Vulnerability Details : CVE-2022-25873
The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2022-25873
Probability of exploitation activity in the next 30 days: 0.15%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 50 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2022-25873
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
2.8
|
2.5
|
NIST |
4.6
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
2.1
|
2.5
|
Snyk |
CWE ids for CVE-2022-25873
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-25873
-
https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176
fix(VCalendar): prevent XSS from eventName function · vuetifyjs/vuetify@ade1434 · GitHubPatch;Third Party Advisory
-
https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858
Cross-site Scripting (XSS) in vuetify | CVE-2022-25873 | SnykThird Party Advisory
-
https://github.com/vuetifyjs/vuetify/issues/15757
[Bug Report][2.6.9] xss in v-calendar · Issue #15757 · vuetifyjs/vuetify · GitHubIssue Tracking;Third Party Advisory
-
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407
Cross-site Scripting (XSS) in org.webjars.bowergithub.vuetifyjs:vuetify | CVE-2022-25873 | SnykThird Party Advisory
-
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406
Cross-site Scripting (XSS) in org.webjars.npm:vuetify | CVE-2022-25873 | SnykThird Party Advisory
-
https://codepen.io/5v3n-08/pen/MWGKEjY
Just a moment...Exploit;Third Party Advisory
Products affected by CVE-2022-25873
- cpe:2.3:a:vuetifyjs:vuetify:*:*:*:*:*:*:*:*
- cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta8:*:*:*:*:*:*
- cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta9:*:*:*:*:*:*