CVE-2022-25929 : The package smoothie from 1.31.0 and before 1.36.1 are vulnerable to Cross-site

The package smoothie from 1.31.0 and before 1.36.1 are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization in strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control these properties.

Published 2022-12-21 05:15:11

Updated 2025-04-16 19:15:46

Source Snyk

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2022-25929

Smoothiecharts » Smoothie Charts » For Node.js
Versions from including (>=) 1.31.0 and before (<) 1.36.1
cpe:2.3:a:smoothiecharts:smoothie_charts:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-25929

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 29 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-25929

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	2.8	2.5	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	2.8	2.5	Snyk
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2022-25929

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2022-25929

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-3177368

Cross-site Scripting (XSS) in org.webjars.bower:smoothie | CVE-2022-25929 | Snyk
Exploit
https://github.com/joewalnes/smoothie/pull/147

fix: potential XSS when `tooltipLabel` or `strokeStyle` are controlled by users by WofWca · Pull Request #147 · joewalnes/smoothie · GitHub
Patch;Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SMOOTHIE-3177364

Cross-site Scripting (XSS) in smoothie | CVE-2022-25929 | Snyk
Exploit;Third Party Advisory
https://github.com/joewalnes/smoothie/commit/8e0920d50da82f4b6e605d56f41b69fbb9606a98

fix: potential XSS when `tooltipLabel` or `strokeStyle` are controlle… · joewalnes/smoothie@8e0920d · GitHub
Patch;Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-3177369

Cross-site Scripting (XSS) in org.webjars:smoothie | CVE-2022-25929 | Snyk
Exploit;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-25929

Products affected by CVE-2022-25929

Exploit prediction scoring system (EPSS) score for CVE-2022-25929

CVSS scores for CVE-2022-25929

CWE ids for CVE-2022-25929

References for CVE-2022-25929