Vulnerabilities: 1 (via 1 path)

Dependencies: 2

Source: GitHub

Commit: 7ab00056


medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: lazysizes
  • Introduced through: lazysizes@3.0.0

Detailed paths

  • Introduced through: website-template@marcobiedermann/website-boilerplate#7ab000563958c9c463240db723f6686377ef6eb3 lazysizes@3.0.0
    Remediation: Upgrade to lazysizes@5.2.1.

Overview

lazysizes is a fast (jank-free), SEO-friendly and self-initializing lazyloader for images (including responsive images picture/srcset), iframes, scripts/widgets and much more. It also prioritizes resources by differentiating between crucial in view and near view elements to make perceived performance even faster.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) because the video-embed plugin builds the embed markup as a string and assigns it to innerHTML without sanitizing the element attributes it reads: data-vimeo, data-vimeoparams, data-youtube and data-ytparams. Anyone who can influence one of these attribute values (for example through user-generated content that is rendered into a lazyload container) can close the generated iframe markup early and inject arbitrary HTML, including elements with script-executing event handlers.

PoC

The page below loads the vulnerable 5.2.0 release together with the video-embed plugin. The data-ytparams value is HTML-entity encoded in the attribute; the browser decodes it to `"></iframe><img src=x onerror=alert(1)>` before the plugin concatenates it into the iframe markup, so the injected img element executes alert(1) when the embed is activated.

<html>
<head>
    <!-- vulnerable release: 5.2.0 -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/lazysizes/5.2.0/lazysizes.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/lazysizes/5.2.0/plugins/video-embed/ls.video-embed.min.js"></script>
</head>
<body>
    <!-- data-ytparams carries the attacker-controlled payload; data-youtube is a normal video id -->
    <div class="ratio-16-9 lazyload" data-youtube="M7lc1UVf-VE" data-ytparams="&quot;&gt;&lt;/iframe&gt;&lt;img src=x onerror=alert(1)&gt;">
        <button class="play-btn">play</button>
    </div>
</body>
</html>
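To make the root cause concrete, the following is an added example written for this page; it is not lazysizes code. It places the unsafe pattern the advisory describes (concatenating attribute values into iframe markup and handing the string to innerHTML) next to a hardened equivalent that treats the video id and player parameters as data: the id is validated against YouTube's 11-character id alphabet, the parameters go through an allow-list and URLSearchParams (which percent-encodes quotes and angle brackets), and the iframe is created with DOM APIs rather than innerHTML. The function names, the parameter allow-list and the sample payload (the PoC's data-ytparams value after entity decoding) are constructed for illustration.

```javascript
// Added example, not lazysizes code. Constructed attacker-controlled values,
// modelled on the PoC above (the data-ytparams value after the browser has
// decoded the HTML entities).
const SAMPLE_VIDEO_ID = "M7lc1UVf-VE";
const SAMPLE_YTPARAMS = '"></iframe><img src=x onerror=alert(1)>';

// Vulnerable pattern: attribute values are spliced into markup as-is. A value
// containing '">' closes the src attribute and the iframe, and whatever
// follows is parsed as new HTML once the string is assigned to innerHTML.
function unsafeEmbedMarkup(videoId, ytParams) {
  return '<iframe src="https://www.youtube.com/embed/' + videoId +
    '?' + ytParams + '" frameborder="0" allowfullscreen></iframe>';
}

// Hardened equivalent. The video id must be an 11-character YouTube id and
// player parameters are re-serialised through URLSearchParams after an
// allow-list check, so no quote or angle bracket can survive unencoded.
const YT_ID_RE = /^[A-Za-z0-9_-]{11}$/;
const ALLOWED_PLAYER_PARAMS = new Set([   // illustrative allow-list
  "autoplay", "start", "end", "loop", "rel", "controls",
]);

function safeEmbedUrl(videoId, ytParams) {
  if (!YT_ID_RE.test(videoId)) {
    throw new Error("invalid YouTube video id");
  }
  const url = new URL("https://www.youtube.com/embed/" + videoId);
  // URLSearchParams parses the raw string as a query; unknown keys are dropped,
  // known keys are percent-encoded on serialisation ('"' -> %22, '<' -> %3C).
  for (const [key, value] of new URLSearchParams(ytParams)) {
    if (ALLOWED_PLAYER_PARAMS.has(key)) {
      url.searchParams.set(key, value);
    }
  }
  return url.toString();
}

// Browser-only helper: attach the embed with DOM APIs. The URL is assigned to
// the src property, never concatenated into markup, so there is no HTML
// context for the attribute values to break out of.
function attachEmbed(container, videoId, ytParams) {
  const iframe = container.ownerDocument.createElement("iframe");
  iframe.src = safeEmbedUrl(videoId, ytParams);
  iframe.setAttribute("frameborder", "0");
  iframe.setAttribute("allowfullscreen", "");
  container.replaceChildren(iframe);
  return iframe;
}

// Compare the two paths on the constructed payload (runs in Node, no DOM needed).
function demo() {
  const unsafe = unsafeEmbedMarkup(SAMPLE_VIDEO_ID, SAMPLE_YTPARAMS);
  return {
    unsafeInjectsElement: unsafe.includes("<img src=x onerror=alert(1)>"),
    safeUrl: safeEmbedUrl(SAMPLE_VIDEO_ID, SAMPLE_YTPARAMS),
  };
}
```

Run demo() to see the difference: the unsafe string contains a live img element with an onerror handler, while the hardened URL drops the payload entirely because its parsed key is not on the allow-list. Even an allowed key with a hostile value is neutralised, since URLSearchParams serialisation percent-encodes the characters needed to escape an attribute or tag.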

Remediation

Upgrade lazysizes to version 5.2.1-rc1 or higher.
