@hbtv/pro-form@1.4.17

Vulnerabilities

1 via 4 paths

Dependencies

400

Source

npm



high severity

XML External Entity (XXE) Injection

  • Vulnerable module: jstoxml
  • Introduced through: @hbtv/media-upload@2.1.15, @hbtv/html-editor@1.0.21 and others

Detailed paths

  • Introduced through: @hbtv/pro-form@1.4.17 @hbtv/media-upload@2.1.15 ali-oss@6.16.0 jstoxml@0.2.4
  • Introduced through: @hbtv/pro-form@1.4.17 @hbtv/html-editor@1.0.21 @hbtv/media-upload@2.1.15 ali-oss@6.16.0 jstoxml@0.2.4
  • Introduced through: @hbtv/pro-form@1.4.17 @hbtv/list-input@1.4.19 @hbtv/media-upload@2.1.15 ali-oss@6.16.0 jstoxml@0.2.4
  • Introduced through: @hbtv/pro-form@1.4.17 @hbtv/list-input@1.4.19 @hbtv/style-input@1.0.11 @hbtv/media-upload@2.1.15 ali-oss@6.16.0 jstoxml@0.2.4

Overview

jstoxml converts JavaScript/JSON to XML (for RSS, Podcasts, AMP, etc.).

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection because they do not escape special characters: values from the input object are written into the generated XML verbatim, so attacker-controlled text containing markup or entity references is emitted as markup rather than as character data.
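The following is an added illustration, not jstoxml's own code or API: a minimal object-to-XML serializer in two variants. unsafeToXML mirrors the weakness described above (values are copied into the output unescaped), while safeToXML escapes the five XML metacharacters so the same input stays character data. The sample input and the function names are constructed for this example.

```javascript
// Added example (not jstoxml's code): a toy JS-object-to-XML serializer
// shown with and without escaping of special characters.

// Escape table for the five XML metacharacters in text and attribute values.
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

function escapeXml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Serialise { tag: value } objects; nested objects become child elements.
// `escape` decides how leaf values are written into the document.
function serialize(obj, escape) {
  return Object.entries(obj).map(([tag, value]) => {
    const body = (value !== null && typeof value === 'object')
      ? serialize(value, escape)
      : escape(value);
    return `<${tag}>${body}</${tag}>`;
  }).join('');
}

// Vulnerable variant: leaf values are emitted verbatim.
const unsafeToXML = (obj) => serialize(obj, (v) => String(v));

// Hardened variant: leaf values are escaped before emission.
const safeToXML = (obj) => serialize(obj, escapeXml);

// Constructed sample: a user-supplied title that closes its element,
// injects a sibling element and references an (undeclared) entity.
const SAMPLE = { title: 'Ep 1 </title><injected>&xxe;</injected><title>' };

// Helper for the comparison: does the output still carry an unescaped
// entity reference that a downstream XML parser would try to resolve?
function hasRawEntityReference(xml) {
  return /&(?!amp;|lt;|gt;|quot;|apos;)[A-Za-z_][\w.-]*;/.test(xml);
}

console.log('unsafe:', unsafeToXML(SAMPLE));
console.log('safe:  ', safeToXML(SAMPLE));
```

With the unsafe variant the injected `<injected>` element and the `&xxe;` reference survive into the document; with escaping, the whole value is one text node and the reference becomes `&amp;xxe;`, which no parser will resolve.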

Remediation

Upgrade jstoxml to version 2.0.0 or higher. In this project jstoxml is only reached transitively through ali-oss@6.16.0, which is pulled in by @hbtv/media-upload@2.1.15 on all four paths, so the fix has to arrive through a release of those packages that depends on jstoxml 2.0.0 or higher, or through a package-manager override that pins the transitive version.
