-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The jstree package is vulnerable to Cross-Site Scripting (XSS) #2772
Comments
get_node is an internal function. I struggle to see how you could pass user input to it - maybe it is application dependent? Please share a demo of the XSS so that I can provide a fix. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We are using SonaType for scanning binaries that we use.
The jstree package is vulnerable to Cross-Site Scripting (XSS). The get_node() function in jstree.js passes the user input to JQuery in an unsafe manner. A remote attacker can exploit this vulnerability to execute arbitrary JavaScript in a victim's browser context.
fd63728762c93892f506e158be58a0d98034ccff.zipKarmabunny-sprout3-fd63728/src/media/js/jstree.min.js( , 3.3.6)
The application is vulnerable by using this component.
we are using vakata-jstree-3.3.16
Is there a version of this component that is not vulnerable to this specific issue?
Thanks
Kind regards
Idris
The text was updated successfully, but these errors were encountered: