foundation-sites@5.5.3 vulnerabilities

The most advanced responsive front-end framework in the world.

Direct Vulnerabilities

Known vulnerabilities in the foundation-sites package. This does not include vulnerabilities belonging to this package’s dependencies.

Cross-site Scripting (XSS)
Severity: M (medium)

foundation-sites is an advanced responsive front-end framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) because the fix for the earlier issue npm:foundation-sites:20150619 was insufficient.

Thanks to Nathaniel Paulus for disclosing this vulnerability!

Although innerHTML does not make script tags executable, script tags are not the only way to run arbitrary code.
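As an added illustration of the point above (example code written for this page, not foundation-sites' own code or its actual earlier fix), the block below renders an attacker-controlled caption two ways. The first path applies a constructed "strip `<script>` tags" filter before concatenating the caption into markup destined for `innerHTML`; the second escapes every HTML metacharacter. A payload with no `<script>` tag at all, an `<img>` with an `onerror` handler, survives the first path and would execute as soon as the image fails to load. The sample caption and the `containsActiveContent` heuristic are constructed for the demonstration.

```javascript
// Added example, not foundation-sites code: why stripping <script> tags is not
// a sufficient XSS fix when the result is assigned to innerHTML.

// Constructed attacker input: no <script> element, but an inline event handler.
const ATTACKER_CAPTION = '<img src=x onerror="alert(document.cookie)"> nice photo';

// Inadequate fix (constructed for illustration, not the project's real code):
// removes <script>...</script> elements and nothing else.
function stripScriptTags(html) {
  return String(html).replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Adequate fix: escape every HTML metacharacter so the caption is inert text.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: filtered caption concatenated into markup.
// In a browser, `el.innerHTML = renderCaptionUnsafe(ATTACKER_CAPTION)` runs the
// onerror handler; the <script> filter never fires because no script tag exists.
function renderCaptionUnsafe(caption) {
  return '<div class="caption">' + stripScriptTags(caption) + '</div>';
}

// Hardened rendering: same markup shell, escaped payload. The browser shows the
// literal text '<img src=x onerror=...>' instead of creating an element.
function renderCaptionSafe(caption) {
  return '<div class="caption">' + escapeHtml(caption) + '</div>';
}

// Heuristic detector for the demo (not a sanitizer): does the markup still
// contain a tag with an on* attribute, or a javascript: URL, that innerHTML
// would turn into live, script-executing content?
function containsActiveContent(markup) {
  return /<[^>]+\son\w+\s*=/i.test(markup) || /javascript:/i.test(markup);
}

console.log('unsafe path still executable:', containsActiveContent(renderCaptionUnsafe(ATTACKER_CAPTION)));
console.log('safe path still executable:  ', containsActiveContent(renderCaptionSafe(ATTACKER_CAPTION)));
```

The fix that actually holds is to treat the caption as text (`textContent`, or escaping as above) unless HTML in captions is a hard requirement, in which case an allow-list sanitizer that strips event-handler attributes and `javascript:` URLs is needed rather than a tag blacklist.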

This vulnerability was introduced in a deliberate attempt to allow HTML in captions. The affected file was subsequently deleted when version 6 was merged into the develop branch in commit 1e08494bb2118c9786ffc33c28158311cd542bcb. Confirmation of its removal (as well as plans to re-add it) can be found in issue 7759.

How to fix Cross-site Scripting (XSS)?

Upgrade foundation-sites to version 6.0.0 or higher.

Vulnerable versions: <6.0.0