Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in `jspdf.js`, when user-controlled values are passed to the `options` argument, then included unsanitized in the generated HTML and opened by another user. An attacker can cause the execution of scripts in the victim's browser context by supplying malicious input to the `pdfObjectUrl` option for `"pdfobjectnewwindow"`, the `pdfJsUrl` and `filename` options for `"pdfjsnewwindow"`, and the `filename` option for `"dataurlnewwindow"`. How to fix Cross-site Scripting (XSS)? Upgrade `jspdf` to version 4.2.1 or higher.	<4.2.1
M Improper Encoding or Escaping of Output jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the `createAnnotation()` method, whose `color` parameter can be injected with script objects. An attacker can inject PDF objects as freetext annotations, which may be executed when a user opens the file. How to fix Improper Encoding or Escaping of Output? Upgrade `jspdf` to version 4.2.1 or higher.	<4.2.1

Cross-site Scripting (XSS)

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in jspdf.js, when user-controlled values are passed to the options argument, then included unsanitized in the generated HTML and opened by another user. An attacker can cause the execution of scripts in the victim's browser context by supplying malicious input to the pdfObjectUrl option for "pdfobjectnewwindow", the pdfJsUrl and filename options for "pdfjsnewwindow", and the filename option for "dataurlnewwindow".

How to fix Cross-site Scripting (XSS)?

Upgrade jspdf to version 4.2.1 or higher.

<4.2.1

Improper Encoding or Escaping of Output

jspdf is a PDF Document creation from JavaScript

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the createAnnotation() method, whose color parameter can be injected with script objects. An attacker can inject PDF objects as freetext annotations, which may be executed when a user opens the file.

How to fix Improper Encoding or Escaping of Output?

Upgrade jspdf to version 4.2.1 or higher.

<4.2.1

Go back to all versions of this package