layui-src@2.3.0 vulnerabilities

Classic modular Front-End UI library

Direct Vulnerabilities

Known vulnerabilities in the layui-src package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via table rendering.

How to fix Cross-site Scripting (XSS)?

Upgrade layui-src to version 2.6.8 or higher.

<2.6.8
  • M
Cross-site Scripting (XSS)

layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). layer.msg does not sanitize its input. An attacker that can control part of the input message which can be used to deliver a Cross-Site Scripting attack.

PoC

With layui.css under ./dist/css/ and layui.js under ./dist/ (relative to `index.html)

index.html:

<! DOCTYPE  html>
<html>
<head>
  <meta charset ="utf-8"> 
  <meta name="viewport"content ="width=device-width, initial-scale=1, maximum-scale=1">  
  <title> Start using layui </title>
  <link rel ="stylesheet"href ="dist/css/layui.css">  
</head>
<body>
 
<script src="dist/layui.js"></script> 
<script>
// Generally written directly in a js file
layui.use(['layer', 'form'], function(){  
  var layer = layui.layer, form = layui.form ; 
  layer.msg("<script>window.location.href='http://www.google.com'<\/script>");
});
</script> 
</body>
</html>

How to fix Cross-site Scripting (XSS)?

There is no fixed version for layui-src.

*