layui-src@2.5.15 vulnerabilities

Classic modular Front-End UI library

  • latest version

    2.6.8

  • first published

    7 years ago

  • latest version published

    3 years ago

  • deprecated

    Package is deprecated

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the layui-src package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • Severity: Medium
    Cross-site Scripting (XSS)

    layui-src is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via table rendering.

    How to fix Cross-site Scripting (XSS)?

    Upgrade layui-src to version 2.6.8 or higher.

    Vulnerable versions: <2.6.8

    • Severity: Medium
    Cross-site Scripting (XSS)

    layui-src is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). layer.msg does not sanitize its input: the message string is rendered as HTML, so an attacker who controls any part of it can inject markup and deliver a Cross-site Scripting attack.

    PoC

    With layui.css under ./dist/css/ and layui.js under ./dist/ (relative to index.html):

    index.html:

    <!DOCTYPE html>
    <html>
    <head>
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
      <title>Start using layui</title>
      <link rel="stylesheet" href="dist/css/layui.css">
    </head>
    <body>

    <script src="dist/layui.js"></script>
    <script>
    // Generally written directly in a js file
    layui.use(['layer', 'form'], function(){
      var layer = layui.layer, form = layui.form;
      // The message string is injected as HTML, so the embedded script runs
      layer.msg("<script>window.location.href='http://www.google.com'<\/script>");
    });
    </script>
    </body>
    </html>
    

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for layui-src.

    Vulnerable versions: * (all versions)
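Since layer.msg renders its argument as HTML and no fixed version exists, the mitigation has to live on the caller's side: HTML-escape any attacker-influenced text before it reaches that sink. The same escaping applies to row data handed to the table renderer on versions before 2.6.8. The following is an added example, not layui's code and not part of the advisory; escapeHtml, escapeRow, safeMsg and the makeFakeLayer stand-in are hypothetical names, and makeFakeLayer only records what the real layer.msg would inject so the file runs under Node without a browser. The untrusted input is the page's own PoC payload, embedded here as a constructed sample.

```javascript
// Added example (not layui's own code): escape untrusted text before it
// reaches a layui HTML sink such as layer.msg() or a table cell.

// Minimal HTML entity escaper covering the characters that can break out of
// text or attribute context. '&' is replaced first so later entities are not
// double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escape every string cell of a row object before it is handed to a table
// renderer; non-string values (numbers, booleans) are passed through.
function escapeRow(row) {
  const out = {};
  for (const [key, val] of Object.entries(row)) {
    out[key] = typeof val === "string" ? escapeHtml(val) : val;
  }
  return out;
}

// Hypothetical stand-in for the layer object: records the HTML string that
// layer.msg() would inject into the DOM instead of touching a browser.
function makeFakeLayer() {
  const rendered = [];
  return {
    rendered,
    msg(content) { rendered.push(content); },
  };
}

// Hardened wrapper: escape on the way in, so the message is shown as text.
function safeMsg(layer, untrusted) {
  layer.msg(escapeHtml(untrusted));
}

// Constructed untrusted input: the payload from the PoC above.
const PAYLOAD = "<script>window.location.href='http://www.google.com'</script>";

// Runs the vulnerable call and the hardened call against the same payload and
// returns both rendered strings: [0] is live markup, [1] is inert text.
function demo() {
  const layer = makeFakeLayer();
  layer.msg(PAYLOAD);       // vulnerable: payload reaches the DOM as markup
  safeMsg(layer, PAYLOAD);  // hardened: payload reaches the DOM as text
  return layer.rendered;
}

console.log(demo());
```

Escaping at the call site is the only reliable control here because layer.msg offers no text-only mode; do the same for any column value, title or tooltip that originates from users or from an API you do not control.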