layui-src@2.5.5 vulnerabilities

Classic modular Front-End UI library

latest version

2.6.8
first published

7 years ago
latest version published

3 years ago
licenses detected
- MIT
  >=0
View layui-src package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the layui-src package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via table rendering. How to fix Cross-site Scripting (XSS)? Upgrade `layui-src` to version 2.6.8 or higher.	<2.6.8
M Cross-site Scripting (XSS) layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). `layer.msg` does not sanitize its input. An attacker that can control part of the input message which can be used to deliver a Cross-Site Scripting attack. PoC With `layui.css` under `./dist/css/` and `layui.js` under `./dist/` (relative to `index.html) index.html: <! DOCTYPE html> <html> <head> <meta charset ="utf-8"> <meta name="viewport"content ="width=device-width, initial-scale=1, maximum-scale=1"> <title> Start using layui </title> <link rel ="stylesheet"href ="dist/css/layui.css"> </head> <body> <script src="dist/layui.js"></script> <script> // Generally written directly in a js file layui.use(['layer', 'form'], function(){ var layer = layui.layer, form = layui.form ; layer.msg("<script>window.location.href='http://www.google.com'<\/script>"); }); </script> </body> </html> How to fix Cross-site Scripting (XSS)? There is no fixed version for `layui-src`.	*

Cross-site Scripting (XSS)

layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via table rendering.

How to fix Cross-site Scripting (XSS)?

Upgrade layui-src to version 2.6.8 or higher.

<2.6.8

Cross-site Scripting (XSS)

layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). layer.msg does not sanitize its input. An attacker that can control part of the input message which can be used to deliver a Cross-Site Scripting attack.

PoC

With layui.css under ./dist/css/ and layui.js under ./dist/ (relative to `index.html)

index.html:

<! DOCTYPE  html>
<html>
<head>
  <meta charset ="utf-8"> 
  <meta name="viewport"content ="width=device-width, initial-scale=1, maximum-scale=1">  
  <title> Start using layui </title>
  <link rel ="stylesheet"href ="dist/css/layui.css">  
</head>
<body>
 
<script src="dist/layui.js"></script> 
<script>
// Generally written directly in a js file
layui.use(['layer', 'form'], function(){  
  var layer = layui.layer, form = layui.form ; 
  layer.msg("<script>window.location.href='http://www.google.com'<\/script>");
});
</script> 
</body>
</html>

How to fix Cross-site Scripting (XSS)?

There is no fixed version for layui-src.

Go back to all versions of this package

layui-src@2.5.5 vulnerabilities

Classic modular Front-End UI library

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

PoC