layui-src 2.6.6 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the layui-src package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via table rendering. How to fix Cross-site Scripting (XSS)? Upgrade `layui-src` to version 2.6.8 or higher.	<2.6.8
M Cross-site Scripting (XSS) layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). `layer.msg` does not sanitize its input. An attacker that can control part of the input message which can be used to deliver a Cross-Site Scripting attack. PoC With `layui.css` under `./dist/css/` and `layui.js` under `./dist/` (relative to `index.html) index.html: <! DOCTYPE html> <html> <head> <meta charset ="utf-8"> <meta name="viewport"content ="width=device-width, initial-scale=1, maximum-scale=1"> <title> Start using layui </title> <link rel ="stylesheet"href ="dist/css/layui.css"> </head> <body> <script src="dist/layui.js"></script> <script> // Generally written directly in a js file layui.use(['layer', 'form'], function(){ var layer = layui.layer, form = layui.form ; layer.msg("<script>window.location.href='http://www.google.com'<\/script>"); }); </script> </body> </html> How to fix Cross-site Scripting (XSS)? There is no fixed version for `layui-src`.	*

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via table rendering.

How to fix Cross-site Scripting (XSS)?

Upgrade layui-src to version 2.6.8 or higher.

<2.6.8

Cross-site Scripting (XSS)

layui-src is an is a front-end UI framework written using its own module specifications. It follows the native HTML/CSS/JS writing and organization form.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). layer.msg does not sanitize its input. An attacker that can control part of the input message which can be used to deliver a Cross-Site Scripting attack.

PoC

With layui.css under ./dist/css/ and layui.js under ./dist/ (relative to `index.html)

index.html:

<! DOCTYPE  html>
<html>
<head>
  <meta charset ="utf-8"> 
  <meta name="viewport"content ="width=device-width, initial-scale=1, maximum-scale=1">  
  <title> Start using layui </title>
  <link rel ="stylesheet"href ="dist/css/layui.css">  
</head>
<body>
 
<script src="dist/layui.js"></script> 
<script>
// Generally written directly in a js file
layui.use(['layer', 'form'], function(){  
  var layer = layui.layer, form = layui.form ; 
  layer.msg("<script>window.location.href='http://www.google.com'<\/script>");
});
</script> 
</body>
</html>

How to fix Cross-site Scripting (XSS)?

There is no fixed version for layui-src.

layui-src@2.6.6 vulnerabilities

Classic modular Front-End UI library

latest version

first published

latest version published

deprecated

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

PoC