Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) fava is a web interface for the accounting tool Beancount Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when handling tooltips in `charts/bar.ts`, `charts/context.ts`, `charts/line.ts`, and `charts/tooltip.ts` for the conversion filter on the income statement dashboard. An attacker in possession of the Beancount journal name and the base URL in use can exploit this vulnerability. How to fix Cross-site Scripting (XSS)? Upgrade `fava` to version 1.22.3 or higher.	[,1.22.3)
H Cross-site Scripting (XSS) fava is a web interface for the accounting tool Beancount Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `time` and `filter` parameters, due to the lack of escaping of error messages. An attacker in possession of a private Beancount journal name and base URL can supply arbitrary commands via the vulnerable parameters in a crafted URL which a user is convinced to follow. How to fix Cross-site Scripting (XSS)? Upgrade `fava` to version 1.22 or higher.	[,1.22)
H Cross-site Scripting (XSS) fava is a web interface for the accounting tool Beancount Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `query_string` parameter. An attacker in possession of a private Beancount journal name and base URL can supply arbitrary commands via the vulnerable parameter in a crafted URL which a user is convinced to follow. How to fix Cross-site Scripting (XSS)? Upgrade `fava` to version 1.22.2 or higher.	[,1.22.2)

Go back to all versions of this package