Cross-site Scripting (XSS) Affecting materialize-css package, versions *


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.09% (41st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-MATERIALIZECSS-174148
  • published9 Apr 2019
  • disclosed8 Apr 2019
  • creditlucianot54

Introduced: 8 Apr 2019

CVE-2019-11002  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

There is no fixed version for materialize-css.

Overview

materialize-css is a CSS Framework based on Material Design.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to unescaped text being inserted into the Document Object Model (DOM).

A vulnerability can arise when user input is provided to the tooltip component. Typically "safe" data is used as part of this feature such as application data generated server-side. However there are cases where it may be reasonable to use user generated content. As such, this could allow a malicious user to pass a specially crafted JavaScript payload and render them within the element.

PoC

<a class="btn tooltipped" data-position="bottom" data-tooltip="<IFRAME SRC='javascript:alert(document.cookie);'></IFRAME></script>">Hover me!</a>

Details

CVSS Scores

version 3.1