Description

A cross-Site Scripting (XSS) vulnerability in this.showInvalid and this.showInvalidCountry in SmartyStreets liveAddressPlugin.js 3.2 allows remote attackers to inject arbitrary web script or HTML via any address parameter (e.g., street or country).

Remediation

References

https://github.com/smartystreets-archives

https://jsfiddle.net/smartystreets/Lx2dbsaa/

https://www.guidepointsecurity.com/liveaddressplugin-js-vulnerability-disclosure/

Related Vulnerabilities

CVE-2022-27200 Vulnerability in maven package io.jenkins.plugins:folder-auth

CVE-2014-3630 Vulnerability in maven package com.typesafe.play:play_2.10

CVE-2021-23327 Vulnerability in maven package org.webjars.npm:apexcharts

CVE-2022-41714 Vulnerability in npm package fastest-json-copy

CVE-2019-10095 Vulnerability in maven package org.apache.zeppelin:zeppelin

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory Exploit