Description
All versions of the npm package lightning-server are affected. Input handled by the session controller (app/controllers/session.js, see references) is not sanitized before it reaches the rendered page, so an attacker can inject malicious JavaScript (cross-site scripting).
Remediation
References
https://github.com/lightning-viz/lightning/blob/master/app/controllers/session.js
https://github.com/lightning-viz/lightning/blob/master/app/controllers/session.js#L230
https://snyk.io/vuln/SNYK-JS-LIGHTNINGSERVER-1019381
Related Vulnerabilities
CVE-2021-21353 Vulnerability in maven package org.webjars.npm:pug
CVE-2022-21803 Vulnerability in npm package nconf
CVE-2022-36083 Vulnerability in npm package jose-node-cjs-runtime
CVE-2022-24999 Vulnerability in npm package qs
CVE-2022-36915 Vulnerability in maven package org.jenkins-ci.plugins:android-signing