Description
This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.
Remediation
References
https://github.com/yairEO/tagify/releases/tag/v4.9.8
https://snyk.io/vuln/SNYK-JS-YAIREOTAGIFY-2404358
https://github.com/yairEO/tagify/commit/198c0451fad188390390395ccfc84ab371def4c7
https://github.com/yairEO/tagify/issues/988
https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/
Related Vulnerabilities
CVE-2023-33202 Vulnerability in maven package org.bouncycastle:bcprov-jdk18on
CVE-2020-14195 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2022-24785 Vulnerability in maven package org.webjars.bowergithub.moment:moment
CVE-2023-50449 Vulnerability in maven package com.jfinal:jfinal
CVE-2019-10648 Vulnerability in maven package net.sf.robocode:robocode