CVE-2021-32851

jQuery MiniColors vulnerable to Cross-site Scripting

CVSS 6.1 MEDIUM · EPSS 0.7% · CWE-79
In short

jQuery MiniColors plugin fails to properly sanitize user input in color values, allowing attackers to inject malicious JavaScript code that executes in the browser of anyone viewing the affected page. This can lead to theft of sensitive data or unauthorized actions on behalf of users.

Technical detail

Cross-site scripting vulnerability in jQuery MiniColors color input handling due to insufficient input validation. An attacker can inject malicious script through untrusted menu data, which executes in the victim's browser context with the privileges of the vulnerable application. Exploitation requires user interaction with crafted color input.

Summary generated and translated by AI from the official description.
Mind-elixir is a free, open source mind map core. Prior to version 0.18.1, mind-elixir is prone to cross-site scripting when handling untrusted menus. This issue is patched in version 0.18.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
npm · mind-elixir
