CVE-2021-32860

iziModal vulnerable to Cross-site Scripting

CVSS 6.1 MEDIUM · EPSS 0.6% · CWE-79
In short

iziModal, a jQuery modal plugin, fails to safely handle user-provided titles, allowing attackers to inject malicious code that runs in users' browsers. This can lead to theft of sensitive data or unauthorized actions on the website.

Technical detail

The vulnerability exists in iziModal versions before 1.6.1 due to improper input sanitization of the `title` parameter during modal instantiation. An attacker who can control the title field can inject arbitrary HTML or JavaScript that executes in the victim's browser context, enabling XSS attacks. Mitigation requires updating to version 1.6.1 or later.
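
As an added illustration (not iziModal's own source), the pattern behind this bug class: a modal header built by interpolating the `title` option straight into markup, beside a hardened version that escapes it first, plus a small regression check a maintainer can run after upgrading. Function names, the option shape and the sample title are assumptions for the example.

```javascript
// Added example, not iziModal's code: a minimal model of the CWE-79 pattern.
// Assumed: the plugin builds its header markup from a `title` option string.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the untrusted title is concatenated into markup, so any
// tags it carries become live DOM as soon as the modal is opened.
function buildHeaderUnsafe(options) {
  return `<h2 class="modal-title">${options.title}</h2>`;
}

// Hardened pattern: the title is rendered as text, never as markup.
function buildHeaderSafe(options) {
  return `<h2 class="modal-title">${escapeHtml(options.title)}</h2>`;
}

// Defender's regression check: does the rendered header still contain the
// untrusted input verbatim while that input carries a raw tag?
function containsRawTag(renderedHtml, untrustedTitle) {
  return /<[a-z]/i.test(untrustedTitle) && renderedHtml.includes(untrustedTitle);
}

// Constructed sample title, as a user might submit through a form field.
const untrustedTitle = '<b>Hello</b>';

console.log('unsafe:', buildHeaderUnsafe({ title: untrustedTitle }));
console.log('safe:  ', buildHeaderSafe({ title: untrustedTitle }));
```

The unsafe header keeps `<b>Hello</b>` as live markup, the safe one renders it as the literal text `&lt;b&gt;Hello&lt;/b&gt;`.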

Summary generated and translated by AI from the official description.
iziModal is a modal plugin with jQuery. Versions prior to 1.6.1 are vulnerable to cross-site scripting (XSS) when handling untrusted modal titles. An attacker who is able to influence the field `title` when creating an `iziModal` instance is able to supply arbitrary `html` or `javascript` code that will be rendered in the context of a user, potentially leading to `XSS`. Version 1.6.1 contains a patch for this issue.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
npm · iziModal
