CVE-2019-16769: Cross-site Scripting in Serialize-javascript

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.4% (top 38.91%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 5; latest update Jun 17

Description

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. The Node.js environment is not affected, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects is used in an environment other than Node.js, it is affected by this vulne

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages: 3 packages

🔴 Vulnerability Details (2)

OSV: Cross-Site Scripting in serialize-javascript (2019-12-05)
GHSA: Cross-Site Scripting in serialize-javascript (2019-12-05)

📋 Vendor Advisories (1)

Red Hat: npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (2020-05-04)

💬 Community (1)

Bugzilla: CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (2020-06-17)