Headline
GHSA-cfxh-frx4-9gjg: Cross-site Scripting in @spscommerce/ds-react
Impact
Cross-site scripting (XSS). Anyone rendering the SPS Select component with an options prop populated from user-controlled input is affected. If those options are persisted (for example in a database) and rendered again later, the issue becomes a stored XSS.
Patches
The fix is in version 7 of woodland. Users should upgrade @spscommerce/ds-react to 7.17.4 or later.
Workarounds
Not recommended. If you cannot upgrade, you must sanitize the options yourself before they reach the component, including any options already stored in databases.
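The workaround above, written out as an added example (this is not code from @spscommerce/ds-react or the woodland repository). It assumes an option shape of { label, value }, which the advisory does not state, and it escapes at the point where options are handed to the component rather than in the database, so the stored rows stay untouched and the call can simply be removed after upgrading. It also includes a triage helper for finding rows that already contain markup, and a check of an installed version against the advisory's affected range.

```typescript
// Added example for this advisory; not code from @spscommerce/ds-react or
// woodland. The option shape { label, value } is an assumption (the advisory
// does not state the real option type), and the markup heuristic is for triage
// only, not a proof that a row is safe.

interface SelectOption {
  label: string;
  value: string;
}

const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the characters that matter in an HTML context. Escaping rather than
// stripping keeps legitimate labels such as "R&D" readable while turning a
// payload like <img onerror=...> into inert text.
function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Apply at the boundary where options are passed to the component, not when
// writing to the database. Stored data stays as-is and this call is deleted
// once the package is upgraded to a patched version.
function sanitizeOptions(options: SelectOption[]): SelectOption[] {
  return options.map((o) => ({ label: escapeHtml(o.label), value: escapeHtml(o.value) }));
}

// Heuristic for triaging rows already in storage: flags tag openers, entity
// references and javascript: URLs. A false positive costs a manual look; a miss
// is why render-time escaping above is still applied to every row.
function looksLikeMarkup(input: string): boolean {
  return /<[a-z!\/?]|&#|&[a-z]+;|javascript:/i.test(input);
}

function findSuspiciousOptions(options: SelectOption[]): SelectOption[] {
  return options.filter((o) => looksLikeMarkup(o.label) || looksLikeMarkup(o.value));
}

// Affected range from the advisory: >= 4.12.2, < 7.17.4. Pre-release suffixes
// are dropped for simplicity (assumption; treat "7.17.4-rc.1" as needing a look).
function isAffectedVersion(version: string): boolean {
  const parse = (v: string) => (v.split('-')[0] ?? '').split('.').map(Number);
  const cmp = (a: number[], b: number[]) => {
    for (let i = 0; i < 3; i++) {
      const x = a[i] ?? 0;
      const y = b[i] ?? 0;
      if (x !== y) return x < y ? -1 : 1;
    }
    return 0;
  };
  const v = parse(version);
  return cmp(v, [4, 12, 2]) >= 0 && cmp(v, [7, 17, 4]) < 0;
}

// Constructed sample data standing in for options loaded from a database.
const STORED_OPTIONS: SelectOption[] = [
  { label: 'Warehouse A', value: 'wh-a' },
  { label: 'R&D', value: 'rd' },
  { label: '<img src=x onerror=alert(document.domain)>', value: 'evil' },
];

// What <SpsSelect options={sanitizeOptions(STORED_OPTIONS)} /> would receive,
// and which stored rows deserve a manual look.
const safeOptions = sanitizeOptions(STORED_OPTIONS);
const suspicious = findSuspiciousOptions(STORED_OPTIONS);
```

Do not write the escaped strings back to the database: if the patched component renders option text as plain text, pre-escaped rows would show the entities literally after the upgrade. Escape on the way into the component, use the triage list to clean up rows that were actually injected, and remove the escaping call when you move to 7.17.4 or later.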
References
https://github.com/SPSCommerce/woodland/blob/c49e999f97f3c0b56502859f4de1e8c6666dd74d/packages/ds-react/src/option-list/SpsOptionList.tsx#L559
Package
@spscommerce/ds-react (npm)
Affected versions
>= 4.12.2, < 7.17.4
Patched versions
7.17.4
References
- https://github.com/SPSCommerce/woodland/security/advisories/GHSA-cfxh-frx4-9gjg
Published to the GitHub Advisory Database
Dec 15, 2023
Reviewed
Dec 15, 2023