Cross Site Scripting (XSS) in ssr-pages
Description
Cross-site scripting (XSS) in ssr-pages prior to 0.1.5 via untrusted redirect.link input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ssr-pages versions prior to 0.1.5, a cross-site scripting (XSS) issue exists in the build(MessagePageOptions) function. The redirect.link property is not properly sanitized, allowing insertion of arbitrary HTML or JavaScript when untrusted input is provided.
Exploitation
An attacker can exploit this by supplying untrusted input to the redirect.link property. This input is then rendered in the generated HTML page without proper encoding, leading to script injection. The attacker must be able to control the argument passed to the build function.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, data theft, or defacement.
Mitigation
The issue is patched in version 0.1.5. Users should upgrade to this version or later. No workarounds are available as of publication [1].
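The pattern described above, as an added example (not code from ssr-pages or from the advisory): a hypothetical renderer that interpolates a `redirect.link` value unencoded, beside a hardened version that applies a scheme allow-list and HTML encoding. The function names, the `label` field and the sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration: hypothetical renderer, NOT the @finastra/ssr-pages source.

// Encode the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Allow only http(s) targets (absolute or relative); anything else falls back.
// The WHATWG URL parser normalises case and leading whitespace the way browsers do.
function safeHref(link, fallback = '/') {
  try {
    const url = new URL(String(link), 'https://placeholder.invalid');
    const ok = url.protocol === 'http:' || url.protocol === 'https:';
    return ok ? String(link) : fallback;
  } catch {
    return fallback; // unparseable input is treated as untrusted
  }
}

// Vulnerable pattern: the option is interpolated into markup as-is.
function renderRedirectUnsafe(redirect) {
  return `<a href="${redirect.link}">${redirect.label}</a>`;
}

// Hardened pattern: scheme check first, then encoding for the attribute context.
function renderRedirectSafe(redirect) {
  const href = escapeHtml(safeHref(redirect.link));
  return `<a href="${href}">${escapeHtml(redirect.label)}</a>`;
}

// Constructed sample inputs (not taken from the advisory).
const constructedInputs = [
  { link: '/account', label: 'Back' },
  { link: '"><script>alert(1)</script>', label: 'Back' },
  { link: 'javascript:alert(1)', label: 'Back' },
];

for (const input of constructedInputs) {
  console.log('unsafe:', renderRedirectUnsafe(input));
  console.log('safe:  ', renderRedirectSafe(input));
}
```

Encoding alone does not stop a `javascript:` target, and a scheme check alone does not stop attribute breakout, which is why the hardened renderer applies both.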
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @finastra/ssr-pages (npm) | < 0.1.5 | 0.1.5 |
Affected products: 2
Patches: 1
- 98abc59e28fe
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7f63-h6g3-7cwm [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2022-24717 [ghsa, ADVISORY]
- github.com/Finastra/ssr-pages/commit/98abc59e28fec48246be0d59ac144675d6361073 [ghsa, x_refsource_MISC, WEB]
- github.com/Finastra/ssr-pages/pull/2 [ghsa, x_refsource_MISC, WEB]
- github.com/Finastra/ssr-pages/pull/2/commits/133606ffaec2edd9918d9fba5771ed21da7876a5 [ghsa, x_refsource_MISC, WEB]
- github.com/Finastra/ssr-pages/security/advisories/GHSA-7f63-h6g3-7cwm [ghsa, x_refsource_CONFIRM, WEB]