Moderate severityNVD Advisory· Published May 1, 2022· Updated Sep 17, 2024

Cross-site Scripting (XSS)

CVE-2022-25349

Description

All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user-input is provided to the autocomplete component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
materialize-cssnpm	<= 1.0.0	—

Affected products

materialize-css/materialize-cssdescription
ghsa-coords
pkg:npm/materialize-css
Range: <= 1.0.0

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-7jvx-f994-rfw2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-25349ghsaADVISORY
github.com/Dogfalo/materialize/blob/v1-dev/js/autocomplete.js%23L285%20ghsax_refsource_MISCWEB
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2766498ghsax_refsource_MISCWEB
snyk.io/vuln/SNYK-JS-MATERIALIZECSS-2324800ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000