CVE-2020-7642

aFarkas/lazysizes

on github

Published

April 22, 2020

Severity

CVSS v3:

5.4 MEDIUM

CVSS v2:

3.5 LOW

Description

lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript.

References

https://snyk.io/vuln/SNYK-JS-LAZYSIZES-567144
https://github.com/aFarkas/lazysizes/commit/3720ab8262552d4e063a38d8492f9490a231fd48

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:lazysizes_project:lazysizes::::::::	n/a	5.2.0 (including)	*

External Links

NVD - CVE-2020-7642