CVE-2020-7642
MEDIUMlazysizes < 5.2.0 - Cross-Site Scripting via Video Embed Plugin Parameters
Title source: llmDescription
lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-LAZYSIZES-567144
Patch, Third Party Advisory x_refsource_misc
https://github.com/aFarkas/lazysizes/commit/3720ab8262552d4e063a38d8492f9490a231fd48
Scores
CVSS v3
5.4
EPSS
0.0089
EPSS Percentile
54.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
lazysizes_project/lazysizes
< 5.2.0
npm/lazysizes
0 - 5.2.1npm
Published
Apr 22, 2020
Tracked Since
Feb 18, 2026