CVE-2022-25873
MEDIUMvuetify 2.0.0-beta.4-2.6.10 - Cross-Site Scripting in VCalendar eventName Function
Title source: llmDescription
The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.
References (6)
Core 6
Core References
Third Party Advisory x_refsource_misc
https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858
Third Party Advisory x_refsource_misc
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406
Third Party Advisory x_refsource_misc
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407
Patch, Third Party Advisory x_refsource_misc
https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/vuetifyjs/vuetify/issues/15757
Exploit, Third Party Advisory x_refsource_misc
https://codepen.io/5v3n-08/pen/MWGKEjY
Scores
CVSS v3
4.6
EPSS
0.0055
EPSS Percentile
68.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (4)
npm/vuetify
2.0.0-beta.4 - 2.6.10npm
org.webjars.npm/vuetify
2.0.0-beta.4 - 2.6.10Maven
vuetifyjs/vuetify
2.0.0 beta4 (6 CPE variants)
vuetifyjs/vuetify
2.0.1 - 2.6.10
Published
Sep 18, 2022
Tracked Since
Feb 18, 2026