CVE-2023-1001

LOW

NPM Vxe-table < 3.7.10 - XSS

Title source: rule

Description

A vulnerability, which was classified as problematic, has been found in xuliangzhan vxe-table up to 3.7.9. This issue affects the function export of the file packages/textarea/src/textarea.js of the component vxe-textarea. The manipulation of the argument inputValue leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 3.7.10 is able to address this issue. The patch is named d70b0e089740b65a22c89c106ebc4627ac48a22d. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-266123.

Exploits (2)

gitee STUB 24 stars

by xuliangzhan · javascriptpoc

https://gitee.com/xuliangzhan_admin/vxe-table/tree/3.7.10

View Code ZIP pw:eip

gitee 24 stars

by xuliangzhan · javascriptwriteup

https://gitee.com/xuliangzhan_admin/vxe-table/issues/I8O21R

References (5)

[Various Sources] https://gitee.com/xuliangzhan_admin/vxe-table/tree/3.7.10

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.266123

[Permissions Required, VDB Entry] https://vuldb.com/?id.266123

[Patch] https://gitee.com/xuliangzhan_admin/vxe-table/commit/d70b0e089740b65a22c89c106ebc4627ac48a22d

View Patch ZIP pw:eip

[Issue Tracking] https://gitee.com/xuliangzhan_admin/vxe-table/issues/I8O21R

Scores

CVSS v3 3.5

EPSS 0.0018

EPSS Percentile 39.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Classification

CWE

CWE-79

Status draft

Affected Products (1)

npm/vxe-table < 3.7.10npm

Timeline

Published May 24, 2024

Tracked Since Feb 18, 2026