CVE-2021-32850
jQuery MiniColors vulnerable to Cross-site Scripting
In short
jQuery MiniColors, a color picker tool, allows attackers to inject malicious code through color names. If a website uses this tool with untrusted input, attackers can execute scripts in users' browsers.
Technical detail
jQuery MiniColors versions prior to 2.3.6 contain a cross-site scripting (XSS) vulnerability, stored or reflected depending on where the value comes from, in the handling of color names. An attacker who can supply a color name to the picker (for example through a field whose value is fed to the component unvalidated) can have arbitrary JavaScript executed in the context of the affected web application, impacting the confidentiality and integrity of user sessions. The user interaction required (UI:R in the CVSS vector below) is the victim loading or interacting with a page that renders the untrusted color value.
Summary generated and translated by AI from the official description.
jQuery MiniColors is a color picker built on jQuery. Prior to version 2.3.6, jQuery MiniColors is prone to cross-site scripting when handling untrusted color names. This issue is patched in version 2.3.6.
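The root cause described above is a color value that reaches the picker without validation. As an added example (not code from the advisory or from the jquery-minicolors project), the following gate accepts only a fixed allowlist of CSS color names and 3- or 6-digit hex values before anything is handed to a color widget or written to the DOM; the allowlist and the `applyColor` helper are assumptions about how an application might wire this in, not part of the library's API.

```javascript
// Added example: strict validation of untrusted color strings before they
// reach a color picker or the DOM. Everything not matching a small, known-good
// grammar is rejected, so markup or CSS fragments never reach the document.

// Assumed allowlist of accepted CSS color names (constructed; extend as needed).
const ALLOWED_COLOR_NAMES = new Set([
  "black", "white", "red", "green", "blue", "yellow", "orange",
  "purple", "gray", "grey", "teal", "navy", "silver", "maroon",
]);

// #rgb or #rrggbb only; no alpha channel, no rgb()/hsl() functional syntax.
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

// Returns a normalized color string, or null when the input is not a safe color.
function sanitizeColor(input) {
  if (typeof input !== "string") return null;
  const value = input.trim();
  if (HEX_COLOR.test(value)) return value.toLowerCase();
  const name = value.toLowerCase();
  if (ALLOWED_COLOR_NAMES.has(name)) return name;
  return null;
}

// Applies a validated color to an element using property assignment only
// (no innerHTML), falling back to a fixed default when validation fails.
// `element` is any object with a `style` map and `textContent` (assumed).
function applyColor(element, input, fallback = "#000000") {
  const safe = sanitizeColor(input) || fallback;
  element.style.backgroundColor = safe;
  element.textContent = safe;
  return safe;
}

// Constructed sample inputs: the first two pass, the last two are rejected.
const SAMPLE_INPUTS = ["#FfAa00", " teal ", "<b>red</b>", "rgb(255,0,0)"];
function checkSamples() {
  return SAMPLE_INPUTS.map(sanitizeColor); // ["#ffaa00", "teal", null, null]
}
```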
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
npm · @claviska/jquery-minicolors
References
https://github.com/claviska/jquery-minicolors/commit/ef134824a7f4110ada53ea6c173111a4fa2f48f3
https://github.com/claviska/jquery-minicolors/releases/tag/2.3.6
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MC5HV4ESLV2E23YGHNJ542QEZBH6YE2F/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDXBWA54A7D6HMR2TN5BAYNCU7HO2PUO/
https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/