CVE-2022-24709
Cross-site scripting in @awsui/components-react
In short
The AWS UI React component library had a flaw where user input wasn't properly cleaned, allowing attackers to inject malicious JavaScript code. This could let attackers execute unwanted scripts in users' browsers when they interact with affected components.
Technical detail
CWE-79 Cross-Site Scripting (XSS) vulnerability in @awsui/components-react versions before 3.0.367 where multiple components fail to sanitize user-supplied input. An attacker can inject arbitrary JavaScript through vulnerable component props, resulting in code execution in the victim's browser context if the application uses the affected components with untrusted data.
Summary generated and translated by AI from the official description.
@awsui/components-react is the main AWS UI package which contains React components, with TypeScript definitions designed for user interface development. Multiple components in versions before 3.0.367 have been found to not properly neutralize user input and may allow for JavaScript injection. Users are advised to upgrade to version 3.0.367 or later. There are no known workarounds for this issue.
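One way to check a project against the fixed version, as an added example that is not part of the advisory or of AWS UI's own code: the functions below walk a parsed npm lockfile (both the flat `packages` layout and the older nested `dependencies` layout) and flag every installed copy of `@awsui/components-react` older than 3.0.367. The two lockfile objects and the `demo-*` package names are constructed sample data.

```javascript
// Added example, not AWS UI code: flag lockfile copies of the package below 3.0.367.
const PKG = "@awsui/components-react";
const FIXED = [3, 0, 367]; // fixed release named in the advisory

// True when `version` sorts before the fixed release (fails closed if unparseable).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version));
  if (!m) return true;
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return m[4] === "-"; // a prerelease of 3.0.367 precedes 3.0.367
}

// Collect every installed copy, including transitive ones, from a parsed lockfile.
function findCopies(lock) {
  const found = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      found.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: copies are nested under "dependencies".
  if (found.length === 0) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PKG) found.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found.map((c) => ({ ...c, affected: isAffected(c.version) }));
}

// Constructed sample lockfiles (not taken from any real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/@awsui/components-react": { version: "3.0.212" },
  "node_modules/demo-widgets/node_modules/@awsui/components-react": { version: "3.0.367" },
} };
const legacyLock = { lockfileVersion: 1, dependencies: {
  "demo-widgets": { version: "1.0.0",
    dependencies: { "@awsui/components-react": { version: "3.0.100" } } },
} };
```

A copy pulled in transitively is flagged the same way as a direct dependency, since the vulnerable components ship in either case.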
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
aws · awsui-documentation