Severity: high

    Cross-Site Scripting

    shave

    Overview

    Versions of shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The shave package overwrites HTML elements and in doing so fails to properly encode the output. If encoded HTML input is passed into shave the output will be decoded which may lead to Cross-Site Scripting.

    Remediation

    Upgrade to version 2.5.3 or later.

    Have content suggestions? Visit npmjs.com/support.

    Advisory timeline

    1. published

      Advisory Published
      Apr 19th, 2019
    2. reported

      Reported by tom
      Apr 18th, 2019