Versions of ids-enterprise prior to 4.18.2 are vulnerable to Cross-Site Scripting (XSS). The soho-dropdown component does not properly encode its output and may allow attackers to execute arbitrary JavaScript.

Recommendation

Upgrade to version 4.18.2 or later

References

• infor-design/enterprise-ng#503
• infor-design/enterprise@6bd74d8
• https://www.npmjs.com/advisories/956