CVE-2019-11002: Materialize-css vulnerable to Cross-site Scripting in tooltip component
CVSS Score
6.1 (CVSS 3.0)
Basic Information
CVE ID
CVE-2019-11002
GHSA ID
EPSS Score
0.47673%
CWE
Published
4/9/2019
Updated
8/28/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
materialize-css | npm | <= 1.0.0 | |
@materializecss/materialize | npm | < 1.1.0-alpha | 1.1.0-alpha |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the tooltip component's failure to sanitize user-controlled input (supplied through data-tooltip attributes) before rendering it. GitHub issue #6286 gives explicit examples of XSS through <IFRAME> tags in tooltips, and pull request #49 in the fork mitigates it by introducing an 'unsafeHTML' flag and rendering tooltip text with textContent instead of as HTML. The core issue lies in the functions that render tooltip content, specifically those that insert the attribute value as HTML without sanitization. Based on Materialize's architecture and the described mechanism, Tooltip.init and renderTooltip() are the likely points where the unsafe insertion occurs: the data-tooltip value is treated as markup rather than text, so anyone who can influence that value can inject arbitrary HTML into the page.
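As an added example (not code from Materialize, from this advisory, or from the linked issue and pull request), the following JavaScript models the data-tooltip to innerHTML path described above and gives two things a practitioner wants while still on 1.0.0: a way to embed untrusted text in data-tooltip so that an innerHTML sink shows it literally, and a check that scans rendered markup for tooltip attributes that still carry live HTML. The helper names, the `sink` parameter and the iframe payload are constructed for this example. The point the code makes is that the browser entity-decodes an attribute value once before getAttribute() returns it, so a single HTML escape only protects the attribute context; when the decoded value is then assigned to innerHTML it has to have been escaped a second time. With the textContent path the fix introduces, one escape is enough, and the double escape would show up on screen as a literal `&lt;`, so the workaround must be dropped on upgrade.

```javascript
// Added example: models the data-tooltip -> innerHTML path the advisory
// describes. Not Materialize code; helper names and the payload are constructed.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const REVERSE = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

// Escape the characters that are significant in HTML text and attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Simulate the browser's attribute parsing for these entities: the value is
// decoded once, left to right, which is what getAttribute('data-tooltip') returns.
function decodeAttributeValue(value) {
  return value.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => REVERSE[name]);
}

// True if a decoded attribute value would be parsed as markup by an innerHTML sink.
function wouldParseAsMarkup(decodedValue) {
  return decodedValue.includes('<');
}

// Server-side markup for a tooltip trigger that carries untrusted text.
//   sink = 'innerHTML'   -> Materialize 1.0.0: the decoded attribute is parsed
//                           as HTML, so it must itself be escaped (escape twice).
//   sink = 'textContent' -> the path the fix introduces: the decoded attribute is
//                           shown verbatim, so one attribute-context escape suffices.
function tooltipTrigger(untrustedText, sink) {
  const attr = sink === 'innerHTML'
    ? escapeHtml(escapeHtml(untrustedText))
    : escapeHtml(untrustedText);
  return `<a class="tooltipped" data-position="top" data-tooltip="${attr}">info</a>`;
}

// Detection: list decoded data-tooltip values in rendered HTML that still contain
// markup, i.e. values a 1.0.0 tooltip would hand to innerHTML as live HTML.
// Only the double-quoted attribute form is handled.
function findMarkupInTooltips(html) {
  const hits = [];
  const re = /data-tooltip="([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const decoded = decodeAttributeValue(m[1]);
    if (wouldParseAsMarkup(decoded)) hits.push(decoded);
  }
  return hits;
}

// Constructed payload of the kind issue #6286 describes (an IFRAME in a tooltip).
const PAYLOAD = '<iframe src="https://attacker.invalid/"></iframe>';

// Walk both sinks: what getAttribute() would return for the generated markup and
// whether a 1.0.0 (innerHTML) tooltip would render it as live markup.
function demo() {
  const out = {};
  for (const sink of ['textContent', 'innerHTML']) {
    const markup = tooltipTrigger(PAYLOAD, sink);
    const decoded = decodeAttributeValue(markup.match(/data-tooltip="([^"]*)"/)[1]);
    out[sink] = { decoded, unsafeOn100: wouldParseAsMarkup(decoded) };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` to see both rows: the single-escaped trigger (correct for the textContent path) decodes back to the raw iframe markup and is flagged as unsafe for 1.0.0, while the double-escaped trigger decodes to an entity-encoded string that innerHTML displays as text. The scanner is deliberately narrow (double-quoted data-tooltip attributes only); its purpose is to find tooltips in rendered pages or templates that would be live HTML on a still-unpatched 1.0.0 install.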