5.4

CVSS Score

Basic Information

CVE ID

CVE-2022-25349

GHSA ID

GHSA-7jvx-f994-rfw2

EPSS Score

CWE

CWE-79

Published

5/3/2022

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-25349

CVE-2022-25349:
materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input

All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user-input is provided to the autocomplete component.

(GitHub Advisory)

5.4

CVSS Score

Basic Information

CVE ID

CVE-2022-25349

GHSA ID

GHSA-7jvx-f994-rfw2

EPSS Score

CWE

CWE-79

Published

5/3/2022

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
materialize-css	npm	<= 1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation specifically references the autocomplete component and improper input escaping in autocomplete.js. While the exact line number reference is broken, materialize-css's autocomplete implementation uses _renderDropdown to create suggestion elements. The PoC demonstrates XSS via suggestion labels containing HTML payloads, indicating the rendering function inserts content without proper sanitization. The use of .html() instead of .text() for user-controlled input would explain the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* p**k*** m*t*ri*liz*-*ss *r* vuln*r**l* to *ross-sit* S*riptin* (XSS) *u* to improp*r *s**p* o* us*r input (su** *s <not-*-t** /&*t;) t**t is **in* p*rs** *s *TML/J*v*S*ript, *n* ins*rt** into t** *o*um*nt O*j**t Mo**l (*OM). T*is v

Reasoning

T** vuln*r**ility *o*um*nt*tion sp**i*i**lly r***r*n**s t** *uto*ompl*t* *ompon*nt *n* improp*r input *s**pin* in *uto*ompl*t*.js. W*il* t** *x**t lin* num**r r***r*n** is *rok*n, m*t*ri*liz*-*ss's *uto*ompl*t* impl*m*nt*tion us*s _r*n**r*rop*own to

5.4

Basic Information

Concerned about an active attack path?

CVE-2022-25349: materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-25349:
materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input

Vulnerability Intelligence
Miggo AI