GHSA-cfxh-frx4-9gjg: Cross-site Scripting in @spscommerce/ds-react

CVSS Score
N/A

Basic Information

CVE ID
-
EPSS Score
-
Published
12/15/2023
Updated
12/15/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
-
Package Name
@spscommerce/ds-react
Ecosystem
npm
Vulnerable Versions
>= 4.12.2, < 7.17.4
First Patched Version
7.17.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The vulnerability manifests in SPS Select component options rendering
  2. The GitHub reference directly points to line 559 in SpsOptionList.tsx
  3. XSS typically occurs when unsanitized user input reaches DOM operations
  4. The workaround recommendation to sanitize options implies the component wasn't handling sanitization
  5. React applications vulnerable to XSS often have dangerous pattern matches like:
    • Using dangerouslySetInnerHTML with user content
    • Direct text interpolation in JSX without escaping
  6. The line number location suggests this is where option content gets rendered to the DOM

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

### Impact

XSS, anyone using the SPS Select with options prop populated from user input is impacted. If these options are stored, then it could have been a stored XSS.

### Patches

The code has been patched for version * of woodland. Users should up
