CVE-2016-1000227
Cross-Site Scripting in bootstrap-tagsinput
Description
All versions of `bootstrap-tagsinput` are vulnerable to cross-site scripting when user input is passed into the `itemTitle` parameter unmodified, as the package fails to properly sanitize or encode user input for that parameter. ## Recommendation This package is not actively maintained, and has not seen an update since 2015. Because of this, the simplest mitigation is to avoid using the `itemTitle` parameter. With over 200 open issues and over 100 open pull requests as of 2/2018, it seems unlikely that the author has any intention of maintaining the module. If avoiding the use of `itemTitle` indefinitely is acceptable, this is a workable solution. If not, the best available mitigation is to use a fork of the module that is actively maintained and provides similar functionality. There are [many such forks to choose from available on github.](https://github.com/bootstrap-tagsinput/bootstrap-tagsinput/network/members).
How to fix CVE-2016-1000227
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2016-1000227 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2016-1000227.
Affected packages (1)
- from 0, <= 0.8.0