CVE-2022-0776
Cross site scripting in reveal.js
6.1
MEDIUM
CVSS 3.1
EPSS 10.3%
Description
The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input to parts using which attacker can execute arbitrary javascript code on victim's browser window hosting reveal.js
How to fix CVE-2022-0776
To remediate CVE-2022-0776, upgrade the affected package to a fixed version below.
- —upgrade to 4.3.0 or later
Is CVE-2022-0776 being exploited?
Moderate — EPSS is 10.3%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 4.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |