Cross-Site Scripting Vulnerability in Phoenix.HTML by Phoenix Framework
CVE-2021-46871

6.1 MEDIUM

Key Information:

Vendor
CVE Published: 10 January 2023

What is CVE-2021-46871?

CVE-2021-46871 is a Cross-Site Scripting (XSS) vulnerability in Phoenix.HTML, specifically in the tag.ex component, that is reachable through HEEx class attributes. It lets attackers inject malicious scripts into web pages rendered by affected versions, which can lead to data theft, session hijacking, and other security risks. Versions prior to 3.0.4 are affected; developers using them are advised to upgrade to mitigate this vulnerability.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
