If a user controlled value for url was fed to the function, it could lead to a denial of service condition due to a recursive function call. A remote attacker could leverage this vulnerability to serve malicious code to users or to crash the web application that is using the vulnerable library.
10. A Cross-site scripting (XSS) flaw was discovered in the server where index.js in the server’s index.js file failed to validate user input before using it to update the server’s time.
In the following excerpt from server.js, a remote attacker can inject malicious code into the server: script>alert(“You’re on a XSS”);/script>
Mitigation Strategies
The issue can be mitigated by sanitizing user input before using it to update the server’s time.
CWE-20: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
Timeline
Published on: 10/14/2022 16:15:00 UTC
Last modified on: 11/17/2022 14:13:00 UTC
References
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107
- https://github.com/webpack/loader-utils/issues/213
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37603