Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink
Vulnerability Description
Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. This is technically indistinguishable from a real page at the rendering level and allows access to the parent page DOM, storage, session, and cookies. If the attacker can specify customIframeId, they can hijack the source of existing iframes. This issue has been patched in version 3.3.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Mesh Connect JS SDK 跨站脚本漏洞
Vulnerability Description
Mesh Connect JS SDK是Mesh开源的一个Java库。 Mesh Connect JS SDK 3.3.2之前版本存在跨站脚本漏洞,该漏洞源于createLink.openLink函数未对URL协议进行清理,可能导致执行任意JavaScript代码。
CVSS Information
N/A
Vulnerability Type
N/A