CVE-2013-4170
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
30/06/2022
Last modified:
09/07/2022
Description
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the `tagName` property of an `Ember.View` was inserted into such a string without being sanitized. This means that if an application assigns a view's `tagName` to user-supplied data, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS"). This vulnerability only affects applications that assign or bind user-provided content to `tagName`.
Impact
Base Score 3.x
6.10
Severity 3.x
MEDIUM
Base Score 2.0
2.60
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:emberjs:ember.js:*:*:*:*:*:*:*:* | 1.0.0 (excluding) | |
| cpe:2.3:a:emberjs:ember.js:1.0.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:emberjs:ember.js:1.0.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:a:emberjs:ember.js:1.0.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:a:emberjs:ember.js:1.0.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:a:emberjs:ember.js:1.0.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:a:emberjs:ember.js:1.0.0:rc6:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page