@antv/g2

vulnerability cross-site scripting (xss)
severity 5.4
language typescript
registry npm

Description

@antv/g2 is vulnerable to Cross-Site Scripting (XSS).

Proof of Concept

  1. Install the package with npm i @antv/g2or try the live demo here https://g2.antv.vision/en/examples/case/pie#pie3
  2. Edit any of the type field and add the payload <img src=x onerror=alert(1)>
  3. XSS payload will get executed. poc

Impact

An attacker is able to execute malicious JavaScript.