Skip to content

sweetalert2 v9.17.4 and above contains hidden functionality

Low severity GitHub Reviewed Published Nov 23, 2022 to the GitHub Advisory Database • Updated Jan 11, 2023

Package

npm sweetalert2 (npm)

Affected versions

>= 9.17.4, < 10.0.0

Patched versions

None

Description

sweetalert2 versions 9.17.4 and up until 10.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions 9.0.0 - 9.17.3.

Workaround

Use a version 9.0.0 - 9.17.3 of the package until the maintainer releases a fix.

References

Published to the GitHub Advisory Database Nov 23, 2022
Reviewed Nov 23, 2022
Last updated Jan 11, 2023

Severity

Low

EPSS score

Weaknesses

Hidden Functionality

The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-pg98-6v7f-2xfv

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.