CVE-2023-34412

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published Aug 17, 2023
Updated: Feb 29, 2024
CWE ID 79

Summary

CVE-2023-38687 is a vulnerability affecting Svelecte, a flexible autocomplete/select component written in Svelte. The issue lies in the fact that Svelecte item names are rendered as raw HTML without any escaping, making it possible to inject arbitrary HTML into the Svelecte dropdown. This can lead to the execution of untrusted JavaScript when a dropdown is opened, posing a significant risk of XSS attacks, clickjacking, and other malicious activities. Since item names appear to be rendered as HTML by default, any HTML tags within the names are treated as HTML elements rather than text. This vulnerability can impact applications that utilize Svelecte with dynamically generated items from external sources or user-created content, increasing the risk of XSS attacks. To mitigate this issue, Content Security Policies that block inline JavaScript are recommended. The vulnerability has been addressed in version 3.16.3, and users are advised to upgrade immediately. Unfortunately, there are no known workarounds for this issue.
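The following is an added illustration, not Svelecte's own source: it contrasts a render path that interpolates an item name verbatim into HTML (the unescaped behaviour the summary describes) with one that escapes it first, and includes a small check a project could run over its rendered output. The `sv-item` wrapper, the function names and the item list are all constructed for this example.

```javascript
// Added example (not Svelecte's code): raw versus escaped rendering of
// dropdown item names. All names, classes and items below are constructed.

// Minimal escaper for text placed into an HTML element context.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern: the name is interpolated as-is, so any markup inside it
// becomes live DOM when the dropdown is opened.
function renderItemRaw(item) {
  return `<div class="sv-item">${item.name}</div>`;
}

// Hardened pattern: the name is escaped, so markup is displayed as text.
function renderItemEscaped(item) {
  return `<div class="sv-item">${escapeHtml(item.name)}</div>`;
}

function renderDropdown(items, renderItem) {
  return items.map(renderItem).join("");
}

// Defender-side check for a unit test: does the rendered HTML contain any
// tag other than the wrapper div we emitted ourselves?
function containsForeignTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?div\b/.test(tag));
}

// Constructed item list; the second name carries markup, as data from an
// external source or user-created content might.
const sampleItems = [
  { id: 1, name: "Plain item" },
  { id: 2, name: "<b>Bold via markup</b>" },
];

const rawHtml = renderDropdown(sampleItems, renderItemRaw);
const safeHtml = renderDropdown(sampleItems, renderItemEscaped);

console.log("raw render has foreign tags:", containsForeignTags(rawHtml));   // true
console.log("escaped render has foreign tags:", containsForeignTags(safeHtml)); // false
```

The escaped render shows `<b>Bold via markup</b>` as literal characters instead of producing a bold element. A Content Security Policy whose `script-src` omits `'unsafe-inline'`, as the summary recommends, limits what injected markup can execute but does not stop the markup injection itself; escaping at the render point (or upgrading to the fixed version) is what removes it.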

