Skip to content

sweetalert2 v10.16.10 and above contains hidden functionality

Low severity GitHub Reviewed Published Nov 23, 2022 to the GitHub Advisory Database • Updated Jan 11, 2023

Package

npm sweetalert2 (npm)

Affected versions

>= 10.16.10, < 11.0.0

Patched versions

None

Description

sweetalert2 versions 10.16.10 and up until 11.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions 10.0.0 - 10.16.9.

Workaround

Use a version 10.0.0 - 10.16.9 of the package until the maintainer releases a fix.

References

Published to the GitHub Advisory Database Nov 23, 2022
Reviewed Nov 23, 2022
Last updated Jan 11, 2023

Severity

Low

EPSS score

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-457r-cqc8-9vj9

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.