{"id":"GHSA-r96p-v3cr-gfv8","summary":"Cross-site Scripting (XSS) in @scullyio/scully","details":"This affects the package @scullyio/scully before 1.0.9; the affected ranges in this record also list @scullyio/ng-lib before 1.0.1. The transfer state is serialised with the JSON.stringify() function and then written into the HTML page. JSON.stringify() produces valid JSON but does not escape HTML-significant characters such as `<`, so markup contained in a transfer-state value is written into the page verbatim and can be parsed by the browser as HTML instead of data. Upgrade to @scullyio/scully 1.0.9 or later and @scullyio/ng-lib 1.0.1 or later. More generally, serialised JSON that is embedded in an HTML page needs `<` escaped before it is written out.","aliases":["CVE-2020-28470"],"modified":"2026-03-13T21:57:08.672477Z","published":"2021-04-13T15:28:01Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-79"],"severity":"HIGH","nvd_published_at":"2021-01-14T10:15:00Z","github_reviewed_at":"2021-04-06T21:40:15Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28470"},{"type":"WEB","url":"https://github.com/scullyio/scully/pull/1182"},{"type":"PACKAGE","url":"https://github.com/scullyio/scully"},{"type":"WEB","url":"https://snyk.io/vuln/SNYK-JS-SCULLYIOSCULLY-1055829"}],"affected":[{"package":{"name":"@scullyio/scully","ecosystem":"npm","purl":"pkg:npm/%40scullyio/scully"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.0.9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-r96p-v3cr-gfv8/GHSA-r96p-v3cr-gfv8.json"}},{"package":{"name":"@scullyio/ng-lib","ecosystem":"npm","purl":"pkg:npm/%40scullyio/ng-lib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.0.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-r96p-v3cr-gfv8/GHSA-r96p-v3cr-gfv8.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}