{"id":"GHSA-rf66-hmqf-q3fc","summary":"Improper Neutralization of Input During Web Page Generation in Select2","details":"In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data.","aliases":["CVE-2016-10744"],"modified":"2023-11-08T03:58:21.390626Z","published":"2022-05-14T01:14:56Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-79"],"github_reviewed_at":"2022-07-06T20:04:29Z","severity":"MODERATE","nvd_published_at":"2019-03-27T04:29:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10744"},{"type":"WEB","url":"https://github.com/select2/select2/issues/4587"},{"type":"WEB","url":"https://github.com/snipe/snipe-it/pull/6831"},{"type":"WEB","url":"https://github.com/snipe/snipe-it/pull/6831/commits/5848d9a10c7d62c73ff6a3858edfae96a429402a"},{"type":"PACKAGE","url":"https://github.com/select2/select2"}],"affected":[{"package":{"name":"select2","ecosystem":"npm","purl":"pkg:npm/select2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.0.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rf66-hmqf-q3fc/GHSA-rf66-hmqf-q3fc.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}