CVE-2018-8046
Last modified
CVE-2018-8046 is a vulnerability of currently unknown severity. The getTip() method of Action Columns of Sencha Ext JS 4 to 6 before 6.6.0 is vulnerable to XSS attacks, even when passed HTML-escaped data. This framework brings no built-in XSS protection, so the developer has to ensure that data is correctly sanitized. EPSS estimates a 67.01% chance of exploitation in the next 30 days.
Description
The getTip() method of Action Columns of Sencha Ext JS 4 to 6 before 6.6.0 is vulnerable to XSS attacks, even when passed HTML-escaped data. This framework brings no built-in XSS protection, so the developer has to ensure that data is correctly sanitized. However, the getTip() method of Action Columns takes HTML-escaped data and un-escapes it. If the tooltip contains user-controlled data, an attacker could exploit this to create a cross-site scripting attack, even when developers took precautions and escaped data.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sencha | Ext Js | >= 4.0.0, < 6.6.0 |
References
- http://examples.sencha.com/extjs/6.6.0/release-notes.htmlRelease Notes, Vendor Advisory
- http://seclists.org/fulldisclosure/2018/Jul/8Mailing List, Third Party Advisory
- http://examples.sencha.com/extjs/6.6.0/release-notes.htmlRelease Notes, Vendor Advisory
- http://seclists.org/fulldisclosure/2018/Jul/8Mailing List, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-8046?
How severe is CVE-2018-8046?
How do I fix CVE-2018-8046?
Are you affected by CVE-2018-8046?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST