Source: leaflet
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for leaflet.
CVE-2025-69993[0]:
| Leaflet versions up to and including 1.9.4 are vulnerable to Cross-
| Site Scripting (XSS) via the bindPopup() method. This method renders
| user-supplied input as raw HTML without sanitization, allowing
| attackers to inject arbitrary JavaScript code through event handler
| attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim
| views an affected map popup, the malicious script executes in the
| context of the victim's browser session.
https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-69993
https://www.cve.org/CVERecord?id=CVE-2025-69993
Please adjust the affected versions in the BTS as needed.
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
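As an added illustration of the pattern the advisory describes (this is example code, not from the bug report, the advisory or Leaflet itself): bindPopup() treats a string argument as HTML, so the application must escape untrusted data before concatenating it into popup content. The helper names (escapeHtml, unsafePopupHtml, safePopupHtml, bindSafePopup), the feature object and its payload are constructed for this example; `L` and `map` stand for the usual Leaflet globals and are only used when they exist, so the file also runs under Node without Leaflet or a DOM.

```javascript
// Added example, not part of the bug report or of Leaflet. Shows the
// vulnerable concatenation pattern next to an escaped version, using the
// payload quoted in the CVE text as constructed sample input.

// Minimal HTML escaper for the five characters that can break out of text
// or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: user-controlled feature properties are pasted straight
// into the HTML string that bindPopup() will render.
function unsafePopupHtml(props) {
  return `<b>${props.name}</b><br>${props.description}`;
}

// Hardened pattern: the markup skeleton is developer-controlled and every
// untrusted value is escaped before interpolation.
function safePopupHtml(props) {
  return `<b>${escapeHtml(props.name)}</b><br>${escapeHtml(props.description)}`;
}

// Constructed sample: a GeoJSON-style feature whose description carries the
// event-handler payload from the advisory.
const untrustedFeature = {
  type: 'Feature',
  geometry: { type: 'Point', coordinates: [12.49, 41.89] },
  properties: {
    name: 'Rome',
    description: '<img src=x onerror="alert(\'XSS\')">',
  },
};

// Browser-side use: bind the escaped content to a marker. `L` and `map` are
// assumed Leaflet globals; the call is guarded so this file also runs in Node.
function bindSafePopup(L, map, feature) {
  const [lng, lat] = feature.geometry.coordinates;
  return L.marker([lat, lng]).bindPopup(safePopupHtml(feature.properties)).addTo(map);
}

if (typeof L !== 'undefined' && typeof map !== 'undefined') {
  bindSafePopup(L, map, untrustedFeature);
}
```

The escaped output keeps the `<b>` and `<br>` that the developer wrote and neutralises only the attacker-supplied markup, so the `onerror` handler never becomes an element attribute. Leaflet's documented signature for bindPopup() also accepts an HTMLElement; building the popup with `document.createElement` and assigning untrusted values through `textContent` is an equivalent way to avoid HTML interpretation altogether.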