SCA: security update for svelecte (GHSA-7h45-grc5-89wq)

medium Tenable Cloud Security Plugin ID 412071

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Svelecte is a flexible autocomplete/select component written in Svelte. Svelecte item names are rendered
as raw HTML with no escaping. This allows the injection of arbitrary HTML into the Svelecte dropdown. This
can be exploited to execute arbitrary JavaScript whenever a Svelecte dropdown is opened. Item names given
to Svelecte appear to be directly rendered as HTML by the default item renderer. This means that any HTML
tags in the name are rendered as HTML elements not as text. Note that the custom item renderer shown in
https://mskocik.github.io/svelecte/#item-rendering is also vulnerable to the same exploit. Any site that
uses Svelecte with dynamically created items either from an external source or from user-created content
could be vulnerable to an XSS attack (execution of untrusted JavaScript), clickjacking or any other attack
that can be performed with arbitrary HTML injection. The actual impact of this vulnerability for a
specific application depends on how trustworthy the sources that provide Svelecte items are and the steps
that the application has taken to mitigate XSS attacks. XSS attacks using this vulnerability are mostly
mitigated by a Content Security Policy that blocks inline JavaScript. This issue has been addressed in
version 3.16.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
(CVE-2023-38687)

See Also

https://github.com/advisories/GHSA-7h45-grc5-89wq

Plugin Details

Severity: Medium

ID: 412071

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2023-38687

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/14/2023

Vulnerability Publication Date: 8/14/2023

Reference Information

CVE: CVE-2023-38687

cwe: CWE-79