Source: libjs-spin.js
Version: 1.2.8+dfsg2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.2.8+dfsg2-1.1

Hi,

The following vulnerability was published for libjs-spin.js.

CVE-2026-3884[0]:
| Versions of the package spin.js before 3.0.0 are vulnerable to
| Cross-site Scripting (XSS) via the spin() function that allows a
| creation of more than 1 alert for each 'target' element. An attacker
| would need to set an arbitrary key-value pair on Object.prototype
| through a crafted URL achieving a prototype pollution first, before
| being able to execute arbitrary JavaScript in the context of the
| user's browser.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3884
    https://www.cve.org/CVERecord?id=CVE-2026-3884
[1] https://security.snyk.io/vuln/SNYK-JS-SPINJS-15445079
[2] https://github.com/fgnass/spin.js/commit/1f63d33b74e5919e7fe24bf97eca96a346535f6f

Regards,
Salvatore
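
The precondition named in the CVE text (a key set on Object.prototype) matters because option-merging code that iterates with for...in treats inherited keys as caller-supplied options. The following is an added example, not part of the original report and not spin.js code: `mergeUnsafe`, `mergeSafe`, `demo`, the option names and the polluted key are all constructed for illustration.

```javascript
'use strict';

// Unsafe pattern (hypothetical helper): for...in also walks inherited
// enumerable keys, so a key sitting on Object.prototype is copied into
// the merged options as if the caller had passed it.
function mergeUnsafe(defaults, opts) {
  const out = {};
  for (const key in defaults) out[key] = defaults[key];
  for (const key in opts) out[key] = opts[key];
  return out;
}

// Hardened pattern (hypothetical helper): only keys declared in the
// defaults are accepted, values are taken only from own properties,
// and the result has no prototype, so lookups of unknown keys cannot
// fall through to Object.prototype.
function mergeSafe(defaults, opts) {
  const own = Object.prototype.hasOwnProperty;
  const out = Object.create(null);
  for (const key of Object.keys(defaults)) {
    out[key] = own.call(opts, key) ? opts[key] : defaults[key];
  }
  return out;
}

// Runs both merges while a constructed key is present on
// Object.prototype, then removes the key again.
function demo() {
  const DEFAULTS = { lines: 12, className: 'spinner' }; // constructed sample
  Object.prototype.constructedKey = 'inherited-value';  // simulated pollution
  try {
    const unsafe = mergeUnsafe(DEFAULTS, { lines: 8 });
    const safe = mergeSafe(DEFAULTS, { lines: 8 });
    return {
      unsafeKeys: Object.keys(unsafe),
      safeKeys: Object.keys(safe),
      safeRead: safe.constructedKey,
      safeLines: safe.lines
    };
  } finally {
    delete Object.prototype.constructedKey;
  }
}
```
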
