Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because the document.currentScript lookup can be shadowed by attacker-injected HTML elements.
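
A defensive pattern for the lookup described above, as an added example that is not Stage.js code: verify that `document.currentScript` is a real script element before trusting anything read from it. The function names, the allowlisted origin and the use of the script's `src` as a base URL are assumptions made for illustration; the advisory does not say how Stage.js uses the value.

```javascript
// Added example, not Stage.js code. All names and sample values are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://cdn.example.test"]); // constructed value

// Return the executing <script> element, or null when the property resolves
// to anything else (an element shadowing the name, or no script at all).
function trustedCurrentScript(doc) {
  const el = doc.currentScript;
  if (el === null || typeof el !== "object") return null;
  // In a browser, compare against the real interface. The tagName fallback
  // exists only so this file also runs under Node with plain objects.
  if (typeof HTMLScriptElement !== "undefined") {
    return el instanceof HTMLScriptElement ? el : null;
  }
  return el.tagName === "SCRIPT" ? el : null;
}

// Derive a base URL only from a verified script element whose origin is on
// the allowlist; in every other case return the fixed fallback.
function scriptBaseUrl(doc, fallback) {
  const script = trustedCurrentScript(doc);
  if (!script || typeof script.src !== "string" || script.src === "") {
    return fallback;
  }
  let url;
  try {
    url = new URL(script.src);
  } catch {
    return fallback; // src was not an absolute URL
  }
  if (!ALLOWED_ORIGINS.has(url.origin)) return fallback;
  return new URL(".", url).href; // directory containing the script
}

// Constructed document stand-ins: one genuine, one where the property
// resolves to a non-script element, as in the advisory's scenario.
const genuineDoc = {
  currentScript: { tagName: "SCRIPT", src: "https://cdn.example.test/js/app.js" },
};
const shadowedDoc = {
  currentScript: { tagName: "IMG", src: "https://other.example.test/x/" },
};

console.log(scriptBaseUrl(genuineDoc, "/static/"));
console.log(scriptBaseUrl(shadowedDoc, "/static/"));
```

Sanitizing untrusted HTML so that `id` and `name` attributes cannot collide with document properties addresses the same issue at the input side.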

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| stage-js (npm) | 0 | N/A | N/A |

CVSS Metrics