CVE Vulnerability

CVE-2022-29230

Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability.

3.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

5.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/Shopify/hydrogen/pull/1272 Issue Tracking Patch
https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f Third Party Advisory
https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:shopify:hydrogen:*:*:*:*:*:node.js:*:*
Information

Published : 2022-05-18 09:15

Updated : 2022-06-01 07:55

NVD link : CVE-2022-29230

Mitre link : CVE-2022-29230

Products Affected
No products.
CWE
CWE-79