Ext JS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2018-8046 - Vulnerability Database


Medium
Reference: CVE-2018-8046
Title: Ext JS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:

The getTip() method of Action Columns in Sencha Ext JS 4 to 6 before 6.6.0 is vulnerable to XSS attacks even when passed HTML-escaped data. The framework has no built-in XSS protection, so the developer has to ensure that data is correctly sanitized. However, the getTip() method of Action Columns takes HTML-escaped data and un-escapes it. If the tooltip contains user-controlled data, an attacker could exploit this to carry out a cross-site scripting attack even when the developer took precautions and escaped the data.
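The un-escape step described in the overview can be modelled in a few lines. This is an added example, not Ext JS source or code from this database entry: `htmlEncode`, `htmlDecode`, `renderedTip` and `safeAfterOneDecode` are hypothetical stand-ins so the snippet runs without the framework. Escaping a second time is shown as an assumed workaround for versions before 6.6.0, not a fix stated on this page.

```javascript
// Stand-ins for a framework's encode/decode helpers (constructed for this
// example so it runs without Ext JS; they are not the Ext JS source).
const ENC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DEC = Object.fromEntries(Object.entries(ENC).map(([k, v]) => [v, k]));

function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENC[c]);
}

function htmlDecode(s) {
  // Single pass: each entity is decoded once, so "&amp;lt;" becomes "&lt;".
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (e) => DEC[e]);
}

// Model of the behaviour in the overview: the tooltip value is un-escaped
// once before it is rendered as HTML (hypothetical name, not an Ext JS API).
function renderedTip(value) {
  return htmlDecode(value);
}

// Check usable in unit tests: after the one un-escape the affected getTip()
// applies, does the value still contain no live markup or quote characters?
function safeAfterOneDecode(value) {
  return !/[<>"']/.test(renderedTip(value));
}

// Constructed sample: user-controlled text that contains markup.
const userInput = '<b>injected</b>';

const escapedOnce = htmlEncode(userInput);    // what a careful developer passes
const escapedTwice = htmlEncode(escapedOnce); // assumed workaround: escape again

function demo() {
  const row = (v) => ({ passed: v, rendered: renderedTip(v), safe: safeAfterOneDecode(v) });
  return { once: row(escapedOnce), twice: row(escapedTwice) };
}

console.log(demo());
```

The value escaped once comes back as raw markup after the un-escape, while the value escaped twice is rendered as the still-escaped text.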