GHSA-cfxh-frx4-9gjg: 
JavaScript vulnerability analysis and mitigation

A Critical severity Cross-site Scripting (XSS) vulnerability was identified in @spscommerce/ds-react npm package, tracked as GHSA-cfxh-frx4-9gjg. The vulnerability affects versions >= 4.12.2 and < 7.17.4 of the package, and was published to the GitHub Advisory Database on December 15, 2023 (GitHub Advisory).

The vulnerability is classified as CWE-79 (Cross-site Scripting) and received a Critical severity rating. The issue specifically affects the SPS Select component when the options prop is populated with user input, potentially leading to both reflected and stored XSS attacks (GitHub Advisory).

The vulnerability allows for Cross-site Scripting (XSS) attacks when using the SPS Select component. If the options are stored in databases, it could result in stored XSS, potentially affecting all users who access the affected pages (GitHub Advisory).

The vulnerability has been patched in version 7.17.4 of the package. Users are strongly recommended to upgrade to this version or higher. While a workaround exists through manual sanitization of options (including those stored in databases), this approach is not recommended by the maintainers (GitHub Advisory).