Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12cDRmLXd4Z3ctN3g4eM4AA1rC
Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client
Impact
Improper input validation in the init function allows arbitrary JavaScript to be executed using the javascript: prefix, for example:
SSO.init('javascript:alert("javascript successfully injected")')
Patches
This vulnerability was patched in version 0.1.0.
Workarounds
This vulnerability can be prevented if user input is correctly sanitized, or if no user input is passed to the init function.
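A caller-side scheme allow-list for the value handed to init, added here as an example; it is not the @dcl/single-sign-on-client patch. It assumes a hypothetical wrapper safeSsoInit with an injected init function in place of SSO.init, and accepts only absolute http(s) URLs, so the javascript: payload above and its case or whitespace variants are refused before init ever sees them.

```javascript
// Added example: validate the SSO URL before it reaches init().
// Not the project's own fix; the wrapper and the injected `init` are assumptions
// so the code runs without the package installed.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalized absolute URL, or null when the value must not be used.
// new URL() rejects relative or malformed strings, strips leading control
// characters and whitespace, and lower-cases the scheme, so a value such as
// " JavaScript:alert(1)" still resolves to the javascript: protocol and is refused.
function validateSsoUrl(input) {
  if (typeof input !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(input);
  } catch {
    return null; // relative, empty or unparseable: never forward it
  }
  // Allow-list, not a deny-list: javascript:, data:, vbscript:, blob: all fail here.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Wrapper a consumer could place in front of init(). `init` is injected (stand-in
// for SSO.init) so the check can be exercised offline. It throws rather than
// silently continuing, so a tampered value is noticed instead of being loaded.
function safeSsoInit(init, input) {
  const url = validateSsoUrl(input);
  if (url === null) {
    throw new TypeError('SSO URL rejected: only absolute http(s) URLs are accepted');
  }
  return init(url);
}

// Constructed demonstration: records what a stub init actually receives.
function demo() {
  const received = [];
  const stubInit = (url) => { received.push(url); return url; };
  safeSsoInit(stubInit, 'https://sso.example.org/login'); // accepted
  try {
    safeSsoInit(stubInit, 'javascript:alert("javascript successfully injected")');
  } catch (e) {
    // refused; nothing was pushed to `received`
  }
  return received; // ['https://sso.example.org/login']
}
```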
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cDRmLXd4Z3ctN3g4eM4AA1rC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-vp4f-wxgw-7x8x, CVE-2023-41049
References:
- https://github.com/decentraland/single-sign-on-client/security/advisories/GHSA-vp4f-wxgw-7x8x
- https://nvd.nist.gov/vuln/detail/CVE-2023-41049
- https://github.com/decentraland/single-sign-on-client/pull/2
- https://github.com/decentraland/single-sign-on-client/commit/bd20ea9533d0cda30809d929db85b1b76cef855a
- https://github.com/advisories/GHSA-vp4f-wxgw-7x8x
Blast Radius: 3.6
Affected Packages
npm:@dcl/single-sign-on-client
Dependent packages: 2
Dependent repositories: 3
Downloads: 1,524 last month
Affected Version Ranges: < 0.1.0
Fixed in: 0.1.0
All affected versions: 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14
All unaffected versions: 0.1.0, 2.0.0