Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yNGpnLTV2ODktOXY2Ms4AAvvz
Withdrawn: Octocat.js vulnerable to code injection
Withdrawn
This advisory has been withdrawn because it is a test.
Original Description
Impact
Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code.
Patches
This vulnerability was fixed in version 1.2 of octocat.js
Workarounds
Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk.
References
To render the file correctly, see documentation at readme.md
For more information
If you have any questions or comments about this advisory:
- Open an issue in the octo.js repository
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNGpnLTV2ODktOXY2Ms4AAvvz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago Widthdrawn: over 1 year ago
Identifiers: GHSA-r4jg-5v89-9v62, CVE-2022-39390
References:
- https://github.com/octocademy/octocat.js/security/advisories/GHSA-r4jg-5v89-9v62
- https://nvd.nist.gov/vuln/detail/CVE-2022-39390
- https://github.com/advisories/GHSA-r4jg-5v89-9v62
Blast Radius: 0.0
Affected Packages
npm:octocat.js
Dependent packages: 1Dependent repositories: 1
Downloads: 1 last month
Affected Version Ranges: < 1.2
Fixed in: 1.2
All affected versions: 1.0.0
All unaffected versions: