Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdqaDktNmNwZi1oNG03
XSS in hello.js
This affects the package hello.js before 1.18.6. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1).
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdqaDktNmNwZi1oNG03
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 9.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
Identifiers: GHSA-7jh9-6cpf-h4m7, CVE-2020-7741
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7741
- https://github.com/MrSwitch/hello.js/commit/d6f5137f30de6e0ef7048191ee6ae575fdc2f669
- https://github.com/MrSwitch/hello.js/blob/3b79ec93781b3d7b9c0b56f598e060301d1f3e73/dist/hello.all.js%23L1545
- https://snyk.io/vuln/SNYK-JS-HELLOJS-1014546
- https://github.com/advisories/GHSA-7jh9-6cpf-h4m7
Blast Radius: 24.7
Affected Packages
npm:hellojs
Dependent packages: 28Dependent repositories: 315
Downloads: 24,057 last month
Affected Version Ranges: < 1.18.6
Fixed in: 1.18.6
All affected versions: 0.1.5, 0.1.6, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.5, 1.0.0, 1.1.3, 1.3.2, 1.3.7, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.3, 1.7.4, 1.7.5, 1.8.2, 1.8.3, 1.8.4, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.16.0, 1.16.1, 1.17.1, 1.18.0, 1.18.1, 1.18.3, 1.18.4
All unaffected versions: 1.18.6, 1.18.8, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.20.0