Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTgyZ3ctcHFmNy1xM2oy
pym.js CSRF Vulnerability
NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross Site Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function.
https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 can result in Arbitrary javascript code execution. This attack appears to be exploitable if the Attacker gains full javascript access to pages with Pym.js embeds, or when user visits an attacker-crafted page. This vulnerability appears to have been fixed in versions 1.3.2 and later.
Permalink: https://github.com/advisories/GHSA-82gw-pqf7-q3j2JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTgyZ3ctcHFmNy1xM2oy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 6 years ago
Updated: 8 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-82gw-pqf7-q3j2, CVE-2018-1000086
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000086
- https://github.com/nprapps/pym.js/issues/170
- https://github.com/advisories/GHSA-82gw-pqf7-q3j2
- https://github.com/nprapps/pym.js
- http://blog.apps.npr.org/2018/02/15/pym-security-vulnerability.html
- https://github.com/nprapps/pym.js/commit/c3552a6cf2532664c17bd6a318fb3cf8e4cf2f97
Blast Radius: 16.6
Affected Packages
npm:pym.js
Dependent packages: 21Dependent repositories: 77
Downloads: 25,345 last month
Affected Version Ranges: >= 0.4.2, <= 1.3.1
Fixed in: 1.3.2
All affected versions: 0.4.3, 0.4.5, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1
All unaffected versions: 0.4.0, 0.4.1, 1.3.2