Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpxaDctdzVwci1jcjU2
Cross-site scripting in @shopify/koa-shopify-auth
A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the shop parameter on the /shopify/auth/enable_cookies endpoint.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpxaDctdzVwci1jcjU2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-jqh7-w5pr-cr56, CVE-2020-8176
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-8176
- https://github.com/Shopify/quilt/pull/1455
- https://hackerone.com/reports/881409
- https://github.com/advisories/GHSA-jqh7-w5pr-cr56
Blast Radius: 16.4
Affected Packages
npm:@shopify/koa-shopify-auth
Dependent packages: 9Dependent repositories: 484
Downloads: 9,658 last month
Affected Version Ranges: >= 3.1.61, <= 3.1.62
Fixed in: 3.1.63
All affected versions: 3.1.61, 3.1.62
All unaffected versions: 1.0.0, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.1.35, 3.1.36, 3.1.37, 3.1.38, 3.1.39, 3.1.40, 3.1.41, 3.1.42, 3.1.43, 3.1.44, 3.1.45, 3.1.46, 3.1.47, 3.1.48, 3.1.49, 3.1.50, 3.1.51, 3.1.52, 3.1.53, 3.1.54, 3.1.55, 3.1.56, 3.1.57, 3.1.58, 3.1.59, 3.1.60, 3.1.63, 3.1.64, 3.1.65, 3.1.66, 3.1.67, 3.1.68, 3.1.69, 3.1.70, 3.1.72, 3.2.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 5.0.0, 5.0.2, 5.0.3