MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXIzMngtamh3NS1nNDhw

High

Permalink JSON

Cross-Site Scripting in eco

Affected Packages	Affected Versions	Fixed Versions
npm:eco	>= 0.0.0	No known fixed version
200 Dependent packages 28,282 Dependent repositories 14,878 Downloads last month Affected Version Ranges All affected versions 1.0.0, 1.0.1, 1.0.2, 1.0.3

All versions of eco are vulnerable to Cross-Site Scripting (XSS). The package's default __escape implementation fails to escape single quotes, which may allow attackers to execute arbitrary JavaScript on the victim's browser.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

References:

https://github.com/sstephenson/eco/pull/67
https://www.npmjs.com/advisories/1024
https://github.com/advisories/GHSA-r32x-jhw5-g48p

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXIzMngtamh3NS1nNDhw

Cross-Site Scripting in eco

Affected Version Ranges

All affected versions

Recommendation

Identifiers

Risk

Severity

Classification

Source

Origin

Repository

Date and time

Published

Updated

API