Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXIzMngtamh3NS1nNDhw

Cross-Site Scripting in eco

All versions of eco are vulnerable to Cross-Site Scripting (XSS). The package's default __escape implementation fails to escape single quotes, which may allow attackers to execute arbitrary JavaScript in the victim's browser.
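
As an added example that is not eco's own code: a constructed escaper that, like the one the advisory describes, handles `&`, `<`, `>` and `"` but not `'`, beside a complete one, plus a check that makes the single-quoted attribute gap visible. All function names and the sample value are assumptions.

```javascript
// Added illustration, not eco's source: an escaper that omits the single
// quote next to a complete one, and a check showing why the omission
// matters when a value lands inside a single-quoted HTML attribute.

// Constructed stand-in for an escaper that handles & < > " but not '.
function escapeIncomplete(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Complete escaper for text and attribute contexts: also neutralises '.
function escapeComplete(value) {
  return escapeIncomplete(value).replace(/'/g, '&#39;');
}

// Renders an untrusted value into a single-quoted title attribute.
function renderTitle(escapeFn, value) {
  return "<span title='" + escapeFn(value) + "'>x</span>";
}

// Recovers the attribute value the way a parser would: up to the next raw '.
// Anything after that quote is read as tag markup, not as the value.
function parsedTitle(html) {
  const start = html.indexOf("title='") + "title='".length;
  const end = html.indexOf("'", start);
  return html.slice(start, end);
}

// Hypothetical output check for an escaper: no raw < > " ' may remain, and
// every & must begin one of the entities the escaper itself emits.
function isSafeEscaped(escaped) {
  if (/[<>"']/.test(escaped)) return false;
  return escaped.split('&').slice(1).every(s => /^(amp|lt|gt|quot|#39);/.test(s));
}

// Constructed sample value containing a single quote.
const SAMPLE = "O'Brien";
```

With the incomplete escaper the parsed attribute value stops at the user's quote and the remainder of the input becomes markup; with the complete one the whole value stays inside the attribute.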

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Permalink: https://github.com/advisories/GHSA-r32x-jhw5-g48p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXIzMngtamh3NS1nNDhw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-r32x-jhw5-g48p
References: Repository: https://github.com/sstephenson/eco
Blast Radius: 0.0

Affected Packages

npm:eco
Dependent packages: 200
Dependent repositories: 28,282
Downloads: 11,263 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3