Headline
CVE-2023-41049: Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client
@dcl/single-sign-on-client is an open source npm library which deals with single sign-on authentication flows. Improper input validation in the init function allows arbitrary JavaScript to be executed using the javascript: prefix. This vulnerability has been patched in version 0.1.0. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the init function.
High
2fd published GHSA-vp4f-wxgw-7x8x
Aug 31, 2023
Package
npm @dcl/single-sign-on-client (npm)
Description
Impact
Improper input validation in the init function allows arbitrary JavaScript to be executed using the javascript: prefix:
SSO.init('javascript:alert("javascript successfully injected")')
Patches
This vulnerability was patched in version 0.1.0.
Workarounds
This vulnerability can be prevented if user input is correctly sanitized or if no user input is passed to the init function.
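One way to apply the workaround above, as an added example that is not code from the advisory or the library: parse the value with the WHATWG URL parser and allow only an expected scheme and host before it reaches SSO.init. The names safeSsoUrl and ALLOWED_PROTOCOLS, the host id.example.org, and the assumption that init takes a URL string are illustrative.

```javascript
// Added example. safeSsoUrl, ALLOWED_PROTOCOLS and the host names are
// hypothetical; the samples below are constructed for illustration.
const ALLOWED_PROTOCOLS = new Set(['https:']);

function safeSsoUrl(input, allowedHosts = []) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    // The WHATWG parser normalises like a browser: it trims surrounding
    // whitespace, drops tabs/newlines and lowercases the scheme, so the
    // check below sees the scheme the browser would act on.
    url = new URL(input);
  } catch {
    return null; // relative or malformed input has no scheme to trust
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null; // javascript:, data:, ...
  if (url.username || url.password) return null;         // no embedded credentials
  if (!allowedHosts.includes(url.hostname)) return null; // only known SSO hosts
  return url.href; // hand on the normalised form, not the raw string
}

// Constructed inputs: the advisory's string plus case/whitespace variants.
const SAMPLES = [
  'javascript:alert("javascript successfully injected")',
  '  JaVaScRiPt:alert(1)',
  'data:text/html,hello',
  '/relative/path',
  'https://other.example.net/',
  'https://id.example.org',
];

// Returns [raw input, normalised URL or null] for every sample.
function checkSamples(hosts = ['id.example.org']) {
  return SAMPLES.map((s) => [s, safeSsoUrl(s, hosts)]);
}

for (const [raw, ok] of checkSamples()) {
  console.log(ok ? 'accept' : 'reject', JSON.stringify(raw));
}
```

Call SSO.init only with the value safeSsoUrl returns, and treat null as rejected input.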
Severity
CVSS base metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses