Headline
GHSA-vp4f-wxgw-7x8x: Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client
Impact
Improper input validation in the init function allows arbitrary JavaScript to be executed using the javascript: prefix:
SSO.init('javascript:alert("javascript successfully injected")')
Patches
This vulnerability was patched in version 0.1.0.
Workarounds
This vulnerability can be prevented if user input is correctly sanitized, or if no user input is passed to the init function.
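One way to apply the workaround above on the caller's side, as an added example that is not part of the advisory or of the @dcl/single-sign-on-client code base: parse the string with the WHATWG URL class and allow only an https: scheme (optionally also an allowlist of hosts) before handing it to init. It assumes init takes a single URL string, as the proof-of-concept call implies, and the wrapper safeInit / the host list are assumed names for illustration.

```javascript
// Added example, not the package's own code. Only https: is allowed on purpose:
// an SSO endpoint loaded over plain http: would be a downgrade.
const ALLOWED_PROTOCOLS = new Set(["https:"]);

/**
 * Returns the normalized absolute URL if `input` has an allowlisted scheme
 * (and, when `allowedHosts` is given, an allowlisted host), otherwise null.
 * Parsing with `new URL()` first means leading whitespace and mixed-case
 * schemes such as " JavaScript:alert(1)" are normalized before the check,
 * so a naive startsWith("javascript:") bypass does not work. Without a base
 * URL, relative and scheme-less input ("//host/path") fails to parse and is
 * rejected as well.
 */
function sanitizeSsoUrl(input, allowedHosts = null) {
  if (typeof input !== "string") return null;
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // not an absolute URL
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null; // drops javascript:, data:, http:, ...
  if (allowedHosts && !allowedHosts.includes(url.host)) return null;
  return url.href;
}

/**
 * Wraps a real init function (e.g. SSO.init from the package) so that only a
 * validated URL reaches it. Throws rather than silently initialising with
 * untrusted input; returns whatever the wrapped init returns.
 */
function safeInit(initFn, input, allowedHosts = null) {
  const url = sanitizeSsoUrl(input, allowedHosts);
  if (url === null) {
    throw new TypeError(
      `refusing to initialise SSO with a non-https URL: ${JSON.stringify(input)}`
    );
  }
  return initFn(url);
}
```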
Package
npm @dcl/single-sign-on-client (npm)
Affected versions
< 0.1.0
Patched versions
0.1.0
References
- GHSA-vp4f-wxgw-7x8x
- https://nvd.nist.gov/vuln/detail/CVE-2023-41049
- decentraland/single-sign-on-client#2
- decentraland/single-sign-on-client@bd20ea9
2fd published to decentraland/single-sign-on-client
Aug 31, 2023
Published to the GitHub Advisory Database
Sep 4, 2023
Reviewed
Sep 4, 2023
Last updated
Sep 4, 2023
Related news
@dcl/single-sign-on-client is an open source npm library which deals with single sign-on authentication flows. Improper input validation in the `init` function allows arbitrary JavaScript to be executed using the `javascript:` prefix. This vulnerability has been patched in version `0.1.0`. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the `init` function.