GHSA-vp4f-wxgw-7x8x: Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client

Impact

Improper input validation in the init function allows arbitrary JavaScript to be executed by passing a value with the javascript: prefix:

    SSO.init('javascript:alert("javascript successfully injected")')

Patches

This vulnerability was patched in version 0.1.0.

Workarounds

This vulnerability can be prevented if user input is correctly sanitized or if no user input is passed to the init function.
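
One way to apply the workaround on versions before 0.1.0, as an added example (not code from the advisory or from the library's patch): parse the value with the WHATWG URL parser and allowlist scheme and origin before calling init, rather than string-matching the prefix. It assumes the init argument is a URL; the allowed origin, checkSsoUrl and initSso are hypothetical names and values.

```javascript
// Added example: validate a value before it reaches SSO.init().
// ALLOWED_ORIGINS holds a constructed placeholder origin, not one from the advisory.
const ALLOWED_ORIGINS = new Set(['https://id.example.org']);

// Returns { ok: true, url } for an acceptable value, else { ok: false, reason }.
function checkSsoUrl(input, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  let url;
  try {
    // The parser trims leading whitespace and lowercases the scheme, so the
    // check below sees the same scheme a browser would act on.
    url = new URL(input);
  } catch {
    return { ok: false, reason: 'unparseable' }; // relative or malformed input
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme:' + url.protocol };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials' };
  }
  if (!allowedOrigins.has(url.origin)) {
    return { ok: false, reason: 'origin' };
  }
  return { ok: true, url: url.href };
}

// Hypothetical wrapper: `sso` is whatever object exposes init() in the application.
function initSso(sso, input) {
  const result = checkSsoUrl(input);
  if (!result.ok) {
    throw new Error('refusing SSO URL: ' + result.reason);
  }
  // Pass the normalized form, not the raw input.
  return sso.init(result.url);
}
```

Upgrading to 0.1.0 remains the fix; a check like this only narrows what application code hands to the library.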

Package

@dcl/single-sign-on-client (npm)

Affected versions

< 0.1.0

Patched versions

0.1.0

References

  • GHSA-vp4f-wxgw-7x8x
  • https://nvd.nist.gov/vuln/detail/CVE-2023-41049
  • decentraland/single-sign-on-client#2
  • decentraland/single-sign-on-client@bd20ea9

2fd published to decentraland/single-sign-on-client

Aug 31, 2023

Published to the GitHub Advisory Database

Sep 4, 2023

Reviewed

Sep 4, 2023

Last updated

Sep 4, 2023

Related news

CVE-2023-41049: Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client

@dcl/single-sign-on-client is an open source npm library which deals with single sign-on authentication flows. Improper input validation in the `init` function allows arbitrary JavaScript to be executed using the `javascript:` prefix. This vulnerability has been patched in version `0.1.0`. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the `init` function.