Description
Affected versions of gmail-js are vulnerable to cross-site scripting in the tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post functions, which pass user input directly into the Function constructor.
Recommendation
Update the gmail-js package to the latest compatible version. Followings are version details:
- Affected version(s): <= 0.6.4
- Patched version(s): 0.6.5
References
Related Issues
- Denial of Service in jquery - CVE-2016-10707
- gifplayer XSS vulnerability - CVE-2025-31128
- Prototype pollution in gsap - CVE-2020-28478
- pym.js CSRF Vulnerability - CVE-2018-1000086
- Tags:
- npm
- gmail-js
Anything's wrong? Let us know Last updated on January 09, 2023