DOM-based XSS in gmail-js

Severity:: High

Description

Affected versions of gmail-js are vulnerable to cross-site scripting in the tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post functions, which pass user input directly into the Function constructor.

Recommendation

Update the gmail-js package to the latest compatible version. Followings are version details:

Affected version(s): <= 0.6.4
Patched version(s): 0.6.5

References

GHSA-c7pp-g2v2-2766
www.npmjs.com
CVE-2016-1000228
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes - CVE-2025-53892
vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes (GHSA-x8qp-wqqm-57ph) 4 - CVE-2025-53892
vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes (GHSA-x8qp-wqqm-57ph) 3 - CVE-2025-53892
vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes (GHSA-x8qp-wqqm-57ph) 2 - CVE-2025-53892

Tags:: npm; gmail-js

Anything's wrong? Let us know Last updated on January 09, 2023