Description
NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross Site Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function.
https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 can result in Arbitrary javascript code execution.
Recommendation
Update the pym.js package to the latest compatible version. Followings are version details:
- Affected version(s): >= 0.4.2, <= 1.3.1
- Patched version(s): 1.3.2
References
Related Issues
- bootstrap Cross-site Scripting vulnerability - bootstrap-sass - GHSA-ph58-4vrj-w6hr - CVE-2018-20677
- bootstrap Cross-site Scripting vulnerability - bootstrap - CVE-2018-20677
- NASA Open MCT Cross Site Request Forgery (CSRF) vulnerability - CVE-2023-45884
- Simditor XSS Vulnerability - CVE-2018-6464
You might also like:
- Tags:
- npm
- pym.js
Anything's wrong? Let us know Last updated on September 11, 2023


