pym.js CSRF Vulnerability

Severity:: High

Description

NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross Site Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function.

https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 can result in Arbitrary javascript code execution.

Recommendation

Update the pym.js package to the latest compatible version. Followings are version details:

Affected version(s): >= 0.4.2, <= 1.3.1
Patched version(s): 1.3.2

References

GHSA-82gw-pqf7-q3j2
blog.apps.npr.org
CVE-2018-1000086
CWE-352
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Denial of Service in jquery - CVE-2016-10707
gifplayer XSS vulnerability - CVE-2025-31128
Prototype pollution in gsap - CVE-2020-28478
Cross-site Scripting in vmd - CVE-2021-33041

Tags:: npm; pym.js

Anything's wrong? Let us know Last updated on September 11, 2023