pym.js CSRF Vulnerability

Severity:: High

Description

NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross Site Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function.

https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 can result in Arbitrary javascript code execution.

Recommendation

Update the pym.js package to the latest compatible version. Followings are version details:

Affected version(s): >= 0.4.2, <= 1.3.1
Patched version(s): 1.3.2

References

GHSA-82gw-pqf7-q3j2
blog.apps.npr.org
CVE-2018-1000086
CWE-352
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Simditor XSS Vulnerability - CVE-2018-6464
Cross-Site Request Forgery (CSRF) in Auth0 - CVE-2018-6874
XSS vulnerability that affects bootstrap (GHSA-3mgp-fx93-9xv5) - CVE-2018-20676
XSS vulnerability that affects bootstrap - CVE-2018-20676

Tags:: npm; pym.js

Anything's wrong? Let us know Last updated on September 11, 2023