Description
This affects the package hello.js before 1.18.6. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1).
Recommendation
Update the hellojs package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.18.6
- Patched version(s): 1.18.6
References
Related Issues
- MrSwitch hello.js vulnerable to prototype pollution - CVE-2021-26505
- Redwood is vulnerable to account takeover via dbAuth "forgot-password - Vulnerability
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Incorrect default cookie name and recommendation - Vulnerability
- Tags:
- npm
- hellojs
Anything's wrong? Let us know Last updated on September 12, 2023