Description
This affects the package hello.js before 1.18.6. The code reads the oauth_redirect parameter from the URL and passes it to location.assign without any check or sanitisation. An attacker can therefore place an XSS payload such as javascript:alert(1) in the oauth_redirect URL parameter, and location.assign will execute it as script in the page's origin.
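To make the fix concrete, the following is an added example (not hello.js project code) contrasting the vulnerable pattern the advisory describes with a hardened redirect check: the parameter is parsed with the WHATWG URL API, restricted to http(s), and required to stay on the page's own origin before it is handed to location.assign. Function names, the origin and the sample query strings are all hypothetical and constructed for illustration.

```javascript
// Added example, not hello.js code. Names and sample inputs are hypothetical.

// Vulnerable shape, as described in the advisory: whatever the query string
// carries is returned unchanged and (in the real code) fed to location.assign,
// so a value like "javascript:alert(1)" is executed as script.
function vulnerableRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get('oauth_redirect');
}

// Hardened shape: parse the value as a URL relative to the page origin,
// allow only http(s) schemes, and require the result to stay same-origin.
// Returns the normalised absolute URL to assign, or null to refuse.
function safeRedirectTarget(search, pageOrigin) {
  const params = new URLSearchParams(search);
  const raw = params.get('oauth_redirect');
  if (raw === null) return null;

  let target;
  try {
    // Resolving against the page origin accepts relative paths like "/callback"
    // and rejects values that cannot be parsed as a URL at all.
    target = new URL(raw, pageOrigin);
  } catch (e) {
    return null;
  }

  // Scheme allowlist blocks javascript:, data:, vbscript:, etc.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return null;

  // Same-origin check blocks open redirects, including protocol-relative
  // "//other-host/..." values that resolve to a different host.
  if (target.origin !== new URL(pageOrigin).origin) return null;

  return target.href;
}

// Constructed sample query strings exercising both functions.
const PAGE_ORIGIN = 'https://app.example.com'; // hypothetical origin
const SAMPLE_QUERIES = [
  '?oauth_redirect=javascript:alert(1)',
  '?oauth_redirect=/callback%3Fstate%3Dabc',
  '?oauth_redirect=https://app.example.com/done',
  '?oauth_redirect=//evil.example.net/phish',
  '?oauth_redirect=data:text/html,x',
];

for (const q of SAMPLE_QUERIES) {
  console.log(
    q,
    '| vulnerable ->', vulnerableRedirectTarget(q),
    '| hardened ->', safeRedirectTarget(q, PAGE_ORIGIN)
  );
}
```

In a browser, the hardened function's non-null result is what would be passed to location.assign; a null result should fall back to a fixed in-app page rather than to the raw parameter. Note that the origin comparison is done on the parsed URL, not on the string prefix, so tricks such as a user-info section or a lookalike host do not pass.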
Recommendation
Update the hellojs package to the latest compatible version. Version details:
- Affected version(s): < 1.18.6
- Patched version(s): 1.18.6
References
Related Issues
- Cross-site Scripting (XSS) in Eclipse Theia - CVE-2020-27224
- XSS in svg2png (NPM package) - CVE-2020-11887
- Potential XSS vulnerability in jQuery - CVE-2020-11023
- Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter - CVE-2020-19698
Tags: npm, hellojs
Last updated on September 12, 2023