Description
When invoking a capability with a chain depth of 2, i.e., one that is delegated directly from the root capability, the expires property is not properly checked against the current date or other date param. This can allow invocations outside the originally intended time period.
Recommendation
Update the @digitalbazaar/zcap package to the latest compatible version. Version details:
- Affected version(s): < 9.0.1
- Patched version(s): 9.0.1
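
An added example, not code from @digitalbazaar/zcap or from this advisory: a simplified JavaScript model of the check described above, in which every delegated capability in a chain, including a chain of depth 2, has its expires value compared against the invocation date. The function name, the array representation of the chain and all fields other than expires are assumptions of the example, and the sample capabilities are constructed.

```javascript
// Simplified model, not the library's implementation.
// A chain is ordered root first; its depth is its length.
// Field names other than `expires` are assumptions of this sketch.

function checkChainExpiry(chain, date = new Date()) {
  const now = date instanceof Date ? date : new Date(date);
  if (Number.isNaN(now.getTime())) {
    throw new TypeError('date must be a valid Date or date string');
  }
  const failures = [];
  // Start at index 1: the root (index 0) is not delegated. The loop also
  // runs for a chain of length 2, the case the advisory describes.
  for (let i = 1; i < chain.length; i++) {
    const {id, expires} = chain[i];
    const t = Date.parse(expires);
    if (Number.isNaN(t)) {
      // Conservative choice of this example: no usable expiry, reject.
      failures.push({id, depth: i + 1, reason: 'missing or invalid expires'});
    } else if (now.getTime() >= t) {
      failures.push({id, depth: i + 1, reason: 'expired'});
    }
  }
  return {valid: failures.length === 0, failures};
}

// Constructed sample data: a root and one capability delegated from it.
const root = {id: 'urn:zcap:root:example'};
const delegated = {
  id: 'urn:uuid:constructed-1',
  parentCapability: root.id,
  expires: '2024-01-01T00:00:00Z'
};
const depth2 = [root, delegated];

// Invocation inside the delegated time window.
console.log(checkChainExpiry(depth2, '2023-12-31T23:59:59Z'));
// Invocation after the delegated capability has expired.
console.log(checkChainExpiry(depth2, '2024-06-01T00:00:00Z'));
```
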
Tags: npm, @digitalbazaar/zcap
Last updated on April 21, 2024