Description
When invoking a capability with a chain depth of 2, i.e., one that is delegated directly from the root capability, the expires property is not properly checked against the current date or another date parameter. This can allow invocations outside of the originally intended time period.
Recommendation
Update the @digitalbazaar/zcap package to the latest compatible version. Version details:
- Affected version(s): < 9.0.1
- Patched version(s): 9.0.1
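An application-side check that can run before an invocation is accepted, given as an added example and not code from @digitalbazaar/zcap: it walks a dereferenced capability chain and reports every delegated capability whose expires is missing or not after the given date, including the depth-2 case from the description. The function names, the root-first chain layout, the treatment of the expiry instant itself as expired, and the sample ids and dates are assumptions made for this example.

```javascript
// Added example: expiry check over a dereferenced zcap chain.
// Assumption: `chain` is an array of plain capability objects, root first.

// Return the ids of delegated capabilities that are not valid at `date`.
// The root capability carries no `expires`; every delegated one must.
function expiredInChain(chain, date = new Date()) {
  const now = date.getTime();
  const bad = [];
  // Start at index 1 because index 0 is the root. A chain of length 2
  // (root plus one delegated capability) is checked like any longer chain.
  for (let i = 1; i < chain.length; i++) {
    const { id, expires } = chain[i];
    const t = Date.parse(expires);
    // A missing or unparseable `expires` fails closed. This example also
    // treats the expiry instant itself as expired (an assumption).
    if (Number.isNaN(t) || t <= now) bad.push(id);
  }
  return bad;
}

// Constructed sample data: ids and dates are illustrative only.
const root = { id: 'urn:zcap:root:constructed-example' };
const delegated = {
  id: 'urn:uuid:constructed-delegated-1',
  parentCapability: root.id,
  expires: '2024-01-01T00:00:00Z'
};
const depth2 = [root, delegated];

// Evaluate the depth-2 chain on either side of its expiry date.
function demo() {
  return {
    beforeExpiry: expiredInChain(depth2, new Date('2023-12-31T00:00:00Z')),
    afterExpiry: expiredInChain(depth2, new Date('2024-03-01T00:00:00Z'))
  };
}
```

A check like this supplements the upgrade to the patched version; it does not replace it.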
- Tags:
- npm
- @digitalbazaar/zcap
Last updated on April 21, 2024