Описание
Withdrawn: Octocat.js vulnerable to code injection
Withdrawn
This advisory has been withdrawn because it is a test.
Original Description
Impact
Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code.
Patches
This vulnerability was fixed in version 1.2 of octocat.js
Workarounds
Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk.
References
To render the file correctly, see documentation at readme.md
For more information
If you have any questions or comments about this advisory:
- Open an issue in the octo.js repository
Пакеты
octocat.js
< 1.2
1.2
CVE ID
Дефекты
Связанные уязвимости
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-36534. Reason: This candidate is a reservation duplicate of CVE-2020-36534. Notes: All CVE users should reference CVE-2020-36534 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.