Description
Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client
Impact
Improper input validation in the init function allows arbitrary JavaScript to be executed using the javascript: prefix.
Patches
This vulnerability was patched in version 0.1.0.
Workarounds
This vulnerability can be prevented if user input is correctly sanitized or if no user input is passed to the init function.
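One way to apply this workaround, as an added example that is not code from @dcl/single-sign-on-client: it assumes the untrusted value destined for `init` is a URL string, and the helper name `safeSsoUrl` and the host `id.example.test` are hypothetical. It parses the value and allowlists scheme and host rather than searching for the `javascript:` prefix, so case and whitespace variants of the prefix are rejected as well.

```javascript
// Added example: hypothetical pre-validation helper, not part of the library.
// Assumption: the untrusted value that would be passed to init() is a URL string.

// Only these schemes may reach init(); everything else (javascript:, data:, ...) is refused.
const ALLOWED_PROTOCOLS = new Set(["https:"]);

/**
 * Returns the normalized URL if `input` is an absolute URL whose scheme and
 * host are both allowlisted; returns null otherwise.
 * `allowedHosts` holds exact host[:port] strings (constructed sample hosts below).
 */
function safeSsoUrl(input, allowedHosts) {
  if (typeof input !== "string") return null;

  let parsed;
  try {
    // No base URL is given, so relative input throws instead of being resolved.
    // The parser also lowercases the scheme and strips leading whitespace and
    // embedded tabs/newlines, which a naive startsWith("javascript:") test misses.
    parsed = new URL(input);
  } catch {
    return null;
  }

  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  // Compare the parsed host, not a substring of the raw input, so that
  // "https://id.example.test@other.example.test/" is judged by its real host.
  if (!allowedHosts.has(parsed.host)) return null;

  return parsed.href;
}

// Constructed sample inputs; id.example.test is a placeholder SSO host.
const hosts = new Set(["id.example.test"]);
const samples = [
  "https://id.example.test/sso",
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<p>x</p>",
  "/relative/path",
  "https://id.example.test@other.example.test/",
];
for (const s of samples) {
  const result = safeSsoUrl(s, hosts);
  console.log(JSON.stringify(s), "->", result === null ? "rejected" : result);
}
```

Only a non-null return value should be handed on to `init`; upgrading to 0.1.0 remains the fix.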
References
- https://github.com/decentraland/single-sign-on-client/security/advisories/GHSA-vp4f-wxgw-7x8x
- https://nvd.nist.gov/vuln/detail/CVE-2023-41049
- https://github.com/decentraland/single-sign-on-client/pull/2
- https://github.com/decentraland/single-sign-on-client/commit/bd20ea9533d0cda30809d929db85b1b76cef855a
Packages
@dcl/single-sign-on-client: affected versions < 0.1.0; patched version 0.1.0
Related vulnerabilities
@dcl/single-sign-on-client is an open source npm library which deals with single sign-on authentication flows. Improper input validation in the `init` function allows arbitrary JavaScript to be executed using the `javascript:` prefix. This vulnerability has been patched in version `0.1.0`. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the `init` function.