CVE-2020-8176

Опубликовано: 02 июл. 2020

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the shop parameter on the /shopify/auth/enable_cookies endpoint.

Ссылки

https://github.com/Shopify/quilt/pull/1455
Exploit
Patch
Third Party Advisory
https://hackerone.com/reports/881409
Permissions Required
https://github.com/Shopify/quilt/pull/1455
Exploit
Patch
Third Party Advisory
https://hackerone.com/reports/881409
Permissions Required

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:shopify:koa-shopify-auth:3.1.61:*:*:*:*:*:*:*

cpe:2.3:a:shopify:koa-shopify-auth:3.1.62:*:*:*:*:*:*:*

EPSS

Процентиль: 40%

0.00187

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-jqh7-w5pr-cr56