Lucene search

K
cve[email protected]CVE-2023-41049
HistorySep 01, 2023 - 8:15 p.m.

CVE-2023-41049

2023-09-0120:15:07
CWE-79
web.nvd.nist.gov
74
nvd
cve-2023-41049
single sign on
authentication
npm library
input validation
vulnerability
patch
upgrade
untrusted user input

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Improper input validation in the init function allows arbitrary javascript to be executed using the javascript: prefix. This vulnerability has been patched on version 0.1.0. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the init function.

Affected configurations

Vulners
NVD
Node
decentralandsingle_sign_on_clientRange<0.1.0
VendorProductVersionCPE
decentralandsingle_sign_on_client*cpe:2.3:a:decentraland:single_sign_on_client:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "decentraland",
    "product": "single-sign-on-client",
    "versions": [
      {
        "version": "< 0.1.0",
        "status": "affected"
      }
    ]
  }
]

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

Related for CVE-2023-41049