Lucene search
GitHub Advisory DatabaseGHSA-R4JG-5V89-9V62HistoryNov 08, 2022 - 8:48 p.m.
Withdrawn: Octocat.js vulnerable to code injection
2022-11-0820:48:49
CWE-74
CWE-94
GitHub Advisory Database
github.com
5
octocat.js
code injection
vulnerability
patched
version 1.2
image validation
security risk
html mitigation
Withdrawn
This advisory has been withdrawn because it is a test.
Original Description
Impact
Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code.
Patches
This vulnerability was fixed in version 1.2 of octocat.js
Workarounds
Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk.
References
To render the file correctly, see documentation at readme.md
For more information
If you have any questions or comments about this advisory:
- Open an issue in the octo.js repository
Affected configurations
Node
octocat.jsRange<1.2
| Vendor | Product | Version | CPE |
|---|---|---|---|
| * | octocat.js | * | cpe:2.3:a:*:octocat.js:*:*:*:*:*:*:*:* |
Related
osv
osv
Octocat.js vulnerable to code injection
2022-11-08 20:48:49
cvelist
cvelist
CVE-2022-39390
1976-01-01 00:00:00
nvd
nvd
CVE-2022-39390
2022-11-09 01:15:09
cve
cve
CVE-2022-39390
2022-11-09 01:15:09
Related for GHSA-R4JG-5V89-9V62