OSV:GHSA-VP4F-WXGW-7X8X
History: Sep 04, 2023 - 4:36 p.m.

Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client

Published: 2023-09-04 16:36:27
Source: Google (osv.dev)
Tags: vulnerability, input validation, javascript prefix, patch, version, user input, sanitize, init function, sso, single sign on, software

CVSS v3: 7.5 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector:          NETWORK
Attack Complexity:      LOW
Privileges Required:    NONE
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       NONE
Availability Impact:    NONE

EPSS: 0.0005 (Low), percentile 17.0%

Impact

Improper input validation in the init function allows arbitrary JavaScript to be executed: a value carrying the javascript: prefix is accepted as-is and ends up in a sink that runs it. Proof of concept:

    SSO.init('javascript:alert("javascript successfully injected")')

Patches

This vulnerability was patched in version 0.1.0.

Workarounds

This vulnerability can be prevented by validating or sanitizing any user-controlled value before it reaches the init function (for example, accepting only absolute https: URLs), or by never passing user input to the init function at all. Note that a plain prefix check is not enough on its own: URL parsers ignore leading whitespace, embedded tabs and newlines, and scheme case, so "JavaScript:" or " javascript:" must be rejected too.
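The following is an added example of the workaround described above; it is not code from @dcl/single-sign-on-client or its authors. It validates a caller-supplied SSO URL with the WHATWG URL parser (built into Node and browsers) and only then hands it to an init function, so a javascript: value, in any spelling, never reaches the library. The `sso.init(url)` object used here is a stand-in with the same call shape as the advisory's proof of concept, and the `allowedHosts` / `allowHttp` options are assumptions of this example, not options of the real library.

```javascript
// Added example (not code from @dcl/single-sign-on-client): validate a
// user-supplied SSO URL before it reaches any init/src/href sink.

/**
 * Return a normalized, absolute https: URL, or throw.
 *
 * The WHATWG URL parser does the normalization that naive string checks miss:
 * it strips leading/trailing C0 controls and spaces, removes embedded tabs and
 * newlines, and lower-cases the scheme, so "JavaScript:", " javascript:" and
 * "java\tscript:" all surface as protocol === "javascript:" and are rejected.
 * `allowedHosts` and `allowHttp` are options of this example only.
 */
function validateSsoUrl(input, { allowedHosts = null, allowHttp = false } = {}) {
  if (typeof input !== 'string') {
    throw new TypeError('SSO URL must be a string');
  }
  let parsed;
  try {
    parsed = new URL(input); // no base URL: relative inputs are rejected too
  } catch (err) {
    throw new Error(`SSO URL is not an absolute URL: ${JSON.stringify(input)}`);
  }
  const schemeOk =
    parsed.protocol === 'https:' || (allowHttp && parsed.protocol === 'http:');
  if (!schemeOk) {
    throw new Error(`SSO URL uses a disallowed scheme: ${parsed.protocol}`);
  }
  // Optional host allowlist: `host` is already lower-cased and carries a
  // non-default port, so an exact comparison is sufficient.
  if (allowedHosts && !allowedHosts.includes(parsed.host)) {
    throw new Error(`SSO host not in allowlist: ${parsed.host}`);
  }
  return parsed.href;
}

/** True if validateSsoUrl rejects the input. */
function rejects(input, opts) {
  try {
    validateSsoUrl(input, opts);
    return false;
  } catch (err) {
    return true;
  }
}

/**
 * Call init only with a validated URL. `sso` is any object exposing init(url);
 * in production that would be the library's SSO object, here a stand-in.
 */
function safeInit(sso, userSuppliedUrl, opts) {
  const url = validateSsoUrl(userSuppliedUrl, opts);
  return sso.init(url);
}

// Constructed stand-in for the library object: records what it was given.
function makeRecordingSso() {
  const calls = [];
  return { calls, init(url) { calls.push(url); return url; } };
}

// Constructed sample inputs; the first is the advisory's own payload.
const SAMPLE_INPUTS = [
  'javascript:alert("javascript successfully injected")',
  'JAVASCRIPT:alert(1)',
  ' javascript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'http://id.example.com/sso',
  '/sso/callback',
  'https://id.example.com/sso',
];

for (const input of SAMPLE_INPUTS) {
  console.log(rejects(input) ? 'REJECT' : 'ACCEPT', JSON.stringify(input));
}
```

Only the last sample is accepted with the default options. Parsing with `new URL` and checking `protocol` (rather than `input.startsWith('javascript:')`) is the point: the parser normalizes case, whitespace and embedded tabs before the comparison, and requiring an absolute https: URL turns the check into an allowlist instead of a denylist of bad schemes.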

Affected package (CPE)

Name:     @dcl/single-sign-on-client
Operator: lt
Version:  0.1.0
