EUVD-2021-0496
Malware in sbrugna...
Prototype Pollution
hellojs is vulnerable to Prototype Pollution. The vulnerability is due to a lack of sanitization of the __proto__ and constructor keys during object initialization, which allows an attacker to overwrite the base object, resulting in the execution of arbitrary code via the hello.utils.extend function...
kinvey-angular-sdk (>=3.4.0 <=3.5.3), kinvey-angular2-sdk (>=3.4.1 <=3.5.2) +6 more potentially affected by CVE-2021-26505 via hellojs (>=1.13.1 <=1.14.1)
hellojs NPM version =1.13.1, =3.4.0, =3.4.1, =3.4.1, =3.4.0, =3.4.1, =3.4.0, =3.4.0, =3.4.1, =3.5.2 Source cves: CVE-2021-26505 Source advisory: OSV:GHSA-G3VF-47FV-8F3C...
hellojs security vulnerability
hellojs is a client-side JavaScript software development kit for OAuth user authentication, aimed at individual developers. A security vulnerability exists in MrSwitch hello.js version 1.18.6, which stems from a prototype pollution flaw. An attacker can exploit the...
Prototype Pollution
hellojs is vulnerable to prototype pollution. An attacker is able to exploit the vulnerability via hello.utils.extend to inject arbitrary properties into constructor prototypes and modify attributes such as __proto__, constructor and prototype...
kinvey-angular-sdk (>=3.4.0 <=3.5.3), kinvey-angular2-sdk (>=3.4.1 <=3.5.2) +6 more potentially affected by CVE-2020-7741 via hellojs (>=1.13.1 <=1.14.1)
hellojs NPM version =1.13.1, =3.4.0, =3.4.1, =3.4.1, =3.4.0, =3.4.1, =3.4.0, =3.4.0, =3.4.1, =3.5.2 Source cves: CVE-2020-7741 Source advisory: OSV:GHSA-7JH9-6CPF-H4M7...
Cross-site Scripting (XSS)
hellojs is vulnerable to cross-site scripting (XSS). An attacker is able to inject and execute arbitrary JavaScript code via the oauth_redirect parameter in the URL...
CVE-2020-7741
This affects the package hellojs before 1.18.6. The code gets the param oauth_redirect from the URL and passes it to location.assign without any check or sanitisation. So we can simply pass some XSS payloads into the URL param oauth_redirect, such as javascript:alert(1)...
Design/Logic Flaw
This affects the package hellojs before 1.18.6. The code gets the param oauth_redirect from the URL and passes it to location.assign without any check or sanitisation. So we can simply pass some XSS payloads into the URL param oauth_redirect, such as javascript:alert(1)...
CVE-2020-7741
CVE-2020-7741 affects the package hellojs (hello.js) before version 1.18.6. The vulnerability arises because the code reads the URL parameter oauth_redirect and passes it to location.assign without validation or sanitisation, allowing an attacker to inject an XSS payload (e.g., javascript:alert(...
CVE-2020-7741 Cross-site Scripting (XSS)
This affects the package hellojs before 1.18.6. The code gets the param oauth_redirect from the URL and passes it to location.assign without any check or sanitisation. So we can simply pass some XSS payloads into the URL param oauth_redirect, such as javascript:alert(1)...
kinvey-angular-sdk (>=3.4.0 <=3.5.3), kinvey-angular2-sdk (>=3.4.1 <=3.5.2) +6 more potentially affected by CVE-2020-7741 via hellojs (>=1.13.1 <=1.14.1)
hellojs NPM version =1.13.1, =3.4.0, =3.4.1, =3.4.1, =3.4.0, =3.4.1, =3.4.0, =3.4.0, =3.4.1, =3.5.2 Source cves: CVE-2020-7741 Source advisory: SNYK:JS-HELLOJS-1014546...
Open Redirection
hellojs is vulnerable to open redirection. Lack of validation of the page_uri field of the state parameter allows a remote attacker to perform phishing attacks on users by redirecting a user to a malicious web page that looks exactly like the original site, enticing users to log in to the fake...
Cross-Site Scripting (XSS)
hellojs is vulnerable to cross-site scripting (XSS). The vulnerability exists because the value of state.page_uri is not sanitized, allowing arbitrary JavaScript to be executed when it is rendered...