CVE-2023-41049

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@dcl/single-sign-on-client

Identifiers

CVE-2023-41049, GHSA-vp4f-wxgw-7x8x

Package Slug

npm/@dcl/single-sign-on-client

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Improper input validation in the init function allows arbitrary javascript to be executed using the javascript: prefix. This vulnerability has been patched on version 0.1.0. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the init function.

Affected Versions

All versions before 0.1.0

Solution

Upgrade to version 0.1.0 or above.

Last Modified

2023-09-05

source