CVE-2020-8176

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@shopify/koa-shopify-auth

Identifiers

GHSA-jqh7-w5pr-cr56, CVE-2020-8176

Package Slug

npm/@shopify/koa-shopify-auth

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the shop parameter on the /shopify/auth/enable_cookies endpoint.

Affected Versions

All versions starting from 3.1.61 up to 3.1.62

Solution

Upgrade to version 3.1.63 or above.

Last Modified

2022-09-12

source