CVE-2020-7741

Cross-site Scripting in npm/hellojs

Identifiers

CVE-2020-7741

Package Slug

npm/hellojs

Vulnerability

Cross-site Scripting

Description

This affects the package hellojs. The code gets the oauth_redirect parameter from the URL and passes it to location.assign without any check or sanitisation, so an XSS payload such as javascript:alert(1) can simply be passed in the oauth_redirect URL parameter.
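
The unchecked pattern described above next to a checked form, as an added example; it is not hellojs code and not the project's actual fix. The function names, the app.example origin and the origin allowlist are assumptions made for illustration.

```javascript
// Added example. All names here are hypothetical, not taken from hellojs.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Pattern from the description: the parameter reaches the navigation sink unchecked.
function redirectUnchecked(search, location) {
  const target = new URLSearchParams(search).get('oauth_redirect');
  if (target) location.assign(target);
}

// Checked form: parse first, then accept only http(s) URLs on expected origins.
// Comparing the parsed protocol (not a string prefix) also covers mixed case,
// leading whitespace and embedded tabs/newlines, which the URL parser normalises.
function checkedRedirectTarget(search, baseUrl, allowedOrigins) {
  const raw = new URLSearchParams(search).get('oauth_redirect');
  if (!raw) return null;
  let url;
  try {
    url = new URL(raw, baseUrl); // relative paths resolve against the page URL
  } catch (_) {
    return null; // unparseable input is rejected, never navigated to
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // javascript:, data:, ...
  if (!allowedOrigins.includes(url.origin)) return null; // unexpected host
  return url.href;
}

function redirectChecked(search, location, baseUrl, allowedOrigins) {
  const target = checkedRedirectTarget(search, baseUrl, allowedOrigins);
  if (target !== null) location.assign(target);
  return target;
}

// Constructed stand-in for window.location so the example runs under Node.
function fakeLocation() {
  const calls = [];
  return { calls, assign: (u) => calls.push(u) };
}
```

In a browser, pass window.location.search, window.location and window.location.href in place of the constructed values.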

Affected Versions

All versions before 1.18.6

Solution

Upgrade to version 1.18.6 or above.

Last Modified

2020-10-22
