CVE-2020-7741
npm/hellojs
Cross-site Scripting
This affects the package hellojs. The code get the param oauth_redirect
from url and pass it to location.assign
without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect
, such as javascript:alert(1)
.
All versions before 1.18.6
Upgrade to version 1.18.6 or above.
2020-10-22
source |