CVE-2016-1000228: DOM-based XSS
Three functions exposed by the Gmail.js API (not the Google Gmail API) are vulnerable to DOM-based cross-site scripting (DOM XSS): tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post. Each of these functions calls new Function() with user data passed as the argument, so that data is compiled and executed as JavaScript in the context of the page instead of being treated as data.

This vulnerability is being disclosed before a public patched version is available because the issue was reported in a public GitHub issue.
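The following is an added illustration of the bug class described above, not code from Gmail.js or from the advisory. parseResponseUnsafe mirrors the vulnerable pattern (a response body passed straight into new Function()); parseResponseSafe is the hardened form that treats the body as JSON data. The function names and the two sample bodies are constructed for the demo; they are not real Gmail traffic.

```javascript
// Added example for CVE-2016-1000228's bug class; this is not Gmail.js code.
// parseResponseUnsafe mirrors the vulnerable pattern: the response body is
// handed to new Function(), which compiles and runs it as JavaScript.
function parseResponseUnsafe(body) {
  // Whatever is in `body` executes with the privileges of the page
  // (for a Gmail.js extension, the user's Gmail tab).
  return new Function("return " + body)();
}

// Hardened form: JSON.parse is a data parser, not a code evaluator.
// Input that is not JSON throws a SyntaxError instead of executing.
function parseResponseSafe(body) {
  return JSON.parse(body);
}

// Constructed sample inputs (assumed for the demo, not captured traffic).
const benignBody = '{"subject":"hello","from":"alice@example.com"}';
// Valid JavaScript but not valid JSON: evaluating it sets a global flag and
// then returns 42, standing in for an attacker's script in an email body.
const hostileBody = "(globalThis.injected = true, 42)";

// Runs both parsers over both inputs and reports what happened.
function demo() {
  const results = {};
  // Benign JSON parses fine through new Function(), which hides the danger.
  results.unsafeBenign = parseResponseUnsafe(benignBody);
  // The hostile body also "parses": it returns 42 and runs the side effect.
  results.unsafeHostile = parseResponseUnsafe(hostileBody);
  results.injected = globalThis.injected === true;
  // The hardened parser accepts the data and rejects the code.
  results.safeBenign = parseResponseSafe(benignBody);
  try {
    parseResponseSafe(hostileBody);
    results.safeHostileThrew = false;
  } catch (e) {
    results.safeHostileThrew = e instanceof SyntaxError;
  }
  return results;
}

demo();
```

The point of the side-by-side is that the unsafe parser behaves identically to the safe one on well-formed responses, so the defect does not show up in normal use; it only surfaces when attacker-controlled text reaches the parser, which for a Gmail client means email content.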