CVE-2016-1000228: DOM-based XSS

July 21, 2016

Three functions exposed by the Gmail.js API (not the Google Gmail API) are vulnerable to DOM-based cross site scripting (DOMXSS). The three functions are tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post. Each one of these functions calls new Function() with user data passed as the argument./n/nThis vulnerability is being disclosed before a public patched version is available because the issue was reported in a public Github issue.

References

github.com/KartikTalwar/gmail.js/issues/281
www.owasp.org/index.php/DOM_Based_XSS

Code Behaviors & Features

Detect and mitigate CVE-2016-1000228 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →