CVE-2020-7741: Cross-site Scripting

October 6, 2020 (updated October 19, 2020)

This affects the package hellojs. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1).

References

nvd.nist.gov/vuln/detail/CVE-2020-7741

Detect and mitigate CVE-2020-7741 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →