CVE-2020-8176: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 17, 2021

A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the shop parameter on the /shopify/auth/enable_cookies endpoint.

References

github.com/Shopify/quilt/pull/1455
github.com/advisories/GHSA-jqh7-w5pr-cr56
hackerone.com/reports/881409
nvd.nist.gov/vuln/detail/CVE-2020-8176

Detect and mitigate CVE-2020-8176 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →