CVE-2020-7741

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-7741
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7741.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-7741
Aliases
Related
  • SNYK-JS-HELLOJS-1014546
Published
2020-10-06T15:15:15.757Z
Modified
2025-11-14T11:09:39.234168Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H CVSS Calculator
Summary
[none]
Details

This affects the package hellojs before 1.18.6. The code reads the oauthredirect parameter from the URL and passes it to location.assign without any check or sanitisation, so we can simply place an XSS payload in the oauthredirect URL parameter, such as javascript:alert(1).
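The weakness described above is a redirect target taken from a query parameter and handed to location.assign unvalidated, so a javascript: URL is executed rather than navigated to. The following is an added example, not code from hello.js or from this advisory: it shows the validation step the vulnerable code lacks. It assumes a hypothetical current origin of https://app.example and the parameter name oauthredirect from the advisory; the check accepts only http(s) URLs on the same origin (or relative paths that resolve there) and rejects everything else.

```javascript
// Added example (not hello.js code): validate an OAuth redirect target before
// it reaches location.assign. The unsafe pattern from the advisory reads
// `oauthredirect` from the URL and assigns it unchecked, so a value such as
// `javascript:alert(1)` runs as script. The check below allows only same-origin
// http(s) destinations and returns null for anything that must be rejected.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the resolved absolute URL string if `candidate` is acceptable, else null.
// `currentOrigin` is the origin of the page doing the redirect (assumed here).
function safeRedirectTarget(candidate, currentOrigin) {
  if (typeof candidate !== 'string' || candidate.trim() === '') return null;
  let parsed;
  try {
    // Relative values ("/callback") resolve against the current origin;
    // absolute values ("https://evil.example/") keep their own scheme and host.
    parsed = new URL(candidate, currentOrigin);
  } catch (e) {
    return null; // unparsable input is rejected rather than passed through
  }
  // Rejects javascript:, data:, vbscript: and any other non-http(s) scheme.
  // The URL parser lower-cases the scheme, so "JavaScript:" is caught too.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Rejects off-site redirects, including protocol-relative "//evil.example/x".
  if (parsed.origin !== new URL(currentOrigin).origin) return null;
  return parsed.href;
}

// Reads the parameter the same way the vulnerable code does, then validates it.
function redirectFromQuery(search, currentOrigin) {
  const params = new URLSearchParams(search);
  return safeRedirectTarget(params.get('oauthredirect'), currentOrigin);
}

// Browser usage (not executed here, so the example stays runnable offline):
// const target = redirectFromQuery(window.location.search, window.location.origin);
// if (target !== null) window.location.assign(target);
// else console.warn('oauthredirect rejected');
```

The same-origin rule is deliberately strict; a deployment that legitimately needs to redirect to other hosts should replace the origin comparison with an explicit allowlist of full origins, never a substring or prefix match on the hostname.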

References

Affected packages

Git / github.com/mrswitch/hello.js

Affected ranges

Type
GIT
Repo
https://github.com/mrswitch/hello.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.2.12

1.*

1.10.1
1.9.4

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.2.0
v0.2.1
v0.2.10
v0.2.11
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9

v1.*

v1.0.0
v1.0.1
v1.1.1
v1.1.3
v1.1.4
v1.1.5
v1.10.0
v1.11.0
v1.11.1
v1.11.2
v1.12.0
v1.13.0
v1.13.1
v1.13.2
v1.13.3
v1.13.4
v1.13.5
v1.13.6
v1.14.0
v1.14.1
v1.15.0
v1.15.1
v1.16.0
v1.16.1
v1.17.0
v1.17.1
v1.18.0
v1.18.1
v1.18.2
v1.18.3
v1.18.4
v1.2.0
v1.2.1
v1.2.2
v1.2.4
v1.2.5
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.4
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.6.0
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v1.9.9