CVE-2023-41049

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-41049

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41049.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-41049

Aliases

GHSA-vp4f-wxgw-7x8x

Published

2023-09-01T19:35:09Z

Modified

2025-10-30T20:22:27.611620Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client

Details

@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Improper input validation in the init function allows arbitrary javascript to be executed using the javascript: prefix. This vulnerability has been patched on version 0.1.0. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the init function.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/decentraland/single-sign-on-client

Affected ranges

Type: GIT
Repo: https://github.com/decentraland/single-sign-on-client
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

bd20ea9533d0cda30809d929db85b1b76cef855a

Affected versions

0.*

0.0.1

0.0.10

0.0.11

0.0.12

0.0.13

0.0.14

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.0.9