CVE-2023-41049

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-41049

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41049.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-41049

Aliases

GHSA-vp4f-wxgw-7x8x

Related

GHSA-vp4f-wxgw-7x8x

Published

2023-09-01T20:15:07Z

Modified

2025-01-08T15:11:11.300664Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Improper input validation in the init function allows arbitrary javascript to be executed using the javascript: prefix. This vulnerability has been patched on version 0.1.0. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the init function.

References

Affected packages

Git / github.com/decentraland/single-sign-on-client

Affected ranges

Type: GIT
Repo: https://github.com/decentraland/single-sign-on-client
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

bd20ea9533d0cda30809d929db85b1b76cef855a

Fixed

bd20ea9533d0cda30809d929db85b1b76cef855a

Affected versions

0.*

0.0.1

0.0.10

0.0.11

0.0.12

0.0.13

0.0.14

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.0.9