CVE-2023-41049: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
(updated )
@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Improper input validation in the init function allows arbitrary javascript to be executed using the javascript: prefix. This vulnerability has been patched on version 0.1.0. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the init function.
References
- github.com/advisories/GHSA-vp4f-wxgw-7x8x
- github.com/decentraland/single-sign-on-client/commit/bd20ea9533d0cda30809d929db85b1b76cef855a
- github.com/decentraland/single-sign-on-client/pull/2
- github.com/decentraland/single-sign-on-client/security/advisories/GHSA-vp4f-wxgw-7x8x
- nvd.nist.gov/vuln/detail/CVE-2023-41049
Code Behaviors & Features
Detect and mitigate CVE-2023-41049 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →