CVE-2018-1000086

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-1000086

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000086.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-1000086

Aliases

GHSA-82gw-pqf7-q3j2

Published

2018-03-13T15:29:01Z

Modified

2025-07-29T07:51:33.341254Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution. This attack appear to be exploitable via Attacker gains full javascript access to pages with Pym.js embeds when user visits an attacker crafted page.. This vulnerability appears to have been fixed in versions 1.3.2 and later.

References

Affected packages

Git / github.com/nprapps/pym.js

Affected ranges

Type: GIT
Repo: https://github.com/nprapps/pym.js
Events: Introduced

21d93328a638b4c618858cd06b62badfd5f41eea

Last affected

4b9016c30a930608e68dcd831176e1d089fab55b

Affected versions

0.*

0.4.2

0.4.3

0.4.4

0.4.5

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.1.1

v1.1.2

v1.2.0

v1.2.1

v1.2.2

v1.3.0

v1.3.1