GHSA-7jh9-6cpf-h4m7

Source
https://github.com/advisories/GHSA-7jh9-6cpf-h4m7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-7jh9-6cpf-h4m7/GHSA-7jh9-6cpf-h4m7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7jh9-6cpf-h4m7
Aliases
Published
2021-01-13T19:07:01Z
Modified
2025-01-14T08:57:09.156687Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
Summary
XSS in hello.js
Details

This affects the package hello.js before 1.18.6. The code reads the `oauthredirect` parameter from the URL and passes it to `location.assign` without any check or sanitisation, so an XSS payload such as `javascript:alert(1)` can simply be supplied in the `oauthredirect` URL parameter.
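The defect described above is a redirect target taken straight from the query string and handed to `location.assign`, which will happily navigate to a `javascript:` URL. The following is an added illustration of that pattern and of a hardened replacement; it is not hello.js's own code, and the function names, the `https://app.example` origin and the sample query strings are all constructed for this example. The hardened version assumes the application only ever redirects within its own origin, which is the usual case for an OAuth return path.

```javascript
// Added example (not hello.js code): unsafe vs. validated handling of an
// oauthredirect query parameter. Uses the WHATWG URL API, available in
// browsers and in Node, so the validation runs and can be tested offline.

// Vulnerable pattern: the raw parameter is what would be passed to
// location.assign(). A value such as "javascript:alert(1)" goes through untouched.
function unsafeRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get('oauthredirect'); // no scheme or origin check
}

// Hardened check: parse the candidate relative to the current origin, then
// require an http(s) scheme and the same origin as the page.
function isSafeRedirect(candidate, currentOrigin) {
  let target;
  try {
    // Relative paths like "/dashboard" resolve against currentOrigin;
    // absolute URLs (including "javascript:..." or "//evil.example") keep their own scheme/host.
    target = new URL(candidate, currentOrigin);
  } catch {
    return false; // unparsable input is rejected rather than passed on
  }
  // Scheme allowlist: rejects javascript:, data:, vbscript: and anything else non-web.
  // URL normalises the scheme to lower case, so mixed-case tricks are caught too.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return false;
  }
  // Same-origin only: also closes the open-redirect variant of the same bug.
  return target.origin === new URL(currentOrigin).origin;
}

// Safe replacement for the vulnerable pattern: returns the normalised absolute
// URL that may be handed to location.assign(), or the fallback when the
// parameter is missing or fails validation.
function safeRedirectTarget(search, currentOrigin, fallback = '/') {
  const params = new URLSearchParams(search);
  const candidate = params.get('oauthredirect');
  if (candidate !== null && isSafeRedirect(candidate, currentOrigin)) {
    return new URL(candidate, currentOrigin).href;
  }
  return new URL(fallback, currentOrigin).href;
}

// Browser call site (not executed here):
//   location.assign(safeRedirectTarget(location.search, location.origin));
```

Note that the check is done on the parsed URL rather than with a string prefix test: `new URL(...)` strips leading whitespace and lower-cases the scheme, so the comparison sees the value the browser would actually navigate to. Rejected values fall through to a fixed in-app path instead of being echoed or partially "cleaned".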

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2021-01-13T19:06:37Z",
    "nvd_published_at": "2020-10-06T15:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "CRITICAL"
}
References

Affected packages

npm / hellojs

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.18.6