High severityNVD Advisory· Published Sep 1, 2023· Updated Oct 1, 2024
Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client
CVE-2023-41049
Description
@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Improper input validation in the init function allows arbitrary javascript to be executed using the javascript: prefix. This vulnerability has been patched on version 0.1.0. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the init function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@dcl/single-sign-on-clientnpm | < 0.1.0 | 0.1.0 |
Affected products
2- decentraland/single-sign-on-clientv5Range: < 0.1.0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-vp4f-wxgw-7x8xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-41049ghsaADVISORY
- github.com/decentraland/single-sign-on-client/commit/bd20ea9533d0cda30809d929db85b1b76cef855aghsax_refsource_MISCWEB
- github.com/decentraland/single-sign-on-client/pull/2ghsaWEB
- github.com/decentraland/single-sign-on-client/security/advisories/GHSA-vp4f-wxgw-7x8xghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.