npm package
hellojs
pkg:npm/hellojs
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-26505 | — | < 1.18.8 | 1.18.8 | Aug 11, 2023 | Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, allows remote attackers to execute arbitrary code via hello.utils.extend function. | ||
| CVE-2020-7741 | — | < 1.18.6 | 1.18.6 | Oct 6, 2020 | This affects the package hellojs before 1.18.6. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1). |
- CVE-2021-26505Aug 11, 2023affected < 1.18.8fixed 1.18.8
Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, allows remote attackers to execute arbitrary code via hello.utils.extend function.
- CVE-2020-7741Oct 6, 2020affected < 1.18.6fixed 1.18.6
This affects the package hellojs before 1.18.6. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1).