CVE-2023-41049 HIGH

CVE-2023-41049: Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client

Vendor Decentraland
Product single-sign-on-client
Weakness CWE-79 · XSS
Published September 1, 2023
Last update October 1, 2024
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Improper input validation in the `init` function allows arbitrary javascript to be executed using the `javascript:` prefix. This vulnerability has been patched on version `0.1.0`. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the `init` function.

Key dates

02Disclosure timeline

September 1, 2023 CVE published
October 1, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-31868 Apache Zeppelin: XSS vulnerability in the helium module CVE-2024-12508 Glofox Shortcodes <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-20530 Cisco Identity Services Engine Reflected Cross-Site Scripting Vulnerability CVE-2024-4203 Premium Addons for Elementor <= 4.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-9854 A Simple Multilanguage Plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting