Cross-Site Scripting (XSS) medium risk #1856
Comments
This user is spamming GPT CVEs.
It is not only ChatGPT. We see all those issues in Nexus scan. For you it might not be a problem. It is easy for you to blame people for reporting. I am not working on all open source plugins. We are using a sub-dependency. If you have any big problems, or it does not make sense, please ignore it. I did not send this message for you.
You literally did, when you opened #516 in my repository and others. I mean this in the kindest way possible: this behavior isn't acceptable on GitHub.
OK. It is open source. Anyone can put their opinion. If you don't agree, that's fine. You should be nice to other people.
Closing because, as listed, these "issues" are known and have been declined previously. The decision was made that it's not Koa's responsibility to guard against any input and/or output; it is the developer's. As per the previous two closed tickets, I'll close this one as well, as no new data was provided (as far as I can understand).
Describe the bug
The koa package is vulnerable to Cross-Site Scripting (XSS). The redirect function in response.js outputs an HTML hyperlink of the supplied URL in the body of the redirect response without sanitizing the URL. An attacker can exploit this by inputting a JavaScript URL that would then be executed.
The application is vulnerable by using this component and passing unvalidated input to the redirect() method. Additionally, the vulnerability can only be exploited if a user is running an older browser.
Root Cause
koa-2.15.3.tgz: package/lib/response.js, affected version range [0.0.2, )
#1250
#1289
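The maintainers' position is that validating the redirect target is the application's job. The following is an added example of such a check, not Koa's code and not the reporter's: it only lets `ctx.redirect()` receive same-origin paths or `http(s)` URLs on an allowlist, so `javascript:` and `data:` targets never reach the unescaped hyperlink in the redirect body. The allowlist `ALLOWED_HOSTS`, the base origin `https://example.com` and the `redirectSafely` helper are constructed assumptions.

```javascript
// Added example (not Koa's own code): validate a redirect target before
// passing it to ctx.redirect(), which writes the URL into the 302 body.
// Assumption: the app only trusts its own origin and the hosts listed here.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']); // constructed allowlist

// Returns a normalized absolute http(s) URL string, or null if the input must be rejected.
function safeRedirectTarget(input, base = 'https://example.com') {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) return null;
  // Control characters have no business in a redirect target; reject them outright.
  if (/[\u0000-\u001f\u007f]/.test(input)) return null;
  let url;
  try {
    url = new URL(input, base); // relative paths resolve against the site's own origin
  } catch {
    return null; // unparseable input
  }
  // Only http(s) may be redirected to: javascript:, data:, vbscript: and friends are dropped.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Checking the parsed hostname (not a string prefix) also catches "//evil" and "\\evil",
  // which the WHATWG parser resolves to a foreign host.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  if (url.username || url.password) return null; // no embedded credentials
  return url.href;
}

// Defensive wrapper around a Koa-style ctx (hypothetical helper): falls back to "/"
// when the requested target is rejected, and returns the URL actually used.
function redirectSafely(ctx, input) {
  const target = safeRedirectTarget(input) ?? '/';
  ctx.redirect(target);
  return target;
}
```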