Releases: 115
Frequency: 1 month 1 week
Last Release
Stars: 4.63K
A JavaScript RESTful API library for connecting with OAuth2 services, such as Google+ API, Facebook Graph and Windows Live Connect

CVE History

CVE | Published | CVSS v3 | CVSS v2

CVSS v3: 9.8 CRITICAL

A prototype pollution vulnerability in MrSwitch hello.js version 1.18.6 allows remote attackers to execute arbitrary code via the hello.utils.extend function.

CVSS v3: 9.9 CRITICAL; CVSS v2: 7.5 HIGH

This affects the package hellojs before 1.18.6. The code gets the param oauth_redirect from the URL and passes it to location.assign without any check or sanitisation. So we can simply pass some XSS payloads into the URL param oauth_redirect, such as javascript:alert(1).