CVE-2022-0437 Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.


This is a serious issue that allows an attacker to execute arbitrary script in the affected user's browser. Before upgrading to npm@6.3.14, make sure cross-site scripting is blocked in your project. You can do this either with the X-XSS-Protection header or with the Content-Security-Policy header, which declares what kind of content the page is allowed to load. For example, send these HTTP response headers to prevent script injection (the nonce must be a fresh random base64 value generated for each response and copied onto every legitimate script tag; the placeholder below stands in for that value):

    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: script-src 'self' 'nonce-<random-base64-value>'; report-uri https://npm.hackerone.com/Report

CVE-2022-0438

This is a serious issue that allows an attacker to execute arbitrary script in the affected user's browser. Before upgrading to npm@5.6.0, make sure cross-site scripting is blocked in your project. You can do this either with the X-XSS-Protection header or with the Content-Security-Policy header, which declares what kind of content the page is allowed to load. For example, send these HTTP response headers to prevent script injection (the nonce must be a fresh random base64 value generated for each response and copied onto every legitimate script tag; the placeholder below stands in for that value):

    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: script-src 'self' 'nonce-<random-base64-value>'; report-uri https://npm.hackerone.com/Report

