Description

NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution. This attack appear to be exploitable via Attacker gains full javascript access to pages with Pym.js embeds when user visits an attacker crafted page.. This vulnerability appears to have been fixed in versions 1.3.2 and later.

Remediation

References

http://blog.apps.npr.org/2018/02/15/pym-security-vulnerability.html

https://github.com/nprapps/pym.js

https://github.com/nprapps/pym.js/issues/170

Related Vulnerabilities

CVE-2023-37955 Vulnerability in maven package org.jenkins-ci.plugins:test-results-aggregator

CVE-2021-30179 Vulnerability in maven package org.apache.dubbo:dubbo

CVE-2022-45207 Vulnerability in maven package org.jeecgframework.boot:jeecg-module-system

CVE-2021-21122 Vulnerability in npm package electron

CVE-2022-38179 Vulnerability in maven package io.ktor:ktor-utils

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Product Third Party Advisory