Description
NPR Visuals Team Pym.js versions 0.4.2 up to 1.3.1 contain a Cross-Site Request Forgery (CSRF) vulnerability in the Pym.js _onNavigateToMessage function (https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573) that can result in arbitrary JavaScript code execution. This attack appears to be exploitable when a user visits an attacker-crafted page: the attacker gains full JavaScript access to pages with Pym.js embeds. This vulnerability appears to have been fixed in versions 1.3.2 and later.
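As an added example, which is neither Pym.js code nor the project's actual fix, the following JavaScript shows the defensive shape a parent-page message handler should have so that a navigation request carried in a message cannot send the page to a javascript: URL. It assumes the parent and child frames talk over window.postMessage (the advisory only names the handler); the function names, the message shape, and the origins are constructed for this example.

```javascript
// Added example (not pym.js code): hardened handling of a "navigateTo" message
// received over window.postMessage. The bug class in the advisory is a parent
// page that navigates to a URL taken straight from a message, so whoever can
// deliver such a message chooses the destination, including a javascript: URL.
// The names isSafeNavigationUrl and makeNavigateHandler are this example's own.

const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// Return the absolute URL string if it is a plain http(s) URL, else null.
// Relative URLs are resolved against the current page (`base`).
function isSafeNavigationUrl(candidate, base) {
  if (typeof candidate !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(candidate, base);
  } catch (e) {
    return null; // unparsable input is rejected
  }
  // Rejects javascript:, data:, vbscript:, blob: and every other scheme.
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Build a message handler. `allowedOrigins` is the set of embed origins the
// parent created and agreed to talk to; `navigate` is the side effect (in a
// browser, a function assigning window.location.href), injected here so the
// example runs outside a browser. The handler returns a status string so the
// decision it took can be inspected.
function makeNavigateHandler(allowedOrigins, pageUrl, navigate) {
  return function onMessage(event) {
    // 1. Only accept messages from embeds we created.
    if (!allowedOrigins.has(event.origin)) return 'rejected-origin';
    // 2. Only act on the message shape we expect.
    const data = event.data;
    if (!data || data.type !== 'navigateTo') return 'ignored';
    // 3. Validate the URL before navigating anywhere.
    const target = isSafeNavigationUrl(data.url, pageUrl);
    if (target === null) return 'rejected-url';
    navigate(target);
    return 'navigated';
  };
}

// Constructed demo: simulated message events, no browser needed.
function demo() {
  const log = [];
  const handler = makeNavigateHandler(
    new Set(['https://embeds.example.org']),
    'https://news.example.com/story/1',
    (url) => log.push(url),
  );
  const results = [
    // legitimate relative navigation from a trusted embed
    handler({ origin: 'https://embeds.example.org', data: { type: 'navigateTo', url: '/story/2' } }),
    // trusted origin but a script URL: refused before navigation
    handler({ origin: 'https://embeds.example.org', data: { type: 'navigateTo', url: 'javascript:void(0)' } }),
    // well-formed URL but from an origin we never embedded: refused
    handler({ origin: 'https://other.example.net', data: { type: 'navigateTo', url: 'https://news.example.com/' } }),
    // unrelated message type from a trusted embed: ignored
    handler({ origin: 'https://embeds.example.org', data: { type: 'height', value: 300 } }),
  ];
  return { results, log };
}
```

In a browser the `navigate` callback would be `(url) => { window.location.href = url; }`, and the allow-list would be populated from the iframe `src` values the parent itself wrote, so the check does not depend on anything the child can influence.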
Remediation
References
https://github.com/nprapps/pym.js/issues/170
https://github.com/nprapps/pym.js
http://blog.apps.npr.org/2018/02/15/pym-security-vulnerability.html
Related Vulnerabilities
CVE-2020-11971 Vulnerability in maven package org.apache.camel:camel-management
CVE-2019-10749 Vulnerability in npm package sequelize
CVE-2022-39266 Vulnerability in npm package isolated-vm
CVE-2023-5571 Vulnerability in npm package @vrite/sdk
CVE-2016-10635 Vulnerability in npm package broccoli-closure