CVE-2022-39390 octocat.js

Package

Manager: npm
Name: octocat.js
Vulnerable Version: <0

Severity

Level: High

CVSS v3.1: N/A

CVSS v4.0: N/A

EPSS: N/A (percentile: N/A)

Details

Withdrawn: Octocat.js vulnerable to code injection

## Withdrawn

This advisory has been withdrawn because it is a test.

## Original Description

### Impact

Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code.

### Patches

This vulnerability was fixed in version 1.2 of octocat.js.

### Workarounds

Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid this, write the image to disk and then reference that file from an image element in HTML; this mitigates the risk.

### References

To render the file correctly, see the documentation in `readme.md`.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the octo.js repository](http://github.com/octocademy/octocat.js/issues)

Metadata

Created: 2022-11-08T20:48:49Z
Modified: 2022-11-09T22:35:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-r4jg-5v89-9v62/GHSA-r4jg-5v89-9v62.json
CWE IDs: ["CWE-74", "CWE-94"]
Alternative ID: GHSA-r4jg-5v89-9v62
Finding: N/A
Auto approve: 0