Cross-site scripting in @shopify/koa-shopify-auth
Moderate severity
GitHub Reviewed
Published
May 17, 2021
to the GitHub Advisory Database
•
Updated Jan 29, 2023
Package
Affected versions
>= 3.1.61, <= 3.1.62
Patched versions
3.1.63
Description
Published by the National Vulnerability Database
Jul 2, 2020
Reviewed
May 11, 2021
Published to the GitHub Advisory Database
May 17, 2021
Last updated
Jan 29, 2023
A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the
shop
parameter on the/shopify/auth/enable_cookies
endpoint.References