Cross-Site Scripting vulnerability in @backstage/plugin-auth-backend
Description
Published by the National Vulnerability Database
Nov 26, 2021
Reviewed
Nov 29, 2021
Published to the GitHub Advisory Database
Dec 1, 2021
Last updated
Feb 1, 2023
Impact
This vulnerability allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities.
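The advisory's point is that exposure depends on two things: whether the package is at the patched version and whether the deployment still serves a CSP that blocks injected scripts. The following is an added example (not Backstage's own code or part of this advisory) that checks both; the sample version strings and header values are constructed.

```javascript
// Added example (not Backstage's own code): audit a deployment against this advisory.
// Check (1): is @backstage/plugin-auth-backend at or above the patched 0.4.9?
// Check (2): does the served Content-Security-Policy still restrict script execution?
// The advisory notes the default CSP blocks the attack only where it has not been disabled.

const PATCHED_VERSION = '0.4.9'; // version named in the advisory

// Compare dotted numeric versions; true when `installed` >= `required`.
function isAtLeast(installed, required) {
  const a = installed.replace(/^[\^~]/, '').split('.').map(Number);
  const b = required.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Parse a CSP header value into { directive: [sources...] }, lower-cased.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return policy;
}

// Would this policy stop an injected inline <script>? script-src governs scripts and
// falls back to default-src. Inline execution is allowed only when 'unsafe-inline' is
// present and no nonce/hash source is (a nonce or hash makes browsers ignore 'unsafe-inline').
function cspBlocksInlineScript(header) {
  if (!header) return false; // no policy at all
  const policy = parseCsp(header);
  const sources = policy['script-src'] ?? policy['default-src'];
  if (!sources) return false; // no applicable directive: everything is allowed
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return !sources.includes("'unsafe-inline'") || hasNonceOrHash;
}

// One verdict per deployment: exposed only if unpatched AND the CSP no longer helps.
function auditDeployment({ authBackendVersion, cspHeader }) {
  const patched = isAtLeast(authBackendVersion, PATCHED_VERSION);
  const cspEffective = cspBlocksInlineScript(cspHeader);
  return { patched, cspEffective, exposed: !patched && !cspEffective };
}

// Constructed sample input, not from the advisory:
console.log(auditDeployment({ authBackendVersion: '0.4.8', cspHeader: "default-src 'self'" }));
```

The CSP check only covers the inline-script case the advisory describes; a policy that allows scripts from an attacker-controlled origin would need a separate source review.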
Patches
This vulnerability is patched in version 0.4.9 of @backstage/plugin-auth-backend.
For more information
If you have any questions or comments about this advisory:
References