CVE-2018-1000086

Published: Mar 13, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution. This attack appear to be exploitable via Attacker gains full javascript access to pages with Pym.js embeds when user visits an attacker crafted page.. This vulnerability appears to have been fixed in versions 1.3.2 and later.

Affected (1)

Products: Npr: Pym.js

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Npr Pym.js	From 0.4.2 to 1.3.1

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (6)

http://blog.apps.npr.org/2018/02/15/pym-security-vulnerability.html

Source: cve@mitre.org

Vendor Advisory

https://github.com/nprapps/pym.js

Source: cve@mitre.org

Product

https://github.com/nprapps/pym.js/issues/170

Source: cve@mitre.org

Third Party Advisory

http://blog.apps.npr.org/2018/02/15/pym-security-vulnerability.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://github.com/nprapps/pym.js

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://github.com/nprapps/pym.js/issues/170

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.