gmail-js@0.5.2 vulnerabilities

JavaScript API for Gmail (useful for chrome extensions)

  • latest version: 1.1.15
  • latest non vulnerable version
  • first published: 8 years ago
  • latest version published: 3 months ago
  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the gmail-js package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability: Cross-site Scripting (XSS)
    Severity: High

    gmail-js is a client-side library for interacting with the Gmail API.

    While processing responses, the library builds a function from the raw response text with a new Function(data) call and executes it, i.e. it evaluates the response as JavaScript instead of parsing it as data. That response text is not encoded before evaluation and can contain user-controlled content (e.g. the contents of an email the victim received), so an attacker who can get content into such a response can run script in the context of the Gmail page where the library runs. This is a DOM-based cross-site scripting (DOM XSS) vulnerability.

    At least three functions perform this vulnerable flow: tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post.
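The following is an added illustration, not gmail-js source code: a minimal stand-in for the pattern the advisory describes (response text handed to new Function and executed) placed next to a parser that treats the response as data only. The response format, the function names, and the __xssSink helper are all hypothetical; the real Gmail wire format is not reproduced.

```javascript
// Added example (not gmail-js code). Models the unsafe "evaluate the response"
// pattern described in the advisory and the data-only alternative.

// Constructed response bodies: a JSON array of [kind, subject, sender] rows.
const BENIGN_RESPONSE = '[["email","Meeting notes","alice@example.com"]]';

// Sink that records whether injected code ran. It lives on globalThis because
// code produced by new Function executes in global scope, not module scope.
const executed = [];
globalThis.__xssSink = (tag) => { executed.push(tag); return ""; };

// Attacker-controlled subject line. The appended expression is valid JavaScript
// but invalid JSON: an evaluating parser runs it, JSON.parse rejects it. Because
// the sink returns "", the parsed subject looks untouched afterwards.
const MALICIOUS_RESPONSE =
  '[["email","Meeting notes" + __xssSink("pwned"),"mallory@example.com"]]';

// Vulnerable pattern: the response body is compiled and run as code.
function parseResponseUnsafe(data) {
  return new Function("return " + data)();
}

// Hardened pattern: the response body is only ever treated as data.
function parseResponseSafe(data) {
  return JSON.parse(data);
}

// Runs both parsers over both inputs and returns what happened, so the
// difference can be checked programmatically rather than by reading output.
function compareParsers() {
  executed.length = 0;
  const result = {
    unsafeBenign: parseResponseUnsafe(BENIGN_RESPONSE),
    unsafeMalicious: parseResponseUnsafe(MALICIOUS_RESPONSE),
    injectedCodeRan: false,
    safeBenign: parseResponseSafe(BENIGN_RESPONSE),
    safeRejectedMalicious: false,
  };
  result.injectedCodeRan = executed.includes("pwned");
  try {
    parseResponseSafe(MALICIOUS_RESPONSE);
  } catch (err) {
    result.safeRejectedMalicious = err instanceof SyntaxError;
  }
  return result;
}

console.log(JSON.stringify(compareParsers(), null, 2));
```

The point to take from the unsafeMalicious row is that the payload executes and then vanishes from the parsed data, so inspecting the resulting objects will not reveal that anything ran. The same pattern applies to each of the three functions named above; to see which version of the library is installed in a project, run npm ls gmail-js.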

    How to fix Cross-site Scripting (XSS)?

    Upgrade gmail-js to version 0.6.5 or higher.

    Vulnerable versions: <0.6.5