gmail-js@0.5.2 vulnerabilities

JavaScript API for Gmail (useful for chrome extensions)

Direct Vulnerabilities

Known vulnerabilities in the gmail-js package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Cross-site Scripting (XSS)
Severity: H (High)

gmail-js is a client-side library for interacting with the Gmail API.

As part of its execution, the library dynamically creates functions out of response data by passing it to a new Function(data) call, and then executes the resulting function. The response data is neither encoded nor sanitized before it is evaluated and may include user-controlled content (for example, the contents of the emails themselves), which exposes a DOM-based Cross-Site Scripting (DOM XSS) vulnerability.

At least three functions perform this vulnerable flow: tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post.
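The pattern described above next to a hardened alternative, as an added example that is not gmail-js code; the parser names, the assumed JSON response shape and the sample responses are constructed for illustration:

```javascript
// Added example (not gmail-js code). Function names are hypothetical.

// Vulnerable pattern: response text becomes a function body and is executed,
// so any script-like content carried in the data runs in the page context.
function parseResponseUnsafe(data) {
  return new Function("return " + data)();
}

// Hardened pattern: treat the response as data only, then validate its shape.
// Assumption: the endpoint returns JSON like {"emails":[{"id":"..","subject":".."}]}.
function parseResponseSafe(data) {
  const parsed = JSON.parse(data); // throws SyntaxError on anything that is not JSON
  if (typeof parsed !== "object" || parsed === null || !Array.isArray(parsed.emails)) {
    throw new TypeError("unexpected response shape");
  }
  return parsed.emails.map((e) => {
    if (typeof e !== "object" || e === null ||
        typeof e.id !== "string" || typeof e.subject !== "string") {
      throw new TypeError("unexpected email record");
    }
    return { id: e.id, subject: e.subject }; // copy only the fields we expect
  });
}

// Constructed inputs: a benign response, and one whose body carries code.
// The code-bearing sample only bumps a counter so the effect is observable offline.
const benignResponse = '{"emails":[{"id":"17a","subject":"hello"}]}';
const codeBearingResponse = '(globalThis.__probe.ran++, {"emails":[]})';

// Shows that the unsafe parser executes whatever the response contains.
function unsafeParserExecutesData() {
  globalThis.__probe = { ran: 0 };
  parseResponseUnsafe(codeBearingResponse);
  return globalThis.__probe.ran === 1;
}

// Shows that the safe parser refuses the same input without running anything.
function safeParserRejectsCode() {
  globalThis.__probe = { ran: 0 };
  try {
    parseResponseSafe(codeBearingResponse);
    return false;
  } catch (e) {
    return e instanceof SyntaxError && globalThis.__probe.ran === 0;
  }
}
```

The same principle applies to any wire format that is not strict JSON: write a parser for it rather than handing the bytes to new Function or eval.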

How to fix Cross-site Scripting (XSS)?

Upgrade gmail-js to version 0.6.5 or higher.

Vulnerable versions: <0.6.5