{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T16:30:09.480","vulnerabilities":[{"cve":{"id":"CVE-2023-41049","sourceIdentifier":"security-advisories@github.com","published":"2023-09-01T20:15:07.873","lastModified":"2024-11-21T08:20:27.487","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Improper input validation in the `init` function allows arbitrary javascript to be executed using the `javascript:` prefix. This vulnerability has been patched in version `0.1.0`. Users are advised to upgrade. Users unable to upgrade should limit untrusted user input to the `init` function."},{"lang":"es","value":"@dcl/single-sign-on-client es una biblioteca npm de código abierto que gestiona los flujos de autenticación de inicio de sesión único. Una validación de entrada incorrecta en la función 'init' permite la ejecución de javascript arbitrario utilizando el prefijo 'javascript:'. Esta vulnerabilidad ha sido parcheada en la versión '0.1.0'. Se aconseja a los usuarios que actualicen. Los usuarios que no puedan actualizar deberían limitar la entrada de usuario no confiable a la función 'init'."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:decentraland:single_sign_on_client:*:*:*:*:*:node.js:*:*","versionEndExcluding":"0.1.0","matchCriteriaId":"73FD9007-FDA7-4B16-AF46-F8D119264125"}]}]}],"references":[{"url":"https://github.com/decentraland/single-sign-on-client/commit/bd20ea9533d0cda30809d929db85b1b76cef855a","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/decentraland/single-sign-on-client/security/advisories/GHSA-vp4f-wxgw-7x8x","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/decentraland/single-sign-on-client/commit/bd20ea9533d0cda30809d929db85b1b76cef855a","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/decentraland/single-sign-on-client/security/advisories/GHSA-vp4f-wxgw-7x8x","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}