CVE-2022-0437 Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
This is a DOM-based cross-site scripting issue: an attacker-controlled value reaches an HTML sink in the browser-side pages that karma serves to run tests, so script of the attacker's choosing executes in the browser of whoever opens the karma runner. The fix is to upgrade the karma package to 6.3.14 or later (for example, npm install karma@6.3.14); do that first rather than relying on headers. Where an upgrade must wait, a Content-Security-Policy on the responses that serve the runner limits which scripts may execute even if injection succeeds. Two corrections to the commonly repeated advice: X-XSS-Protection is deprecated and ignored by current Chromium-based browsers and Firefox, so it is not a mitigation; and X-Content-Security-Policy is an obsolete prefixed name that current browsers do not honour. The nonce source must also carry a real per-response random value in the form 'nonce-<base64>'; the bare token 'nonce' is not valid CSP syntax. A correctly formed header looks like: Content-Security-Policy: script-src 'self' 'nonce-<random base64 value>'; object-src 'none'; report-uri <your own reporting endpoint> (report-to is the newer equivalent). Note that a strict script-src also applies to karma's own scripts, so verify the runner still loads under the policy; the policy is defence in depth, not a substitute for the upgrade.
CVE-2022-0438
Timeline
Published on: 02/05/2022 02:15:00 UTC
Last modified on: 02/10/2022 13:59:00 UTC