CVE-2016-1000228 — DOM-based XSS in gmail-js

Description

Affected versions of `gmail-js` are vulnerable to cross-site scripting in the `tools.parse_response`, `helper.get.visible_emails_post`, and `helper.get.email_data_post` functions, which pass user input directly into the Function constructor. ## Recommendation Update to version 0.6.5 or later.

How to fix CVE-2016-1000228

To remediate CVE-2016-1000228, upgrade the affected package to a fixed version below.

npm/gmail-js—upgrade to 0.6.5 or later

Is CVE-2016-1000228 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2016-1000228.

Affected packages (1)

from 0, < 0.6.5

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-1000228
PATCHgithub.com/KartikTalwar/gmail.js
WEBgithub.com/KartikTalwar/gmail.js/commit/a83436f499f9c01b04280af945a5a81137b6baf1
WEBgithub.com/KartikTalwar/gmail.js/issues/281
WEB