CVE-2020-8176
Cross-site scripting in @shopify/koa-shopify-auth
6.1
MEDIUM
CVSS 3.1
EPSS 0.19%
Description
A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the `shop` parameter on the `/shopify/auth/enable_cookies` endpoint.
How to fix CVE-2020-8176
To remediate CVE-2020-8176, upgrade the affected package to a fixed version below.
- npm/@shopify/koa-shopify-auth—upgrade to 3.1.63 or later
Is CVE-2020-8176 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 3.1.61, < 3.1.63
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |