CVE-2020-7741
📋 TL;DR
CVE-2020-7741 is a Cross-Site Scripting (XSS) vulnerability in the hellojs library (Hello.js) in versions before 1.18.6. The library reads the oauth_redirect parameter from the URL of the page on which it handles the OAuth response and passes it to location.assign without validating it, so an attacker who can get a victim to open a crafted URL can supply a javascript: URL (script execution in the application's own origin) or an arbitrary external URL (open redirect). Any application that uses a vulnerable hellojs version for OAuth login is affected.
💻 Affected Systems
- hellojs
📦 What is this software?
Hello.js by Hello.js Project
⚠️ Risk & Real-World Impact
Worst Case
Full account takeover, session hijacking, credential theft, and complete compromise of user accounts through malicious JavaScript execution in victim's browser context.
Likely Case
Attackers steal authentication tokens, session cookies, or redirect users to phishing sites, leading to account compromise.
If Mitigated
Reduced impact when a strict Content Security Policy is deployed: a script-src policy without 'unsafe-inline' makes browsers refuse to navigate to javascript: URLs. The open-redirect path (sending the victim to an attacker-chosen http(s) URL) is not covered by CSP, and the vulnerable code is still present until the library is updated.
🎯 Exploit Status
Simple payload injection via a URL parameter; no authentication is required. The attacker only has to get a victim to open a crafted link to the page that handles the OAuth response, with oauth_redirect set to, for example, javascript:alert(1). An ordinary https:// URL pointing at an attacker-controlled host in the same parameter yields an open redirect rather than script execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.18.6
Vendor Advisory: https://github.com/MrSwitch/hello.js/commit/d6f5137f30de6e0ef7048191ee6ae575fdc2f669
Restart Required: No (client-side library; the front-end bundle or static copy of hello.js that browsers load must be rebuilt and redeployed)
Instructions:
1. Update the hellojs package to version 1.18.6 or later.
2. Run npm update hellojs (or yarn upgrade hellojs), then rebuild and redeploy the bundle. If hello.js was vendored as a static dist file (hello.all.js) instead of installed via npm, replace that copy with the 1.18.6 or later build.
3. Test the OAuth login flow after the update.
🔧 Temporary Workarounds
Input Validation Filter
Validate oauth_redirect before it can reach location.assign: allow only http(s) targets on your own origin (or an explicit allow-list) and reject javascript:, data: and any other non-http scheme. A server-side filter only sees values carried in the query string; anything carried in the URL fragment never reaches the server, so a check in the browser, before the library processes the parameter, is the only complete workaround.
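The pattern described under Exploit Status and the validation workaround above, as an added example that is not hello.js's own code: a minimal redirect handler that mirrors the vulnerable behaviour (whatever arrives in oauth_redirect goes to location.assign) beside a hardened version that resolves the value, requires an http(s) scheme and checks the origin against an allow-list. Function names (parseParams, vulnerableRedirect, safeRedirect, fakeLocation) and the app.example / evil.example hosts are assumptions; a fake Location object is passed in so the code runs outside a browser.

```javascript
// Added example (not hello.js's own code). Names and hosts are hypothetical.

// Parse "key=value&key2=value2" from a query string or fragment into an object.
function parseParams(str) {
  const out = {};
  for (const pair of str.replace(/^[?#]/, "").split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? "" : pair.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " "));
  }
  return out;
}

// Vulnerable pattern: the oauth_redirect value is handed straight to
// location.assign(). "javascript:alert(1)" runs script in the page's origin;
// "https://evil.example/" is an open redirect.
function vulnerableRedirect(loc) {
  const p = { ...parseParams(loc.search), ...parseParams(loc.hash) };
  if (p.oauth_redirect) {
    loc.assign(p.oauth_redirect);
    return true;
  }
  return false;
}

// Hardened pattern: resolve the value against the current page, require an
// http(s) scheme, and require the resulting origin to be on an allow-list.
// This rejects javascript:/data: payloads and protocol-relative "//host" tricks.
function safeRedirect(loc, allowedOrigins) {
  const p = { ...parseParams(loc.search), ...parseParams(loc.hash) };
  if (!p.oauth_redirect) return false;
  let target;
  try {
    target = new URL(p.oauth_redirect, loc.href);
  } catch {
    return false; // unparsable value: ignore it
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return false;
  if (!allowedOrigins.includes(target.origin)) return false;
  loc.assign(target.href);
  return true;
}

// Stand-in for window.location so the example runs in Node; records what
// assign() was called with instead of navigating.
function fakeLocation(href) {
  const u = new URL(href);
  return {
    href: u.href,
    search: u.search,
    hash: u.hash,
    assigned: null,
    assign(x) { this.assigned = x; },
  };
}
```

The allow-list is keyed on origin rather than hostname prefix so that values such as https://app.example.evil.example/ or //evil.example/x fail the check instead of slipping through a string-startsWith test.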
Content Security Policy
Deploy a strict CSP that restricts script sources and omits 'unsafe-inline' from script-src; browsers then refuse to navigate to javascript: URLs, which blocks the script-execution payload (but not the open redirect).
Content-Security-Policy: script-src 'self' https://trusted.cdn.com;
🧯 If You Can't Patch
- Implement WAF rules to block requests whose oauth_redirect query parameter contains javascript: or data: (match case-insensitively and after URL-decoding; a WAF cannot see a payload carried in the URL fragment)
- Disable or replace hellojs OAuth functionality with alternative authentication library
🔍 How to Verify
Check if Vulnerable:
Check package.json for the declared range and node_modules/hellojs/package.json for the installed version; if you vendored a dist build, check the version banner at the top of that file. Compare versions numerically, not as strings: 1.9.x is older than 1.18.6. Any installed version below 1.18.6 is vulnerable.
Check Version:
npm list hellojs | grep hellojs
cat node_modules/hellojs/package.json | grep version
Verify Fix Applied:
After the update, confirm the served copy of hello.js reports version 1.18.6 or higher, then exercise the OAuth flow with oauth_redirect=javascript:alert(1) and confirm the payload is not executed.
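The version check described above, as an added example (not part of the advisory): it compares an installed hellojs version against the fixed release 1.18.6 numerically, since a plain string comparison gets "1.9.0" versus "1.18.6" backwards. The readInstalledVersion helper reads node_modules/hellojs/package.json relative to the current directory; that path and the function names are assumptions.

```javascript
// Added example, not from the advisory. Names and the package.json path are assumptions.
const FIXED_VERSION = "1.18.6";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers; tolerates a leading ^, ~, = or v.
function parseVersion(v) {
  const m = String(v).trim().match(/^[\^~=v]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/);
  if (!m) throw new Error(`unparsable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, positive if a > b, 0 if equal. A prerelease of X sorts before X.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// True when the given version is below the first fixed release.
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Read the version actually installed under node_modules, or null if absent.
function readInstalledVersion(root = process.cwd()) {
  const fs = require("fs");
  const path = require("path");
  const file = path.join(root, "node_modules", "hellojs", "package.json");
  if (!fs.existsSync(file)) return null;
  return JSON.parse(fs.readFileSync(file, "utf8")).version;
}

// Usage: node check-hellojs.js from the project root (file name is hypothetical).
function report(root) {
  const v = readInstalledVersion(root);
  if (v === null) return "hellojs not installed under node_modules";
  return `hellojs ${v}: ${isVulnerable(v) ? "VULNERABLE (< 1.18.6)" : "fixed"}`;
}
```

The installed version under node_modules is what matters, not the range in package.json: a declared "^1.18.0" can still resolve to 1.18.5 in a lockfile.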
📡 Detection & Monitoring
Log Indicators:
- Unusual oauth_redirect parameter values containing javascript: or data: protocols
- Failed OAuth authentication attempts with suspicious parameters
Network Indicators:
- HTTP requests with javascript: or data: in the oauth_redirect query parameter (URL-decode before matching; a payload placed in the URL fragment is not sent to the server and will not appear in server-side logs)
- Redirects to unexpected domains during OAuth flow
SIEM Query (matches query-string payloads only; URL-decode the field first if your backend does not):
http.uri_query:*javascript* AND http.uri_query:*oauth_redirect*
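The detection logic behind the indicators above, run over a few constructed access-log lines, as an added example that is not part of the advisory. It extracts the request target from combined-format log lines, reads the oauth_redirect query parameter, and classifies it as a script scheme (javascript:, data:, vbscript:), an external http(s) origin, or acceptable. The log lines, the app.example origin and the function names are all constructed for this example.

```javascript
// Added example, not from the advisory. Log lines below are constructed; the
// field layout assumed is Apache/nginx combined format. Names are hypothetical.
const SITE_ORIGIN = "https://app.example"; // assumed origin of the OAuth redirect page

const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /redirect.html?oauth_redirect=javascript:alert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2020:13:55:40 +0000] "GET /redirect.html?oauth_redirect=https%3A%2F%2Fevil.example%2Fphish HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2020:13:56:01 +0000] "GET /redirect.html?oauth_redirect=%2Fdashboard&state=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2020:13:56:02 +0000] "GET /redirect.html?code=xyz&state=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2020:13:57:12 +0000] "GET /redirect.html?oauth_redirect=JaVaScRiPt%3Aalert(document.cookie) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2020:13:57:30 +0000] "GET /redirect.html?oauth_redirect=data%3Atext%2Fhtml%2C%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

// Extract the request path+query from a combined-format line, or null.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Classify one (already URL-decoded) oauth_redirect value. Resolving through
// the URL parser normalises scheme case, so "JaVaScRiPt:" is still caught.
function classifyRedirect(value) {
  let u;
  try {
    u = new URL(value, SITE_ORIGIN + "/");
  } catch {
    return "malformed";
  }
  if (/^(javascript|data|vbscript):$/i.test(u.protocol)) return "script";
  if (u.protocol === "http:" || u.protocol === "https:") {
    return u.origin === SITE_ORIGIN ? "ok" : "external";
  }
  return "other";
}

// Return one finding per log line whose oauth_redirect value is suspicious.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const target = requestTarget(line);
    if (!target) continue;
    const value = new URL(target, SITE_ORIGIN).searchParams.get("oauth_redirect");
    if (value === null) continue;
    const verdict = classifyRedirect(value);
    if (verdict !== "ok") {
      findings.push({ ip: line.split(" ")[0], value, verdict });
    }
  }
  return findings;
}
```

Decoding the parameter before classifying is what makes the mixed-case and percent-encoded variants match; a raw substring search for "javascript" in the query string misses both. Payloads delivered in the URL fragment are invisible to this and to any other server-side log search.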
🔗 References
- https://github.com/MrSwitch/hello.js/blob/3b79ec93781b3d7b9c0b56f598e060301d1f3e73/dist/hello.all.js#L1545
- https://github.com/MrSwitch/hello.js/commit/d6f5137f30de6e0ef7048191ee6ae575fdc2f669
- https://snyk.io/vuln/SNYK-JS-HELLOJS-1014546