{"id":"CVE-2021-40927","details":"Cross-site scripting (XSS) vulnerability in callback.php in Spotify-for-Alfred 0.13.9 and below allows remote attackers to inject arbitrary web script or HTML via the error parameter.","modified":"2026-04-10T04:38:35.174952Z","published":"2021-10-01T16:15:07.520Z","references":[{"type":"ADVISORY","url":"https://github.com/citelao/Spotify-for-Alfred"},{"type":"REPORT","url":"https://github.com/citelao/Spotify-for-Alfred/issues/137"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/citelao/Spotify-for-Alfred","events":[{"introduced":"0"},{"last_affected":"941631eba0c581d38632a05d0e0101c438f1730d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.13.9"}]}}],"versions":["0.8","0.81","0.82","untagged-01605e31ce682aaeb064","untagged-047e50cd91ceff37048b","untagged-09d7eb04afca105e6d3c","untagged-5a073d2024cacb9fdd3a","untagged-5e19b1d94781ceedca76","untagged-9ce37879c78052fd7061","untagged-ba3630bdee5766d3549e","untagged-bc0e0cdc8e84f88f4273","untagged-cc61581aa4bf11ee3201","untagged-d357df1dd876f49ae740","v0.1","v0.11.1","v0.11.2","v0.11.2.1","v0.12","v0.13","v0.13.1","v0.13.2","v0.13.2.1","v0.13.3","v0.13.3.1","v0.13.3.1f","v0.13.3.2","v0.13.4","v0.13.5","v0.13.7","v0.13.8","v0.13.9","v0.5","v0.5a","v0.6","v0.9","v0.9.1","v0.9.3","v0.9.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40927.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}