GHSA-49rv-g7w5-m8xx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-49rv-g7w5-m8xx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-49rv-g7w5-m8xx/GHSA-49rv-g7w5-m8xx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-49rv-g7w5-m8xx
- Aliases
- Published
- 2020-08-28T21:24:59Z
- Modified
- 2023-11-01T05:17:09.121508Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Cross-Site Scripting in @novnc/novnc
- Details
-
Versions of
@novnc/novncprior to 0.6.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to validate input from the remote VNC server such as the VNC server name. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. It affects any users ofinclude/ui.jsand users ofvnc_auto.htmlandvnc.html.Recommendation
Upgrade to version 0.6.2 or later.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-18635
- https://github.com/novnc/noVNC/issues/748
- https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534
- https://access.redhat.com/errata/RHSA-2020:0754
- https://bugs.launchpad.net/horizon/+bug/1656435
- https://github.com/ShielderSec/cve-2017-18635
- https://github.com/novnc/noVNC
- https://github.com/novnc/noVNC/releases/tag/v0.6.2
- https://lists.debian.org/debian-lts-announce/2019/10/msg00004.html
- https://lists.debian.org/debian-lts-announce/2021/12/msg00024.html
- https://snyk.io/vuln/SNYK-JS-NOVNCNOVNC-469136
- https://usn.ubuntu.com/4522-1
- https://www.npmjs.com/advisories/1204
- https://www.shielder.it/blog/exploiting-an-old-novnc-xss-cve-2017-18635-in-openstack
Affected packages
npm / @novnc/novnc
Package
- Name
- @novnc/novnc
- View open source insights on deps.dev
- Purl
- pkg:npm/%40novnc/novnc