CVE-2017-18635 – @novnc/novnc

Package

Manager: npm
Name: @novnc/novnc
Vulnerable Version: >=0 <0.6.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.04809 pctl0.89075

Details

Cross-Site Scripting in @novnc/novnc Versions of `@novnc/novnc` prior to 0.6.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to validate input from the remote VNC server such as the VNC server name. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. It affects any users of `include/ui.js` and users of `vnc_auto.html` and `vnc.html`. ## Recommendation Upgrade to version 0.6.2 or later.

Metadata

Created: 2020-08-28T21:24:59Z
Modified: 2021-09-23T19:08:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-49rv-g7w5-m8xx/GHSA-49rv-g7w5-m8xx.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-49rv-g7w5-m8xx
Finding: F008
Auto approve: 1