CVE-2019-10771 – iobroker.web
Package
Manager: npm
Name: iobroker.web
Vulnerable Version: >=0 <2.4.10
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0024 (percentile: 0.47184)
Details
Cross-Site Scripting in iobroker.web

Versions of `iobroker.web` prior to 2.4.10 are vulnerable to Cross-Site Scripting. The package fails to escape URL parameters that may be reflected in the server response. This can be used by attackers to execute arbitrary JavaScript in the victim's browser.

## Recommendation

Upgrade to version 2.4.10 or later.
Metadata
Created: 2019-12-02T18:14:30Z
Modified: 2021-08-19T15:34:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-6rjc-4pwr-3vp7/GHSA-6rjc-4pwr-3vp7.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-6rjc-4pwr-3vp7
Finding: F008
Auto approve: 1