
GHSA-8c8c-4vfj-rrpc redis-commander

Package

Manager: npm
Name: redis-commander
Vulnerable Version: >=0.0.0 <0.5.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Reflected Cross-Site Scripting in redis-commander

Affected versions of `redis-commander` contain a cross-site scripting vulnerability in the `highlighterId` parameter of the clipboard.swf component on hosts serving Redis Commander.

Mitigating factors: Flash must be installed / enabled for this to work. The below proof of concept was verified to work using Firefox 57.0 on Windows 10 by manually installing the [Flash NPAPI Windows plugin](https://get.adobe.com/flashplayer/otherversions/).

## Proof of concept

```
http://instance/jstree/_docs/syntax/clipboard.swf?highlighterId=\%22))}%20catch(e)%20{alert(document.domain);}//
```

## Recommendation

No direct patch for this vulnerability is currently available. At this time, the best mitigation is to use an alternative, functionally equivalent package, or to use extreme caution when using redis-commander, ensuring that redis-commander is the only web page you have open, and avoiding clicking on any links.
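Since no patch exists, operators may want to watch for the injection pattern in access logs. The following is an added example, not code from the advisory or from redis-commander: it scans constructed common-log-format lines for requests to the clipboard.swf path whose `highlighterId` value is not a plain identifier. The log format, the sample client addresses and the safe-identifier character set are assumptions.

```javascript
// Added example (not part of the advisory): flag requests for the vulnerable
// clipboard.swf component whose highlighterId parameter is not a plain
// identifier. The log lines below are constructed, not real traffic.

// Assumption: legitimate highlighterId values are simple identifiers; quotes,
// braces, parentheses or slashes indicate script injection attempts.
const SAFE_ID = /^[A-Za-z0-9_-]*$/;

// Assumed common log format: host ident user [time] "METHOD target HTTP/x" status size
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], target: m[4], status: m[5] };
}

// Returns a finding for one log line, or null if the line is not of interest.
function inspect(line) {
  const req = parseLine(line);
  if (!req) return null;
  let url;
  try {
    // The base URL is only needed so relative request targets parse; it is not used.
    url = new URL(req.target, "http://placeholder.invalid");
  } catch {
    return null;
  }
  if (!url.pathname.toLowerCase().endsWith("/clipboard.swf")) return null;
  const id = url.searchParams.get("highlighterId"); // percent-decoded by URLSearchParams
  if (id === null || SAFE_ID.test(id)) return null;
  return { client: req.client, time: req.time, highlighterId: id };
}

function scan(lines) {
  return lines.map(inspect).filter(Boolean);
}

// Constructed sample log: one benign request, one malformed parameter, one unrelated path.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Sep/2020:19:05:11 +0000] "GET /jstree/_docs/syntax/clipboard.swf?highlighterId=highlighter_1 HTTP/1.1" 200 1234',
  '10.0.0.9 - - [01/Sep/2020:19:06:02 +0000] "GET /jstree/_docs/syntax/clipboard.swf?highlighterId=x%22))%3B%2F%2F HTTP/1.1" 200 1234',
  '10.0.0.9 - - [01/Sep/2020:19:06:03 +0000] "GET /index.html HTTP/1.1" 200 5678',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const finding of scan(SAMPLE_LOG)) console.log(JSON.stringify(finding));
}
```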

Metadata

Created: 2020-09-01T19:05:11Z
Modified: 2022-03-04T22:02:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8c8c-4vfj-rrpc/GHSA-8c8c-4vfj-rrpc.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F008
Auto approve: 1