Fluid Attacks Database

Description

Cross-Site Scripting in @novnc/novnc Versions of @novnc/novnc prior to 0.6.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to validate input from the remote VNC server such as the VNC server name. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. It affects any users of include/ui.js and users of vnc_auto.html and vnc.html.

Recommendation

Upgrade to version 0.6.2 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	novnc	>=0 <1:1.0.0-1	1:1.0.0-1
npm	@novnc/novnc	>=0 <0.6.2	0.6.2
debian 14	novnc	>=0 <1:1.0.0-1	1:1.0.0-1
debian 12	novnc	>=0 <1:1.0.0-1	1:1.0.0-1
debian 13	novnc	>=0 <1:1.0.0-1	1:1.0.0-1

Aliases

1. CVE-2017-186352. NVD-2017-186353. OSV-DEBIAN-2017-186354. OSV-2017-186355. GCVE-2017-186356. SECURITY-TRACKER-CVE-2017-186357. access.redhat.com8. lists.debian.org9. lists.debian.org

References

1. https://github.com/ShielderSec/CVE-2017-186352. https://github.com/novnc/noVNC/issues/7483. https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L5344. https://bugs.launchpad.net/horizon/+bug/16564355. https://github.com/ShielderSec/cve-2017-186356. https://github.com/novnc/noVNC/releases/tag/v0.6.27. https://usn.ubuntu.com/4522-18. https://www.npmjs.com/advisories/12049. https://www.shielder.it/blog/exploiting-an-old-novnc-xss-cve-2017-18635-in-openstack