Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJnZ3EtdmZjcC1nd2hq
Cross-Site Scripting in @hapi/boom
Versions of @hapi/boom prior to 0.3.8 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly escape error messages, which may allow attackers to execute arbitrary JavaScript in a victim's browser.
Recommendation
Upgrade to version 0.3.8 or later.
Permalink: https://github.com/advisories/GHSA-2ggq-vfcp-gwhj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJnZ3EtdmZjcC1nd2hq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-2ggq-vfcp-gwhj
References:
- https://snyk.io/vuln/SNYK-JS-HAPIBOOM-541183
- https://github.com/hapijs/boom
- https://github.com/hapijs/boom/commit/0f8640bdba65aec6e6799bfc16ff5753150bfcaf
- https://github.com/advisories/GHSA-2ggq-vfcp-gwhj
Blast Radius: 33.0
Affected Packages
npm:@hapi/boom
Dependent packages: 839
Dependent repositories: 120,238
Downloads: 11,544,735 last month
Affected Version Ranges: < 0.3.8
Fixed in: 0.3.8
All affected versions:
All unaffected versions: 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.4.5, 7.4.6, 7.4.7, 7.4.8, 7.4.9, 7.4.10, 7.4.11, 8.0.1, 9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 10.0.0, 10.0.1