Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ5cnYtZzd3NS1tOHh4

Cross-Site Scripting in @novnc/novnc

Versions of @novnc/novnc prior to 0.6.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to validate input from the remote VNC server such as the VNC server name. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. It affects any users of include/ui.js and users of vnc_auto.html and vnc.html.

Recommendation

Upgrade to version 0.6.2 or later.

Permalink: https://github.com/advisories/GHSA-49rv-g7w5-m8xx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ5cnYtZzd3NS1tOHh4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: about 2 years ago

CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00145
EPSS Percentile: 0.50933

Identifiers: GHSA-49rv-g7w5-m8xx, CVE-2017-18635
References:

• https://nvd.nist.gov/vuln/detail/CVE-2017-18635
• https://github.com/novnc/noVNC/issues/748
• https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534
• https://bugs.launchpad.net/horizon/+bug/1656435
• https://github.com/novnc/noVNC/releases/tag/v0.6.2
• https://www.npmjs.com/advisories/1204
• https://snyk.io/vuln/SNYK-JS-NOVNCNOVNC-469136
• https://access.redhat.com/errata/RHSA-2020:0754
• https://github.com/ShielderSec/cve-2017-18635
• https://lists.debian.org/debian-lts-announce/2019/10/msg00004.html
• https://usn.ubuntu.com/4522-1/
• https://www.shielder.it/blog/exploiting-an-old-novnc-xss-cve-2017-18635-in-openstack/
• https://lists.debian.org/debian-lts-announce/2021/12/msg00024.html
• https://github.com/advisories/GHSA-49rv-g7w5-m8xx

Repository: https://github.com/novnc/noVNC
Blast Radius: 15.6

Affected Packages