Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtNHItY2dtMy02cTdx

Cross-Site Scripting in status-board

All versions of status-board are vulnerable to Cross-Site Scripting. The renderJsDashboard() function concatenates the safeDashboard variable to the HTTP response message with insufficient sanitization. If this variable is controlled by user input it may allow attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Permalink: https://github.com/advisories/GHSA-6m4r-cgm3-6q7q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtNHItY2dtMy02cTdx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: over 1 year ago

CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-6m4r-cgm3-6q7q, CVE-2019-15478
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-15478
• https://github.com/jameswlane/status-board/pull/949
• https://github.com/jameswlane/status-board/pull/949/files
• https://snyk.io/vuln/SNYK-JS-STATUSBOARD-460293
• https://www.npmjs.com/advisories/1151
• https://github.com/advisories/GHSA-6m4r-cgm3-6q7q

Repository: https://github.com/jameswlane/status-board
Blast Radius: 6.4

Affected Packages