Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtNHItY2dtMy02cTdx
Cross-Site Scripting in status-board
All versions of status-board are vulnerable to Cross-Site Scripting. The renderJsDashboard() function concatenates the safeDashboard variable to the HTTP response message with insufficient sanitization. If this variable is controlled by user input it may allow attackers to execute arbitrary JavaScript in a victim's browser.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Permalink: https://github.com/advisories/GHSA-6m4r-cgm3-6q7qJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZtNHItY2dtMy02cTdx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 5 years ago
Updated: almost 2 years ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.0007
EPSS Percentile: 0.31501
Identifiers: GHSA-6m4r-cgm3-6q7q, CVE-2019-15478
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-15478
- https://github.com/jameswlane/status-board/pull/949
- https://github.com/jameswlane/status-board/pull/949/files
- https://snyk.io/vuln/SNYK-JS-STATUSBOARD-460293
- https://www.npmjs.com/advisories/1151
- https://github.com/advisories/GHSA-6m4r-cgm3-6q7q
Blast Radius: 6.4
Affected Packages
npm:status-board
Dependent packages: 1Dependent repositories: 11
Downloads: 242 last month
Affected Version Ranges: < 1.1.82
Fixed in: 1.1.82
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.1.19, 1.1.20, 1.1.21, 1.1.22, 1.1.23, 1.1.24, 1.1.25, 1.1.26, 1.1.27, 1.1.28, 1.1.29, 1.1.30, 1.1.31, 1.1.32, 1.1.33, 1.1.34, 1.1.35, 1.1.36, 1.1.37, 1.1.38, 1.1.39, 1.1.40, 1.1.41, 1.1.42, 1.1.43, 1.1.44, 1.1.45, 1.1.46, 1.1.47, 1.1.48, 1.1.49, 1.1.50, 1.1.51, 1.1.52, 1.1.53, 1.1.54, 1.1.55, 1.1.56, 1.1.57, 1.1.58, 1.1.59, 1.1.60, 1.1.61, 1.1.62, 1.1.63, 1.1.64, 1.1.65, 1.1.66, 1.1.67, 1.1.68, 1.1.69, 1.1.70, 1.1.71, 1.1.72, 1.1.73, 1.1.74, 1.1.75, 1.1.76, 1.1.77, 1.1.78, 1.1.79, 1.1.80, 1.1.81
All unaffected versions: 1.1.82, 1.1.83