Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg4NjQtcmhtdy01bTZm

Status Board vulnerable to Cross-Site Scripting before v1.1.82

Versions of status-board prior to 1.1.82 are vulnerable to Cross-Site Scripting. The renderDashboard() function concatenates the safeDashboard variable to the printed error message with insufficient sanitization. If this variable is controlled by user input it allows attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 1.1.82 to receive a patch.

Permalink: https://github.com/advisories/GHSA-8864-rhmw-5m6f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg4NjQtcmhtdy01bTZm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: about 1 year ago

CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-8864-rhmw-5m6f, CVE-2019-15479
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-15479
• https://github.com/jameswlane/status-board/pull/948
• https://snyk.io/vuln/SNYK-JS-STATUSBOARD-460295
• https://github.com/status-board/status-board/commit/19106617865406aa6f8edec036dcb1db427d5f71
• https://github.com/advisories/GHSA-8864-rhmw-5m6f

Repository: https://github.com/jameswlane/status-board
Blast Radius: 6.4

Affected Packages