Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdqaDQtZmN2My13aHBx

Cross-Site Scripting in webtorrent

Versions of webtorrent prior to 0.107.6 are vulnerable to Cross-Site Scripting. webtorrent servers started with torrent.createServer() lists a torrent's title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim's browser through files with names containing the malicious payload. The issue is mitigated due to the fact that the server only allows fetching data pieces from the torrent.

Recommendation

Upgrade to version 0.107.6 or later.

Permalink: https://github.com/advisories/GHSA-gjh4-fcv3-whpq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdqaDQtZmN2My13aHBx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: over 1 year ago


CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00081
EPSS Percentile: 0.35502

Identifiers: GHSA-gjh4-fcv3-whpq, CVE-2019-15782
References: Repository: https://github.com/webtorrent/webtorrent
Blast Radius: 17.8

Affected Packages

npm:webtorrent
Dependent packages: 191
Dependent repositories: 842
Downloads: 19,417 last month
Affected Version Ranges: < 0.107.6
Fixed in: 0.107.6
All affected versions: 0.0.1, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.2.17, 0.2.18, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.17.1, 0.18.0, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.22.0, 0.22.1, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.28.0, 0.29.0, 0.29.1, 0.29.2, 0.29.3, 0.29.4, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.39.0, 0.40.0, 0.40.1, 0.40.2, 0.41.0, 0.42.0, 0.43.0, 0.43.1, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.47.1, 0.48.0, 0.48.1, 0.48.2, 0.48.3, 0.48.4, 0.48.5, 0.48.6, 0.49.0, 0.49.1, 0.49.2, 0.50.0, 0.50.1, 0.50.2, 0.50.3, 0.51.0, 0.51.1, 0.52.0, 0.52.1, 0.53.0, 0.53.1, 0.53.2, 0.53.3, 0.53.4, 0.54.0, 0.54.1, 0.54.3, 0.55.0, 0.55.1, 0.56.0, 0.57.0, 0.58.0, 0.59.0, 0.60.0, 0.60.1, 0.61.0, 0.62.0, 0.62.1, 0.62.2, 0.62.3, 0.63.0, 0.63.1, 0.63.2, 0.63.3, 0.63.4, 0.64.0, 0.65.0, 0.65.1, 0.66.0, 0.67.0, 0.67.1, 0.68.0, 0.69.0, 0.70.0, 0.71.0, 0.71.1, 0.71.3, 0.71.4, 0.72.0, 0.72.1, 0.72.2, 0.73.0, 0.73.1, 0.73.2, 0.74.0, 0.74.1, 0.74.2, 0.75.0, 0.76.0, 0.77.0, 0.78.0, 0.78.1, 0.79.0, 0.79.1, 0.80.0, 0.81.0, 0.81.1, 0.81.2, 0.82.0, 0.82.1, 0.83.0, 0.84.0, 0.84.1, 0.85.0, 0.85.1, 0.85.2, 0.85.3, 0.85.4, 0.86.0, 0.86.1, 0.86.2, 0.87.0, 0.87.1, 0.88.0, 0.88.1, 0.88.2, 0.88.3, 0.89.0, 0.90.0, 0.90.1, 0.90.2, 0.90.3, 0.91.0, 0.91.1, 0.91.2, 0.91.3, 0.91.4, 0.92.0, 0.93.0, 0.93.1, 0.93.2, 0.93.3, 0.93.4, 0.94.0, 0.94.1, 0.94.2, 0.94.3, 0.94.4, 0.95.0, 0.95.1, 0.95.2, 0.95.3, 0.95.4, 0.95.5, 0.95.6, 0.96.0, 0.96.1, 0.96.2, 0.96.3, 0.96.4, 0.96.5, 0.97.0, 0.97.1, 0.97.2, 0.98.0, 0.98.1, 0.98.2, 0.98.3, 0.98.4, 0.98.5, 0.98.6, 0.98.7, 0.98.8, 0.98.9, 0.98.10, 0.98.11, 0.98.12, 0.98.13, 0.98.14, 0.98.15, 0.98.16, 0.98.17, 0.98.18, 0.98.19, 0.98.20, 0.98.21, 0.98.23, 0.98.24, 0.99.0, 0.99.1, 0.99.2, 0.99.3, 0.99.4, 0.100.0, 0.101.0, 0.101.1, 0.101.2, 0.102.0, 0.102.1, 0.102.2, 0.102.3, 0.102.4, 0.103.0, 0.103.1, 0.103.2, 0.103.3, 0.103.4, 0.104.0, 0.105.0, 0.105.1, 0.105.2, 0.105.3, 0.106.0, 0.107.0, 0.107.1, 0.107.2, 0.107.3, 0.107.4, 0.107.5
All unaffected versions: 0.107.6, 0.107.7, 0.107.8, 0.107.9, 0.107.10, 0.107.11, 0.107.12, 0.107.13, 0.107.14, 0.107.15, 0.107.16, 0.107.17, 0.108.0, 0.108.1, 0.108.2, 0.108.3, 0.108.4, 0.108.5, 0.108.6, 0.109.0, 0.109.1, 0.109.2, 0.110.0, 0.110.1, 0.111.0, 0.112.0, 0.112.1, 0.112.2, 0.112.3, 0.112.4, 0.113.0, 0.114.0, 0.114.1, 0.115.0, 0.115.1, 0.115.2, 0.115.3, 0.115.4, 0.116.0, 0.116.1, 0.116.2, 0.116.3, 0.117.0, 0.118.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.8.17, 1.8.18, 1.8.19, 1.8.20, 1.8.21, 1.8.22, 1.8.23, 1.8.24, 1.8.25, 1.8.26, 1.8.27, 1.8.28, 1.8.29, 1.8.30, 1.8.31, 1.8.32, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.29, 2.0.30, 2.0.31, 2.0.32, 2.0.33, 2.0.34, 2.0.35, 2.0.36, 2.0.37, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.19, 2.1.20, 2.1.21, 2.1.22, 2.1.23, 2.1.24, 2.1.25, 2.1.26, 2.1.27, 2.1.28, 2.1.29, 2.1.30, 2.1.31, 2.1.32, 2.1.33, 2.1.34, 2.1.35, 2.1.36, 2.1.37, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7