Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdqaDQtZmN2My13aHBx

Cross-Site Scripting in webtorrent

Versions of webtorrent prior to 0.107.6 are vulnerable to Cross-Site Scripting. webtorrent servers started with torrent.createServer() list a torrent's title and files in the index page without sanitization. This allows an attacker who controls a torrent's name or file names to execute arbitrary JavaScript in the victim's browser when the index page is viewed, by placing the payload in those names. The impact is limited by the fact that the server only allows fetching data pieces from the torrent.
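The rendering flaw described above, as an added example that is not webtorrent's own code: a minimal stand-in for the index page that createServer() renders, with the unsanitized renderer beside an escaping one, and a check that flags any HTML tag originating from torrent-controlled text. The torrent object shape, the function names and the sample file names are assumptions constructed for this illustration.

```javascript
// Added example (not webtorrent's own code). The torrent object shape,
// function names and sample names below are constructed for illustration.

// Escape the five characters that let attacker-controlled text break out of
// an HTML text node or a double-quoted attribute value.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable renderer: the torrent name and file paths are concatenated
// straight into the page, so any HTML in a file name is parsed by the browser.
function renderIndexVulnerable(torrent) {
  const items = torrent.files
    .map((f, i) => `<li><a href="/${i}/${f.path}">${f.path}</a></li>`)
    .join('');
  return `<h1>${torrent.name}</h1><ul>${items}</ul>`;
}

// Hardened renderer: every piece of torrent-controlled text is escaped before
// it reaches the page. Path segments in the href are also percent-encoded so
// they cannot close the attribute or inject a second one.
function renderIndexHardened(torrent) {
  const items = torrent.files
    .map((f, i) => {
      const href = `/${i}/` + f.path.split('/').map(encodeURIComponent).join('/');
      return `<li><a href="${escapeHtml(href)}">${escapeHtml(f.path)}</a></li>`;
    })
    .join('');
  return `<h1>${escapeHtml(torrent.name)}</h1><ul>${items}</ul>`;
}

// Review check: every tag in the output should be one the template itself
// emits. Anything else came from torrent-controlled text.
const TEMPLATE_TAGS = new Set(['h1', '/h1', 'ul', '/ul', 'li', '/li', 'a', '/a']);
function foreignTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)) {
    if (!TEMPLATE_TAGS.has(m[1].toLowerCase())) found.push(m[1]);
  }
  return found;
}

// Constructed sample: a torrent whose name and file names carry HTML payloads.
const maliciousTorrent = {
  name: 'Totally Legit Release <script>alert(document.domain)</script>',
  files: [
    { path: 'README.txt' },
    { path: 'video<img src=x onerror=alert(1)>.mp4' },
    { path: 'sub/dir/"><svg onload=alert(2)>.srt' },
  ],
};

console.log('vulnerable page injects:', foreignTags(renderIndexVulnerable(maliciousTorrent)));
console.log('hardened page injects:  ', foreignTags(renderIndexHardened(maliciousTorrent)));
```

The check is deliberately crude (a regex over the rendered string) but it is enough to catch the class of bug in this advisory: the fix is not filtering file names at ingest, which cannot be done reliably, but escaping at the point where untrusted text meets the HTML output.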

Recommendation

Upgrade to version 0.107.6 or later.

Permalink: https://github.com/advisories/GHSA-gjh4-fcv3-whpq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdqaDQtZmN2My13aHBx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: about 1 year ago


CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-gjh4-fcv3-whpq, CVE-2019-15782
References: Repository: https://github.com/webtorrent/webtorrent
Blast Radius: 17.8

Affected Packages

npm:webtorrent
Dependent packages: 191
Dependent repositories: 842
Downloads: 17,028 last month
Affected Version Ranges: < 0.107.6
Fixed in: 0.107.6
All affected versions: 0.0.1, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.2.17, 0.2.18, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.17.1, 0.18.0, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.22.0, 0.22.1, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.28.0, 0.29.0, 0.29.1, 0.29.2, 0.29.3, 0.29.4, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.39.0, 0.40.0, 0.40.1, 0.40.2, 0.41.0, 0.42.0, 0.43.0, 0.43.1, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.47.1, 0.48.0, 0.48.1, 0.48.2, 0.48.3, 0.48.4, 0.48.5, 0.48.6, 0.49.0, 0.49.1, 0.49.2, 0.50.0, 0.50.1, 0.50.2, 0.50.3, 0.51.0, 0.51.1, 0.52.0, 0.52.1, 0.53.0, 0.53.1, 0.53.2, 0.53.3, 0.53.4, 0.54.0, 0.54.1, 0.54.3, 0.55.0, 0.55.1, 0.56.0, 0.57.0, 0.58.0, 0.59.0, 0.60.0, 0.60.1, 0.61.0, 0.62.0, 0.62.1, 0.62.2, 0.62.3, 0.63.0, 0.63.1, 0.63.2, 0.63.3, 0.63.4, 0.64.0, 0.65.0, 0.65.1, 0.66.0, 0.67.0, 0.67.1, 0.68.0, 0.69.0, 0.70.0, 0.71.0, 0.71.1, 0.71.3, 0.71.4, 0.72.0, 0.72.1, 0.72.2, 0.73.0, 0.73.1, 0.73.2, 0.74.0, 0.74.1, 0.74.2, 0.75.0, 0.76.0, 0.77.0, 0.78.0, 0.78.1, 0.79.0, 0.79.1, 0.80.0, 0.81.0, 0.81.1, 0.81.2, 0.82.0, 0.82.1, 0.83.0, 0.84.0, 0.84.1, 0.85.0, 0.85.1, 0.85.2, 0.85.3, 0.85.4, 0.86.0, 0.86.1, 0.86.2, 0.87.0, 0.87.1, 0.88.0, 0.88.1, 0.88.2, 0.88.3, 0.89.0, 0.90.0, 0.90.1, 0.90.2, 0.90.3, 0.91.0, 0.91.1, 0.91.2, 0.91.3, 0.91.4, 0.92.0, 0.93.0, 0.93.1, 0.93.2, 0.93.3, 0.93.4, 0.94.0, 0.94.1, 0.94.2, 0.94.3, 0.94.4, 0.95.0, 0.95.1, 0.95.2, 0.95.3, 0.95.4, 0.95.5, 0.95.6, 0.96.0, 0.96.1, 0.96.2, 0.96.3, 0.96.4, 0.96.5, 0.97.0, 0.97.1, 0.97.2, 0.98.0, 0.98.1, 0.98.2, 0.98.3, 0.98.4, 0.98.5, 0.98.6, 0.98.7, 0.98.8, 0.98.9, 0.98.10, 0.98.11, 0.98.12, 0.98.13, 0.98.14, 0.98.15, 0.98.16, 0.98.17, 0.98.18, 0.98.19, 0.98.20, 0.98.21, 0.98.23, 0.98.24, 0.99.0, 0.99.1, 0.99.2, 0.99.3, 0.99.4, 0.100.0, 0.101.0, 0.101.1, 0.101.2, 0.102.0, 0.102.1, 0.102.2, 0.102.3, 0.102.4, 0.103.0, 0.103.1, 0.103.2, 0.103.3, 0.103.4, 0.104.0, 0.105.0, 0.105.1, 0.105.2, 0.105.3, 0.106.0, 0.107.0, 0.107.1, 0.107.2, 0.107.3, 0.107.4, 0.107.5
All unaffected versions: 0.107.6, 0.107.7, 0.107.8, 0.107.9, 0.107.10, 0.107.11, 0.107.12, 0.107.13, 0.107.14, 0.107.15, 0.107.16, 0.107.17, 0.108.0, 0.108.1, 0.108.2, 0.108.3, 0.108.4, 0.108.5, 0.108.6, 0.109.0, 0.109.1, 0.109.2, 0.110.0, 0.110.1, 0.111.0, 0.112.0, 0.112.1, 0.112.2, 0.112.3, 0.112.4, 0.113.0, 0.114.0, 0.114.1, 0.115.0, 0.115.1, 0.115.2, 0.115.3, 0.115.4, 0.116.0, 0.116.1, 0.116.2, 0.116.3, 0.117.0, 0.118.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.8.17, 1.8.18, 1.8.19, 1.8.20, 1.8.21, 1.8.22, 1.8.23, 1.8.24, 1.8.25, 1.8.26, 1.8.27, 1.8.28, 1.8.29, 1.8.30, 1.8.31, 1.8.32, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.29, 2.0.30, 2.0.31, 2.0.32, 2.0.33, 2.0.34, 2.0.35, 2.0.36, 2.0.37, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.19, 2.1.20, 2.1.21, 2.1.22, 2.1.23, 2.1.24, 2.1.25, 2.1.26, 2.1.27, 2.1.28, 2.1.29, 2.1.30, 2.1.31, 2.1.32, 2.1.33, 2.1.34, 2.1.35, 2.1.36, 2.1.37, 2.2.0, 2.2.1