Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFmaDItNmY3cS1ncjg2
Cross-Site Scripting in sexstatic
All versions of sexstatic are vulnerable to stored cross-site scripting (xss). This is exploitable if an attacker can control a filename that is served by sexstatic.
Recommendation
As there is no fix is currently available for this vulnerability it is our recommendation to not install or used this module at this time.
Permalink: https://github.com/advisories/GHSA-qfh2-6f7q-gr86JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFmaDItNmY3cS1ncjg2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-qfh2-6f7q-gr86, CVE-2018-3755
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-3755
- https://hackerone.com/reports/328210
- https://github.com/advisories/GHSA-qfh2-6f7q-gr86
- https://www.npmjs.com/advisories/671
Affected Packages
npm:sexstatic
Dependent packages: 4Dependent repositories: 33
Downloads: 1,948 last month
Affected Version Ranges: <= 0.6.2
No known fixed version
All affected versions: 0.6.0, 0.6.2