Lucene search
Feross AboukhadijehNODEJS:1158HistorySep 06, 2019 - 7:02 p.m.
Cross-Site Scripting
2019-09-0619:02:30
Feross Aboukhadijeh
www.npmjs.com
6
0.001 Low
EPSS
Percentile
35.9%
Overview
Versions of webtorrent prior to 0.107.6 are vulnerable to Cross-Site Scripting. webtorrent servers started with torrent.createServer() lists a torrent’s title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim’s browser through files with names containing the malicious payload. The issue is mitigated due to the fact that the server only allows fetching data pieces from the torrent.
Recommendation
Upgrade to version 0.107.6 or later.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| webtorrent | lt | 0.107.6 |
Related
github
github
Cross-Site Scripting in webtorrent
2019-09-04 10:02:50
hackerone
hackerone
Brave Software: Stored XSS in localhost:* via integrated torrent downloader
2019-08-25 12:34:31
veracode
veracode
Cross-Site Scripting (XSS)
2019-08-30 07:21:36
nvd
nvd
CVE-2019-15782
2019-08-29 12:15:11
osv
osv
Cross-Site Scripting in webtorrent
2019-09-04 10:02:50
CVE-2019-15782
2019-08-29 12:15:11
prion
prion
Cross site scripting
2019-08-29 12:15:00
cvelist
cvelist
CVE-2019-15782
2019-08-29 11:07:38
cve
cve
CVE-2019-15782
2019-08-29 12:15:11
githubexploit
githubexploit
Exploit for Cross-site Scripting in Webtorrent
2020-12-01 09:18:58