Lucene search

K
nodejsDavid WydeNODEJS:1204
HistoryOct 04, 2019 - 6:51 p.m.

Cross-Site Scripting

2019-10-0418:51:29
David Wyde
www.npmjs.com
15

0.004 Low

EPSS

Percentile

72.1%

Overview

Versions of @novnc/novnc prior to 0.6.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to validate input from the remote VNC server such as the VNC server name. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. It affects any users of include/ui.js and users of vnc_auto.html and vnc.html.

Recommendation

Upgrade to version 0.6.2 or later.

References

CPENameOperatorVersion
@novnc/novnclt0.6.2