noVNC is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a victim's browser via messages propagated to the status field, such as the VNC server name.
access.redhat.com/errata/RHSA-2020:0754
bugs.launchpad.net/horizon/+bug/1656435
bugzilla.suse.com/show_bug.cgi?id=1152255
github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534
github.com/novnc/noVNC/issues/748
github.com/novnc/noVNC/releases/tag/v0.6.2
github.com/ShielderSec/cve-2017-18635
lists.debian.org/debian-lts-announce/2019/10/msg00004.html
lists.debian.org/debian-lts-announce/2021/12/msg00024.html
usn.ubuntu.com/4522-1/
www.npmjs.com/advisories/1204
www.shielder.it/blog/exploiting-an-old-novnc-xss-cve-2017-18635-in-openstack/