Description
All versions of fileview are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim’s browser through files with names containing malicious code.
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.1.6
References
- GHSA-gvr4-7xgc-gx3w
- hackerone.com
- www.npmjs.com
- CVE-2019-15602
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes - CVE-2019-14863
- Cross-Site Scripting in min-http-server - CVE-2019-5457
- DOM-based cross-site scripting in Froala Editor - CVE-2019-19935
- Cross-site Scripting in pandao editor.md - CVE-2019-14517
Tags
- npm
- fileview
Last updated on January 09, 2023