Description
Versions of @novnc/novnc prior to 0.6.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize input received from the remote VNC server, such as the VNC server (desktop) name, before inserting it into the page. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. It affects any users of include/ui.js, vnc_auto.html and vnc.html.
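The following is an added example, not code from the noVNC project, showing where the attacker-controlled value enters and why rendering it unsanitized is exploitable. It parses a ServerInit message (layout per RFC 6143, section 7.3.2: width u16, height u16, 16-byte pixel format, name-length u32, name-string), which is how a VNC server communicates its desktop name, and then contrasts an unsafe render that interpolates the name into markup (the pattern behind this class of bug, with the innerHTML assignment simulated as a string) with a safe one that escapes first. The function names, the constructed sample message and the `onerror` payload are all assumptions for illustration.

```javascript
// Added example (not noVNC's code). Node.js; run with `node example.js`.

// Parse an RFB ServerInit message (RFC 6143 s.7.3.2) and return the
// server-chosen desktop name. Bytes 4..19 are the PIXEL_FORMAT block.
function parseServerInit(buf) {
  if (buf.length < 24) throw new Error('ServerInit too short');
  const width = buf.readUInt16BE(0);
  const height = buf.readUInt16BE(2);
  const nameLength = buf.readUInt32BE(20);
  if (buf.length < 24 + nameLength) throw new Error('ServerInit truncated');
  // The name is raw bytes chosen entirely by the remote server.
  const name = buf.subarray(24, 24 + nameLength).toString('latin1');
  return { width, height, name };
}

// Build a ServerInit as a malicious server would send it (constructed sample).
function buildServerInit(width, height, name) {
  const nameBytes = Buffer.from(name, 'latin1');
  const buf = Buffer.alloc(24 + nameBytes.length);
  buf.writeUInt16BE(width, 0);
  buf.writeUInt16BE(height, 2);
  // PIXEL_FORMAT: 32 bpp, depth 24, little-endian, true-colour, 8-bit RGB at shifts 16/8/0
  buf.writeUInt8(32, 4); buf.writeUInt8(24, 5); buf.writeUInt8(0, 6); buf.writeUInt8(1, 7);
  buf.writeUInt16BE(255, 8); buf.writeUInt16BE(255, 10); buf.writeUInt16BE(255, 12);
  buf.writeUInt8(16, 14); buf.writeUInt8(8, 15); buf.writeUInt8(0, 16);
  // bytes 17..19 are padding (left zero)
  buf.writeUInt32BE(nameBytes.length, 20);
  nameBytes.copy(buf, 24);
  return buf;
}

// Vulnerable pattern: the server-supplied name is interpolated into markup that
// would then be assigned to element.innerHTML. Any tag in the name is parsed as HTML.
function renderStatusUnsafe(name) {
  return `<div id="status">Connected to ${name}</div>`;
}

// Minimal HTML escaper for text placed inside an element body or attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened pattern: escape before building markup. In a real DOM, the simpler
// fix is to assign the name via element.textContent and never via innerHTML.
function renderStatusSafe(name) {
  return `<div id="status">Connected to ${escapeHtml(name)}</div>`;
}

// Check used below: does the rendered HTML contain any tag other than the
// template's own <div>/</div>? If so, server data became markup.
function containsInjectedTag(html) {
  return /<(?!\/?div\b)[a-zA-Z]/.test(html);
}

// Demonstration on a constructed malicious ServerInit.
const evilInit = buildServerInit(800, 600, '<img src=x onerror=alert(document.cookie)>');
const { name } = parseServerInit(evilInit);
console.log('unsafe:', renderStatusUnsafe(name), containsInjectedTag(renderStatusUnsafe(name)));
console.log('safe:  ', renderStatusSafe(name), containsInjectedTag(renderStatusSafe(name)));

module.exports = { parseServerInit, buildServerInit, renderStatusUnsafe, renderStatusSafe, escapeHtml, containsInjectedTag };
```

The point to take from the example is that the desktop name is just a length-prefixed byte string the server controls; a client that treats it as trusted text and writes it with innerHTML hands the server a script-execution primitive in the user's browser. Escaping (or using textContent) is the fix; validating the name against a character allowlist is an acceptable defense in depth but not a substitute.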
Recommendation
Update the @novnc/novnc package to the latest compatible version. Version details:
- Affected version(s): < 0.6.2
- Patched version(s): 0.6.2
References
- GHSA-49rv-g7w5-m8xx
- bugs.launchpad.net
- www.npmjs.com
- snyk.io
- access.redhat.com
- lists.debian.org
- usn.ubuntu.com
- www.shielder.it
- CVE-2017-18635
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Last updated on February 01, 2023