Description
Versions of webtorrent prior to 0.107.6 are vulnerable to Cross-Site Scripting. webtorrent servers started with torrent.createServer() lists a torrent’s title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim’s browser through files with names containing the malicious payload.
Recommendation
Update the webtorrent package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.107.6
- Patched version(s): 0.107.6
References
- GHSA-gjh4-fcv3-whpq
- snyk.io
- www.npmjs.com
- hackerone.com
- CVE-2019-15782
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Cross-Site Scripting in serialize-to-js - CVE-2019-16772
- SQL Injection and Cross-site Scripting in class-validator - CVE-2019-18413
- Cross-Site Scripting in min-http-server - CVE-2019-5457
- DOM-based cross-site scripting in Froala Editor - CVE-2019-19935
- Tags:
- npm
- webtorrent
Anything's wrong? Let us know Last updated on April 04, 2023