Description
Versions of webtorrent prior to 0.107.6 are vulnerable to Cross-Site Scripting. webtorrent servers started with torrent.createServer() lists a torrent’s title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim’s browser through files with names containing the malicious payload.
Recommendation
Update the webtorrent package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.107.6
- Patched version(s): 0.107.6
References
- GHSA-gjh4-fcv3-whpq
- snyk.io
- www.npmjs.com
- hackerone.com
- CVE-2019-15782
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- SQL Injection and Cross-site Scripting in class-validator - CVE-2019-18413
- Cross-Site Scripting in min-http-server - CVE-2019-5457
- Cross-site scripting in Swagger-UI - CVE-2019-17495
- DOM-based cross-site scripting in Froala Editor - CVE-2019-19935
You might also like:
- Tags:
- npm
- webtorrent
Anything's wrong? Let us know Last updated on April 04, 2023


