Description
Versions of webtorrent prior to 0.107.6 are vulnerable to Cross-Site Scripting. webtorrent servers started with torrent.createServer() list a torrent’s title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim’s browser through files with names containing the malicious payload.
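The pattern described above, shown as an added example that is not webtorrent's own code: a hypothetical index-page renderer that concatenates torrent-controlled names into markup, next to a version that escapes them at output time. The function names and the sample torrent metadata are assumptions constructed for illustration.

```javascript
// Added example: hypothetical index-page renderer, not webtorrent's code.

// Escape the five characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the torrent title and file names come from torrent
// metadata (attacker-controlled) and are placed into the page as-is.
function renderIndexUnsafe(torrent) {
  const items = torrent.files
    .map((f, i) => `<li><a href="/${i}">${f.name}</a></li>`)
    .join('');
  return `<h1>${torrent.name}</h1><ol>${items}</ol>`;
}

// Hardened pattern: every torrent-controlled string is escaped where it is
// written into HTML, so the browser treats it as text, not markup.
function renderIndexSafe(torrent) {
  const items = torrent.files
    .map((f, i) => `<li><a href="/${i}">${escapeHtml(f.name)}</a></li>`)
    .join('');
  return `<h1>${escapeHtml(torrent.name)}</h1><ol>${items}</ol>`;
}

// Constructed sample metadata (not taken from any real torrent).
const sampleTorrent = {
  name: 'Holiday "clips" & <b>more</b>',
  files: [
    { name: 'intro.mp4' },
    { name: '<img src=x onerror=alert(1)>.mp4' },
  ],
};

console.log('unsafe:', renderIndexUnsafe(sampleTorrent));
console.log('safe:  ', renderIndexSafe(sampleTorrent));
```
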
Recommendation
Update the webtorrent package to the latest compatible version. Version details:
- Affected version(s): < 0.107.6
- Patched version(s): 0.107.6
References
- GHSA-gjh4-fcv3-whpq
- snyk.io
- www.npmjs.com
- hackerone.com
- CVE-2019-15782
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- DOMpurify has a nesting-based mXSS - CVE-2024-47875
- Path Traversal in simplehttpserver - CVE-2018-16478
- Cross-Site Scripting in html-pages - CVE-2018-16481
- Path Traversal in http-server-node - CVE-2021-23797
- Tags:
- npm
- webtorrent
Last updated on April 04, 2023