GHSA-26q7-g57v-mxcp

Опубликовано: 07 нояб. 2018

Источник: github

Github: Прошло ревью

Описание

HTML Injection in shout

Affected versions of shout do not escape the /topic command in messages, and are therefore vulnerable to cross-site scripting.

Recommendation

Update to version 0.50.0 or later.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2017-16043
https://github.com/erming/shout/pull/344
https://github.com/advisories/GHSA-26q7-g57v-mxcp
https://www.npmjs.com/advisories/322

Пакеты

Наименование

shout

npm

Затронутые версииВерсия исправления

>= 0.44.0, <= 0.49.3

0.50.0

EPSS

Процентиль: 49%

0.00259

Низкий

CVE ID

CVE-2017-16043

Дефекты

CWE-80

Связанные уязвимости

CVE-2017-16043

CVSS3: 6.1

nvd

около 7 лет назад

Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3.

EPSS

Процентиль: 49%

0.00259

Низкий

CVE ID

CVE-2017-16043

Дефекты

CWE-80