Description
Cross-Site Scripting in public
Versions of public prior to 0.1.4 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code.
Recommendation
Upgrade to version 0.1.4 or later.
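The class of bug described above, shown as a vulnerable pattern beside a hardened one. This is an added example, not code from the public package or its maintainers; the function names, the listing markup and the sample file names are assumptions constructed for illustration.

```javascript
// Added example: a hypothetical file-listing renderer, NOT the `public`
// package's own code. It shows why an unsanitized file name is an XSS sink.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Vulnerable pattern: the file name is concatenated into markup unchanged,
// so a name containing HTML is parsed by the browser as HTML.
function renderListingUnsafe(names) {
  return '<ul>' + names.map((n) => `<li><a href="${n}">${n}</a></li>`).join('') + '</ul>';
}

// Hardened pattern: percent-encode the name for the URL, then HTML-escape
// every value at the point where it enters the markup.
function renderListingSafe(names) {
  return '<ul>' + names.map((n) => {
    const href = escapeHtml('./' + encodeURIComponent(n));
    return `<li><a href="${href}">${escapeHtml(n)}</a></li>`;
  }).join('') + '</ul>';
}

// Constructed sample file names (not taken from the advisory).
const sampleNames = ['report.pdf', '<img src=x onerror=alert(1)>.txt', 'a"b&c.txt'];

console.log(renderListingUnsafe(sampleNames)); // markup contains a live <img> element
console.log(renderListingSafe(sampleNames));   // the same name is rendered as inert text
```
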
Packages
Name: public (npm)
Affected versions: < 0.1.4
Fixed version: 0.1.4
Related vulnerabilities
CVSS3: 6.1
nvd
more than 7 years ago
The public node module versions <= 1.0.3 allow embedding HTML in file names, which (in certain conditions) might lead to the execution of malicious JavaScript.