GHSA-cpgr-wmr9-qxv4

Опубликовано: 11 сент. 2020

Источник: github

Github: Прошло ревью

Описание

Cross-Site Scripting in serve

Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code.

Recommendation

Upgrade to version 10.0.2 or later.

Ссылки

https://hackerone.com/reports/398285
https://www.npmjs.com/advisories/992

Пакеты

Наименование

serve

npm

Затронутые версииВерсия исправления

< 10.0.2

10.0.2

Дефекты

CWE-79

Дефекты

CWE-79