exploitDog
GHSA-gjh4-fcv3-whpq

Published: 04 Sep 2019
Source: github
GitHub: Reviewed
CVSS3: 6.1

Description

Cross-Site Scripting in webtorrent

Versions of webtorrent prior to 0.107.6 are vulnerable to Cross-Site Scripting. webtorrent servers started with torrent.createServer() list a torrent's title and file names on the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim's browser through files whose names contain the malicious payload. The issue is mitigated by the fact that the server only allows fetching data pieces from the torrent.

Recommendation

Upgrade to version 0.107.6 or later.
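The pattern the advisory describes is an index page built by interpolating the torrent title and file names straight into HTML. The following is an added example written for this page, not webtorrent's own server code: it shows that unsafe shape beside an escaped version, and a simple check that flags raw markup from untrusted values surviving into the output. The torrent object shape (`name`, `files[].name`) and the hostile file name are constructed for illustration and are assumptions, not values from the advisory.

```javascript
// Added example (not webtorrent's code). Demonstrates why unescaped
// torrent titles/file names on an index page lead to CWE-79, and the fix.

// Minimal HTML escaper for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: untrusted strings are dropped into the page as-is.
function renderIndexUnsafe(torrent) {
  const items = torrent.files
    .map((f, i) => `<li><a href="/${i}/${f.name}">${f.name}</a></li>`)
    .join('');
  return `<h1>${torrent.name}</h1><ul>${items}</ul>`;
}

// Hardened shape: escape every untrusted value in text and attribute
// context, and percent-encode the file name where it becomes a URL path.
function renderIndexSafe(torrent) {
  const items = torrent.files
    .map((f, i) => {
      const href = `/${i}/${encodeURIComponent(f.name)}`;
      return `<li><a href="${escapeHtml(href)}">${escapeHtml(f.name)}</a></li>`;
    })
    .join('');
  return `<h1>${escapeHtml(torrent.name)}</h1><ul>${items}</ul>`;
}

// All values on the page that originate from the torrent (attacker-controlled).
function untrustedValues(torrent) {
  return [torrent.name, ...torrent.files.map((f) => f.name)];
}

// Review check: does any untrusted value containing '<' or '>' appear
// verbatim in the rendered HTML? True means markup was not neutralised.
function containsRawMarkup(html, values) {
  return values.some((v) => /[<>]/.test(v) && html.includes(v));
}

// Constructed sample torrent (assumption for this example, not real data).
const sampleTorrent = {
  name: 'Sample <b>album</b>',
  files: [
    { name: 'track01.mp3' },
    { name: '<script>alert(1)</script>.mp3' } // constructed hostile file name
  ]
};

// Stand-alone usage: shows the difference between the two renderers.
console.log('unsafe :', renderIndexUnsafe(sampleTorrent));
console.log('safe   :', renderIndexSafe(sampleTorrent));
console.log('raw markup survives (unsafe):',
  containsRawMarkup(renderIndexUnsafe(sampleTorrent), untrustedValues(sampleTorrent)));
console.log('raw markup survives (safe)  :',
  containsRawMarkup(renderIndexSafe(sampleTorrent), untrustedValues(sampleTorrent)));
```

Escaping at the point of output is the fix that matters; rejecting "suspicious" file names at ingest is not a substitute, because any character set allowed in a file name can still be meaningful in HTML or attribute context. The `containsRawMarkup` check is a cheap regression test to keep beside a templating change like this one.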

Packages

Name: webtorrent (npm)
Affected versions: < 0.107.6
Fixed version: 0.107.6

EPSS

Percentile: 43%
0.00208
Low

6.1 Medium

CVSS3

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.1
nvd
more than 6 years ago

WebTorrent before 0.107.6 allows XSS in the HTTP server via a title or file name.

EPSS

Percentile: 43%
0.00208
Low

6.1 Medium

CVSS3

Weaknesses

CWE-79