exploitDog

GHSA-gm29-35c7-8cfw

Опубликовано: 08 апр. 2019

Источник: github

Github: Прошло ревью

Описание

Cross-Site Scripting in buttle

All versions of buttle are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Ссылки

Пакеты

Наименование

buttle

npm

Затронутые версииВерсия исправления

<= 0.2.0

Отсутствует

EPSS

Процентиль: 50%

0.00266

Низкий

CVE ID

Дефекты

CWE-79

Связанные уязвимости

CVE-2019-5422

CVSS3: 6.1

nvd

почти 7 лет назад

XSS in buttle npm package version 0.2.0 causes execution of attacker-provided code in the victim's browser when an attacker creates an arbitrary file on the server.

EPSS

Процентиль: 50%

0.00266

Низкий

CVE ID

Дефекты

CWE-79