GHSA-xw79-hhv6-578c

Опубликовано: 11 сент. 2020

Источник: github

Github: Прошло ревью

Описание

Cross-Site Scripting in serve

Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting (XSS). The package does not encode output, allowing attackers to execute arbitrary JavaScript in the victim's browser if user-supplied input is rendered.

Recommendation

Upgrade to version 10.0.2 or later.

Ссылки

https://github.com/zeit/serve-handler/commit/65b4d4183a31a8076c78c40118acb0ca1b64f620
https://hackerone.com/reports/358641
https://hackerone.com/reports/398285
https://www.npmjs.com/advisories/971

Пакеты

Наименование

serve

npm

Затронутые версииВерсия исправления

< 10.0.2

10.0.2

Дефекты

CWE-79

Дефекты

CWE-79