Description
An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
An XSS vulnerability was discovered in noVNC in which arbitrary HTML could be injected into the noVNC web page. An attacker having access to a VNC server could use target host values in a crafted URL to gain access to secure information (such as VM tokens).
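The rendering defect described above, reduced to a runnable illustration. This is an added example, not noVNC's code or Red Hat's: it parses the name-length/name-string tail of an RFB ServerInit message (RFC 6143, section 7.3.2), the field from which the VNC server name comes, then shows the vulnerable pattern (concatenating the name into markup that is assigned to innerHTML) next to two hardened forms. The MAX_NAME_LEN cap, the SAMPLE_NAME payload, the ServerInit bytes and all function names are constructed for this example.

```javascript
// Added example (not noVNC's code): how an untrusted VNC server name reaches
// the status field, and the difference between rendering it as HTML and as text.

// RFB ServerInit ends with name-length (U32, big-endian) followed by
// name-string (RFC 6143 section 7.3.2). Both are chosen by the remote server
// and must be treated as untrusted input.
const MAX_NAME_LEN = 1024; // local cap, assumed for this example, to bound allocation

function parseServerName(tail) {
  // tail: Uint8Array beginning at the name-length field
  if (tail.length < 4) throw new Error('short ServerInit');
  const view = new DataView(tail.buffer, tail.byteOffset, tail.byteLength);
  const len = view.getUint32(0, false);
  if (len > MAX_NAME_LEN) throw new Error('server name too long: ' + len);
  if (tail.length < 4 + len) throw new Error('truncated server name');
  // RFB names are Latin-1: decode byte for byte.
  let name = '';
  for (let i = 0; i < len; i++) name += String.fromCharCode(tail[4 + i]);
  return name;
}

// Constructed sample: a server announcing an HTML payload as its desktop name.
function constructedServerInitTail(name) {
  const bytes = new Uint8Array(4 + name.length);
  new DataView(bytes.buffer).setUint32(0, name.length, false);
  for (let i = 0; i < name.length; i++) bytes[4 + i] = name.charCodeAt(i) & 0xff;
  return bytes;
}
const SAMPLE_NAME = 'desk<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the name is concatenated into markup that is later
// assigned to innerHTML, so the server's tag becomes part of the page DOM.
function renderStatusUnsafe(serverName) {
  return '<span class="status">Connected to ' + serverName + '</span>';
}

// Hardened pattern 1: escape the HTML metacharacters before any concatenation.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderStatusSafe(serverName) {
  return '<span class="status">Connected to ' + escapeHtml(serverName) + '</span>';
}

// Hardened pattern 2 (preferred in a browser): build no markup at all; write the
// status through textContent so the browser treats it as data, not HTML.
function setStatusText(el, serverName) {
  el.textContent = 'Connected to ' + serverName;
  return el.textContent;
}

// Reviewer/test helper: count tags other than the wrapper we produced ourselves.
function countForeignTags(html) {
  const tags = html.match(/<[a-zA-Z/][^>]*>/g) || [];
  return tags.filter((t) => !/^<\/?span\b/.test(t)).length;
}

function demo() {
  const name = parseServerName(constructedServerInitTail(SAMPLE_NAME));
  return {
    name,
    unsafeTags: countForeignTags(renderStatusUnsafe(name)), // 1: the <img> survives
    safeTags: countForeignTags(renderStatusSafe(name)),     // 0: rendered as text
    text: setStatusText({ textContent: '' }, name),         // fake element stand-in
  };
}

console.log(demo());
```

The length check in parseServerName is the other half of the defence: the same server that controls the name's content also controls its declared length, so a parser should reject oversized or truncated names instead of trusting the header.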
Mitigation
There is no known mitigation for this issue; the flaw can only be resolved by applying updates.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat OpenStack Platform 10 (Newton) | novnc | Will not fix | | |
| Red Hat OpenStack Platform 14 (Rocky) | novnc | Fix deferred | | |
| Red Hat OpenStack Platform 15 (Stein) | novnc | Not affected | | |
| Red Hat OpenStack Platform 13.0 (Queens) | novnc | Fixed | RHSA-2020:0754 | 10.03.2020 |
| Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS | novnc | Fixed | RHSA-2020:0754 | 10.03.2020 |
| Red Hat Virtualization Engine 4.4 | novnc | Fixed | RHSA-2020:3247 | 04.08.2020 |
Additional information
Status:
CVSS3: 6.1 Medium