
exploitDog


CVE-2020-8823

Published: 08 Feb 2020
Source: redhat
CVSS3: 6.1
EPSS: Low

Description

htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulnerable to Reflected XSS via the /htmlfile c (aka callback) parameter.

A cross-site scripting (XSS) vulnerability was found in the Node.js library sockjs. An attacker could use this vulnerability to supply a query string containing script tags, which could trick a victim into executing specially crafted JavaScript code.
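The Bugzilla title for this defect says the htmlfile function did not check for non-alphanumeric symbols in the callback parameter before reflecting it into the response. The following is an added example, not SockJS's own code, showing the unchecked interpolation beside an allow-list check a maintainer would add in front of it. The exact pattern (`[a-zA-Z0-9_.]`), the 64-character cap, the function names and the sample inputs are all assumptions constructed for illustration.

```javascript
// Added example, not SockJS's own code: allow-list validation of the
// htmlfile transport's "c" (callback) parameter before it is interpolated
// into the HTML response. The page states only that the original function
// did not check for non-alphanumeric symbols; the pattern and length cap
// below are assumptions chosen for illustration.
const CALLBACK_RE = /^[a-zA-Z0-9_.]+$/;
const MAX_CALLBACK_LEN = 64;

// Returns true only for a callback name that is safe to embed verbatim:
// dotted identifier characters only, non-empty, bounded length.
function isValidCallback(c) {
  return typeof c === 'string'
    && c.length > 0
    && c.length <= MAX_CALLBACK_LEN
    && CALLBACK_RE.test(c);
}

// Simplified stand-in for the htmlfile response body (constructed).
// Unsafe version: the parameter is interpolated without any check, which is
// the kind of defect the advisory describes (user input reflected into HTML).
function buildHtmlfileBodyUnsafe(callback) {
  return `<!doctype html><html><head><script>var c = parent.${callback};</script></head><body></body></html>`;
}

// Hardened version: anything outside the allow-list is rejected, so the
// response never carries attacker-controlled markup. Returns null on
// rejection; a real handler would answer with an error status instead.
function buildHtmlfileBody(callback) {
  if (!isValidCallback(callback)) {
    return null;
  }
  return buildHtmlfileBodyUnsafe(callback);
}

// Summarise, for a list of constructed inputs, which ones the check accepts
// and whether the hardened builder produced a body for them.
function classify(inputs) {
  return inputs.map((c) => ({
    input: c,
    accepted: isValidCallback(c),
    hardenedBody: buildHtmlfileBody(c) !== null,
  }));
}

// Constructed sample inputs: two legitimate callback names, then values that
// an allow-list must reject (empty, quote, space, semicolon, over-long).
const SAMPLE_CALLBACKS = ['cb', 'app.onMessage', '', 'cb"x', 'a b', 'x;y', 'a'.repeat(65)];

console.log(JSON.stringify(classify(SAMPLE_CALLBACKS), null, 2));
```

Only the first two sample values pass; every other value is refused before it can reach the response body, which is the property a reflected-XSS fix for a callback parameter has to guarantee.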

Affected packages

Platform | Package | State | Recommendation | Release
Distributed Tracing Jaeger 1 | jaeger | Not affected | |
OpenShift Service Mesh 1 | jaeger | Not affected | |
OpenShift Service Mesh 1 | kiali | Not affected | |
OpenShift Service Mesh 1 | servicemesh-grafana | Not affected | |
Red Hat OpenShift Application Runtimes | vertx-sockjs-service-proxy | Not affected | |


Additional information

Status:

Moderate
Defect:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1813969
sockJS: function htmlfile is not checking the non-alphanumeric symbols which could result in reflected XSS

EPSS

Percentile: 73%
0.00757
Low

6.1 Medium

CVSS3

Related vulnerabilities

CVSS3: 6.1
nvd
almost 6 years ago

htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulnerable to Reflected XSS via the /htmlfile c (aka callback) parameter.

CVSS3: 6.1
github
almost 5 years ago

Cross-site scripting in SocksJS-node
