An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-1946-1 novnc security update
Debian DLA Debian DLA DLA-2854-1 novnc security update
EUVD EUVD EUVD-2020-0588 An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
Github GHSA Github GHSA GHSA-49rv-g7w5-m8xx Cross-Site Scripting in @novnc/novnc
Ubuntu USN Ubuntu USN USN-4522-1 noVNC vulnerability
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-05T21:28:55.736Z

Reserved: 2019-09-25T00:00:00

Link: CVE-2017-18635

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-09-25T23:15:09.937

Modified: 2024-11-21T03:20:32.157

Link: CVE-2017-18635

cve-icon Redhat

Severity : Moderate

Publid Date: 2019-01-12T00:00:00Z

Links: CVE-2017-18635 - Bugzilla

cve-icon OpenCVE Enrichment

No data.