CVE-2017-16043
HTML Injection in shout
EPSS 0.26%
Description
Affected versions of `shout` do not escape the `/topic` command in messages, and are therefore vulnerable to cross-site scripting.
Recommendation
Update to version 0.50.0 or later.
How to fix CVE-2017-16043
To remediate CVE-2017-16043, upgrade the affected package to a fixed version below.
- npm/shout: upgrade to 0.50.0 or later
Is CVE-2017-16043 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/shout: >= 0.44.0, < 0.50.0