CVE-2019-14772

Description

### Impact What kind of vulnerability is it? Who is impacted? Cross-Site Scripting XSS, malicious packages with content Javascript that might be executed in the User Interface stealing user credentials. ### Patches Has the problem been patched? What versions should users upgrade to? Users that still using `v3` must upgrade to **>3.12.0** or those have no problem to migrate to a major version **>=4.0.0** also fix the issue. ### Workarounds Is there a way for users to fix or remediate the vulnerability without upgrading? No, the users must update. ### References Are there any links users can visit to find out more? https://www.npmjs.com/advisories/832 https://www.npmjs.com/advisories/833 The issue was reported by the NPMJS Security Team ### For more information If you have any questions or comments about this advisory: * Read the Security Policy to find the ways to be in contact with us.

How to fix CVE-2019-14772

To remediate CVE-2019-14772, upgrade the affected package to a fixed version below.

• —upgrade to 3.12.0 or later

Is CVE-2019-14772 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 3.12.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-14772
• PATCHgithub.com/verdaccio/verdaccio
• WEBgithub.com/verdaccio/verdaccio/security/advisories/GHSA-78j5-gcmf-vqc8
• WEBwww.npmjs.com/advisories/832
• WEB