CVE-2019-15782 — Cross-Site Scripting in webtorrent

Description

Versions of `webtorrent` prior to 0.107.6 are vulnerable to Cross-Site Scripting. `webtorrent` servers started with `torrent.createServer()` lists a torrent's title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim's browser through files with names containing the malicious payload. The issue is mitigated due to the fact that the server only allows fetching data pieces from the torrent. ## Recommendation Upgrade to version 0.107.6 or later.

How to fix CVE-2019-15782

To remediate CVE-2019-15782, upgrade the affected package to a fixed version below.

—upgrade to 0.107.6 or later

Is CVE-2019-15782 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.107.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-15782
WEBgithub.com/webtorrent/webtorrent/commit/7e829b5d52c32d2e6d8f5fbcf0f8f418fffde083
WEBgithub.com/webtorrent/webtorrent/compare/v0.107.5...v0.107.6
WEBgithub.com/webtorrent/webtorrent/pull/1714