CVE-2019-15782
Cross-Site Scripting in webtorrent
6.1
MEDIUM
CVSS 3.1
EPSS 0.21%
Description
Versions of `webtorrent` prior to 0.107.6 are vulnerable to Cross-Site Scripting. `webtorrent` servers started with `torrent.createServer()` list a torrent's title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim's browser through files with names containing the malicious payload. The issue is mitigated by the fact that the server only allows fetching data pieces from the torrent.

Recommendation
Upgrade to version 0.107.6 or later.
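The unsanitized index listing described above next to an escaped version, as an added example that is not webtorrent's own code; the torrent object shape (`name`, `files[].name`, `files[].path`) and the `/<index>/<path>` route layout are assumptions.

```javascript
// Added example, not webtorrent's own code. A torrent index page built the way
// the advisory describes (title and file names interpolated verbatim) next to a
// version that escapes every untrusted value for the context it lands in.
// The torrent object shape and route layout below are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": torrent name and file names reach the page unescaped, so a file
// name that contains markup is rendered as markup (the CVE-2019-15782 bug).
function renderIndexUnsafe(torrent) {
  const items = torrent.files
    .map((f, i) => `<li><a href="/${i}/${f.path}">${f.name}</a></li>`)
    .join('');
  return `<h1>${torrent.name}</h1><ul>${items}</ul>`;
}

// "After": HTML-escape text and attribute values, percent-encode URL path segments.
function renderIndexSafe(torrent) {
  const items = torrent.files
    .map((f, i) => {
      const href = `/${i}/${f.path.split('/').map(encodeURIComponent).join('/')}`;
      return `<li><a href="${escapeHtml(href)}">${escapeHtml(f.name)}</a></li>`;
    })
    .join('');
  return `<h1>${escapeHtml(torrent.name)}</h1><ul>${items}</ul>`;
}

// Constructed sample torrent; the second file name carries a script tag.
const SAMPLE_TORRENT = {
  name: 'Sample <b>torrent</b>',
  files: [
    { name: 'readme.txt', path: 'docs/readme.txt' },
    { name: '<script>alert(1)</script>.txt', path: '<script>alert(1)</script>.txt' },
  ],
};

// Detection helper: true when the rendered page still contains a raw <script> tag.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}
```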
How to fix CVE-2019-15782
To fix CVE-2019-15782, upgrade the affected package to the patched version listed below.
- Upgrade to 0.107.6 or later
Is CVE-2019-15782 being exploited?
Low: the EPSS score is 0.2%, and no large-scale exploitation activity has been observed.
Affected packages (1)
- from 0, < 0.107.6
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |