CVE-2017-18635
Published: 25 September 2019
An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
Priority
Medium
CVSS 3 base score: 6.1
Status
| Package | Release | Status |
|---|---|---|
|
novnc Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
(code not present)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(code not present)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18635
- https://bugs.launchpad.net/horizon/+bug/1656435
- https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534
- https://github.com/novnc/noVNC/issues/748
- https://github.com/novnc/noVNC/releases/tag/v0.6.2
- https://usn.ubuntu.com/usn/usn-4522-1
- NVD
- Launchpad
- Debian