CVE-2017-18635

Published: 25 September 2019

An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package: novnc (Launchpad, Ubuntu, Debian)

Release                              Status
Upstream                             Needs triage
Ubuntu 20.10 (Groovy Gorilla)        Not vulnerable (code not present)
Ubuntu 20.04 LTS (Focal Fossa)       Not vulnerable (code not present)
Ubuntu 18.04 LTS (Bionic Beaver)     Needed
Ubuntu 16.04 LTS (Xenial Xerus)      Released (1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist