USN-4522-1: noVNC vulnerability

21 September 2020

noVNC could be made to execute arbitrary code.

Releases

Packages

  • novnc - HTML5 VNC client - daemon and programs

Details

It was discovered that noVNC did not properly manage certain messages,
resulting in the remote VNC server injecting arbitrary HTML into the
noVNC web page. An attacker could use this issue to conduct cross-site
scripting (XSS) attacks. (CVE-2017-18635)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04

In general, a standard system update will make all the necessary changes.

References