{ "schema_version": "1.4.0", "id": "GHSA-gjh4-fcv3-whpq", "modified": "2021-08-17T22:20:20Z", "published": "2019-09-04T10:02:50Z", "aliases": [ "CVE-2019-15782" ], "summary": "Cross-Site Scripting in webtorrent", "details": "Versions of `webtorrent` prior to 0.107.6 are vulnerable to Cross-Site Scripting. `webtorrent` servers started with `torrent.createServer()` lists a torrent's title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim's browser through files with names containing the malicious payload. The issue is mitigated due to the fact that the server only allows fetching data pieces from the torrent.\n\n\n## Recommendation\n\nUpgrade to version 0.107.6 or later.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "webtorrent" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.107.6" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15782" }, { "type": "WEB", "url": "https://github.com/webtorrent/webtorrent/pull/1714" }, { "type": "WEB", "url": "https://github.com/webtorrent/webtorrent/commit/7e829b5d52c32d2e6d8f5fbcf0f8f418fffde083" }, { "type": "WEB", "url": "https://hackerone.com/reports/681617" }, { "type": "WEB", "url": "https://github.com/webtorrent/webtorrent/compare/v0.107.5...v0.107.6" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-WEBTORRENT-460351" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1158" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2019-09-03T09:58:03Z", "nvd_published_at": null } }