An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
| Link | Tags |
|---|---|
| https://github.com/novnc/noVNC/issues/748 | third party advisory patch |
| https://github.com/novnc/noVNC/releases/tag/v0.6.2 | third party advisory release notes |
| https://bugs.launchpad.net/horizon/+bug/1656435 | third party advisory issue tracking |
| https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534 | third party advisory patch |
| https://lists.debian.org/debian-lts-announce/2019/10/msg00004.html | third party advisory mailing list |
| https://www.shielder.it/blog/exploiting-an-old-novnc-xss-cve-2017-18635-in-openstack/ | third party advisory exploit |
| https://github.com/ShielderSec/cve-2017-18635 | third party advisory |
| https://access.redhat.com/errata/RHSA-2020:0754 | third party advisory vendor advisory |
| https://usn.ubuntu.com/4522-1/ | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2021/12/msg00024.html | third party advisory mailing list |