CVE-2018-12123
Severity
4.3MEDIUM
EPSS
4.6%
top 10.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedNov 28
Latest updateMay 13
Description
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4
Affected Packages3 packages
▶CVEListV5the_node.js_project/node.jsAll versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0
Patches
🔴Vulnerability Details
3📋Vendor Advisories
4Microsoft▶
Node.js: All versions prior to Node.js 6.15.0 8.14.0 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hos↗2018-11-13
Debian▶
CVE-2018-12123: nodejs - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostn...↗2018