CVE-2018-3717: Cross-site Scripting in Connect

CWE-79: Cross-site Scripting | 10 documents | 7 sources
Severity: 5.4 MEDIUM (NVD)
EPSS: 0.3% (top 43.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 7
Latest update: Jul 26

Description

connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (4 packages)

CVEListV5 | hackerone/connect_node_module | Versions before 2.14.0
Debian | node-connect/node-connect | < 3.0.0-1+3
npm | adobe/connect | < 2.14.0
NVD | sencha/connect | < 2.14.0

Patches

Vulnerability Details (4)

GHSA: Cross-Site Scripting in connect (2018-07-26)
OSV: Cross-Site Scripting in connect (2018-07-26)
OSV: CVE-2018-3717: connect node module before 2 (2018-06-07)
CVEList: CVE-2018-3717: connect node module before 2 (2018-06-07)

Vendor Advisories (2)

Red Hat: nodejs-connect: XSS due to a lack of validation of file in directory.js middleware (2018-06-07)
Debian: CVE-2018-3717: node-connect - connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vuln... (2018)

Community (3)

Bugzilla: CVE-2018-3717 nodejs-connect: XSS due to a lack of validation of file in directory.js middleware [fedora-all] (2018-06-07)
Bugzilla: CVE-2018-3717 nodejs-connect: XSS due to a lack of validation of file in directory.js middleware [epel-6] (2018-06-07)
Bugzilla: CVE-2018-3717 nodejs-connect: XSS due to a lack of validation of file in directory.js middleware (2018-06-07)
CVE-2018-3717 — Cross-site Scripting in Sencha Connect | cvebase