CVE-2017-18635 in Ubuntu

CVE-2017-18635

Priority

Description

An XSS vulnerability was discovered in noVNC before 0.6.2 in which the
remote VNC server could inject arbitrary HTML into the noVNC web page via
the messages propagated to the status field, such as the VNC server name.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18635
https://bugs.launchpad.net/horizon/+bug/1656435
https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534
https://github.com/novnc/noVNC/issues/748
https://github.com/novnc/noVNC/releases/tag/v0.6.2
https://ubuntu.com/security/notices/USN-4522-1

Notes

Package

Source: novnc (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	needed
Ubuntu 20.04 LTS:	not-affected (code not present)
Ubuntu 21.10:	not-affected (code not present)
Ubuntu 22.04 LTS:	not-affected (code not present)
Ubuntu 14.04 ESM:	DNE

Patches:

More Information

Mitre
NVD
Launchpad
Debian

Updated: 2022-04-25 00:20:16 UTC (commit ecc1009cb19540b950de59270950018900f37f15)