Versions of webtorrent
prior to 0.107.6 are vulnerable to Cross-Site Scripting. webtorrent
servers started with torrent.createServer()
lists a torrent’s title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim’s browser through files with names containing the malicious payload. The issue is mitigated due to the fact that the server only allows fetching data pieces from the torrent.
Upgrade to version 0.107.6 or later.
CPE | Name | Operator | Version |
---|---|---|---|
webtorrent | lt | 0.107.6 |
github.com/webtorrent/webtorrent/commit/7e829b5d52c32d2e6d8f5fbcf0f8f418fffde083
github.com/webtorrent/webtorrent/compare/v0.107.5...v0.107.6
github.com/webtorrent/webtorrent/pull/1714
hackerone.com/reports/681617
nvd.nist.gov/vuln/detail/CVE-2019-15782
snyk.io/vuln/SNYK-JS-WEBTORRENT-460351
www.npmjs.com/advisories/1158