There is a Stored XSS vulnerability in the glance node module versions <= 3.0.5. File name, which contains malicious HTML (eg. embedded iframe element or javascript: pseudo-protocol handler in <a> element) allows to execute JavaScript code against any user who opens a directory listing containing such crafted file name.
References
| Link | Resource |
|---|---|
| https://hackerone.com/reports/310133 | Exploit Third Party Advisory |
| https://hackerone.com/reports/310133 | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 04:06
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://hackerone.com/reports/310133 - Exploit, Third Party Advisory |
Information
Published : 2018-07-03 21:29
Updated : 2024-11-21 04:06
NVD link : CVE-2018-3748
Mitre link : CVE-2018-3748
CVE.ORG link : CVE-2018-3748
JSON object : View
Products Affected
glance_project
- glance
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')