GHSA-8p5p-ff7x-hw7q

Source
https://github.com/advisories/GHSA-8p5p-ff7x-hw7q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-8p5p-ff7x-hw7q/GHSA-8p5p-ff7x-hw7q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8p5p-ff7x-hw7q
Aliases
  • CVE-2018-3747
Published
2018-10-10T17:27:58Z
Modified
2023-11-08T04:00:18.656925Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-Site Scripting in public
Details

Versions of the npm package public prior to 0.1.4 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, so a file whose name contains malicious code can cause arbitrary JavaScript to execute in the victim's browser.

Recommendation

Upgrade to version 0.1.4 or later.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:26:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
}

Affected packages

npm / public

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.1.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-8p5p-ff7x-hw7q/GHSA-8p5p-ff7x-hw7q.json"