GHSA-8c8c-4vfj-rrpc

Source
https://github.com/advisories/GHSA-8c8c-4vfj-rrpc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8c8c-4vfj-rrpc/GHSA-8c8c-4vfj-rrpc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8c8c-4vfj-rrpc
Published
2020-09-01T19:05:11Z
Modified
2022-03-04T22:02:50Z
Summary
Reflected Cross-Site Scripting in redis-commander
Details

Affected versions of redis-commander contain a reflected cross-site scripting vulnerability in the highlighterId parameter of the clipboard.swf component on hosts serving Redis Commander.

Mitigating factors: Flash must be installed and enabled in the victim's browser for this to work. The proof of concept below was verified to work using Firefox 57.0 on Windows 10 with the Flash NPAPI Windows plugin installed manually.

Proof of concept

http://instance/jstree/_docs/syntax/clipboard.swf?highlighterId=\%22))}%20catch(e)%20{alert(document.domain);}//

Recommendation

No direct patch for this vulnerability is currently available.

At this time, the best mitigation is to use an alternative, functionally equivalent package, or to use extreme caution when using redis-commander: ensure that redis-commander is the only web page you have open, and avoid clicking on any links.

Database specific
{
    "github_reviewed_at": "2020-08-31T18:27:52Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": null,
    "severity": "LOW"
}
References

Affected packages

Package: npm / redis-commander

Affected ranges (type SEMVER):
- Introduced: 0.0.0
- Fixed: 0.5.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8c8c-4vfj-rrpc/GHSA-8c8c-4vfj-rrpc.json"