PT-2019-8548 · Novnc+2

David Wyde · Published 2017-11-16 · Updated 2022-04-06 · CVE-2017-18635

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: noVNC versions prior to 0.6.2

Description: A Cross-Site Scripting (XSS) issue was discovered in noVNC, where a remote VNC server could inject arbitrary HTML into the noVNC web page via messages propagated to the status field, such as the VNC server name. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. The issue affects users of include/ui.js and users of vnc_auto.html and vnc.html.

Recommendations: Upgrade to version 0.6.2 or later. As a temporary workaround, consider restricting input from the remote VNC server to minimize the risk of exploitation. Avoid displaying the VNC server name variable in the affected noVNC web page until the issue is resolved.
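The description above boils down to one rendering decision: whether text received from the remote VNC server is written into the page as markup or as text. The following is an added example, not noVNC's own code; the function names and the `noVNC_status` element id are assumptions, and the rendering is simulated as string output so it runs without a browser.

```javascript
// Added example (not noVNC's code): the unsafe and the hardened way of
// showing a server-supplied status message, plus a check a test suite can
// use to catch the unsafe pattern. Function names and the element id are
// assumed, not taken from the project.

// Vulnerable pattern: server-controlled text is concatenated straight into
// HTML (the innerHTML route), so any markup in the server name is rendered.
function renderStatusUnsafe(serverName) {
  return '<div id="noVNC_status">Connected to ' + serverName + '</div>';
}

// Escape the characters that carry meaning in HTML text and attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the server name is treated as text, never as markup.
function renderStatusSafe(serverName) {
  return '<div id="noVNC_status">Connected to ' + escapeHtml(serverName) + '</div>';
}

// Equivalent browser-side fix: assign to textContent instead of innerHTML.
// Needs a real DOM element, so it is shown for reference and not exercised here.
function setStatus(element, serverName) {
  element.textContent = 'Connected to ' + serverName;
}

// Regression check: does the rendered markup contain any tag besides the
// wrapper div we emitted ourselves?
function containsInjectedTag(html) {
  const inner = html.replace(/^<div id="noVNC_status">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample: a server name carrying markup, as a hostile server could send.
const SAMPLE_NAME = 'desk-01 <b>hello</b>';

console.log(containsInjectedTag(renderStatusUnsafe(SAMPLE_NAME))); // true: markup survives
console.log(containsInjectedTag(renderStatusSafe(SAMPLE_NAME)));   // false: rendered as text
```

The same check applied to every place that writes server-originated strings (status field, desktop name, error messages) is the practical form of the "restrict input from the remote VNC server" advice.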

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related identifiers

ALT-PU-2017-2653
CVE-2017-18635
DLA-1946-1
DLA-2854-1
GHSA-49RV-G7W5-M8XX
MGASA-2020-0374
RHSA-2020:0754
RHSA-2020:3247
USN-4522-1

Affected products

Alt Linux
Ubuntu
Novnc