PT-2019-13824 · Verdaccio · Verdaccio

Evilpacket

Published

2019-05-29

Updated

2019-08-13

CVE-2019-14772

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions verdaccio versions prior to 3.12.0

Description The issue is a Cross-Site Scripting (XSS) vulnerability, where malicious packages with JavaScript content can be executed in the User Interface, potentially stealing user credentials.

Recommendations For versions prior to 3.12.0, upgrade to version 3.12.0 or later, or migrate to a major version 4.0.0 or later to fix the issue. At the moment, there is no workaround available without upgrading.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-14772

GHSA-78J5-GCMF-VQC8

Affected Products

Verdaccio

PT-2019-13824 · Verdaccio · Verdaccio

CVE-2019-14772

Weakness Enumeration

Related Identifiers

Affected Products

References · 7