CVE-2019-15782

Name of the Vulnerable Software and Affected Versions WebTorrent versions prior to 0.107.6

Description The issue allows for Cross-Site Scripting (XSS) in the HTTP server of WebTorrent. This occurs because webtorrent servers, started with torrent.createServer(), list a torrent's title and files in the index page without proper sanitization. As a result, attackers can execute arbitrary JavaScript in the victim's browser by using files with names that contain malicious payloads. However, the impact is somewhat mitigated since the server only allows fetching data pieces from the torrent.

Recommendations Upgrade to version 0.107.6 or later.