
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and Improper Encoding or Escaping of Output in frontend/server/server.js

Moderate
TekMonksGitHub published GHSA-hcpx-66hq-7g4x Jul 31, 2021

Package

frontend/server/server.js (Frontend HTTP Server)

Affected versions

2.90

Patched versions

2.95

Description

Impact

Reflected cross-site scripting vulnerability in the frontend HTTP server. The attacker can send a carefully crafted URL and, together with a known bug in the server that causes a 500 error, obtain a response that embeds the URL the attacker provided.

The impact is moderate because the attacker must also be able to craft an HTTP request that causes a 500 server error. No such requests are known at this point.
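The pattern described above (a 500 response that echoes the request URL), shown as an added example next to an output-encoded form. This is not code from the Monkshu project; it assumes the error body is HTML, and every function name in it is hypothetical.

```javascript
// Added illustration; NOT the Monkshu frontend server's code.
// All function names here are hypothetical.

// Encode the five characters that are significant in HTML text and
// quoted attribute values (CWE-116: encode output for its context).
function escapeHtml(text) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// 'Before' form: the request URL is copied into the error page verbatim,
// so markup in the URL becomes markup in the response (CWE-79).
function errorPageUnsafe(url) {
  return `<html><body><h1>500 Internal Server Error</h1><p>URL: ${url}</p></body></html>`;
}

// Hardened form: same page, but the URL is HTML-encoded first.
function errorPageSafe(url) {
  return `<html><body><h1>500 Internal Server Error</h1><p>URL: ${escapeHtml(url)}</p></body></html>`;
}

// Headers that keep an error body from being treated as active content
// even if an encoding step is missed somewhere else.
function errorHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'",
  };
}

// Wiring into a Node http-style handler: any exception thrown while
// serving the request yields the hardened page.
function handle(req, res, serve) {
  try {
    serve(req, res);
  } catch (err) {
    res.writeHead(500, errorHeaders());
    res.end(errorPageSafe(req.url));
  }
}

// Constructed sample URL containing markup.
const sampleUrl = '/index.html?q="><script>alert(1)</script>';
console.log(errorPageUnsafe(sampleUrl));
console.log(errorPageSafe(sampleUrl));
```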

Patches

Anyone on Version 2.90 must upgrade to Version 2.95.
Link to the release -> https://github.com/TekMonksGitHub/monkshu/releases/tag/v2.95

Workarounds

Use disk caching plugin

References

Common Weakness Enumeration: CWE-79. https://cwe.mitre.org/data/definitions/79.html
Common Weakness Enumeration: CWE-116. https://cwe.mitre.org/data/definitions/116.html

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-32812