[Fixed] XSS Vulnerability in noVNC #748

Closed
@DirectXMan12

An XSS vulnerability was discovered in noVNC in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

This affects users of vnc_auto.html and vnc.html, as well as any users of include/ui.js.

Thanks to David Wyde of Cisco for reporting the issue.

This was fixed in noVNC v0.6.2, as well as 6048299.
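
The pattern described above, as an added example that is not part of the original issue and is not noVNC's code: a server-supplied desktop name is read from an RFB ServerInit message and placed into a status line, once as raw markup and once escaped. The function names, the status markup and the sample server name are assumptions made for illustration.

```javascript
// Added example: a server-controlled RFB desktop name flowing into a status line.
// All function names and the status markup are hypothetical, not noVNC's code.

// Parse the desktop name from an RFB ServerInit message (RFC 6143, section 7.3.2).
// Layout: width(2) height(2) pixel-format(16) name-length(4) name-string(n)
function parseServerName(buf) {
  if (buf.length < 24) throw new Error("ServerInit too short");
  const len = buf.readUInt32BE(20);
  if (buf.length < 24 + len) throw new Error("ServerInit name truncated");
  return buf.toString("utf8", 24, 24 + len);
}

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the remote server's string is treated as markup.
function statusHtmlUnsafe(name) {
  return '<div id="status">Connected to: ' + name + "</div>";
}

// Hardened pattern: the remote server's string is treated as text only.
function statusHtmlSafe(name) {
  return '<div id="status">Connected to: ' + escapeHtml(name) + "</div>";
}

// Constructed sample input: a ServerInit message carrying the given desktop name.
function buildServerInit(name) {
  const nameBytes = Buffer.from(name, "utf8");
  const head = Buffer.alloc(24); // pixel format left zeroed; irrelevant here
  head.writeUInt16BE(800, 0);
  head.writeUInt16BE(600, 2);
  head.writeUInt32BE(nameBytes.length, 20);
  return Buffer.concat([head, nameBytes]);
}

const sampleName = parseServerName(buildServerInit("<b>injected</b> desk"));
console.log(statusHtmlUnsafe(sampleName)); // markup from the server survives
console.log(statusHtmlSafe(sampleName));   // markup is rendered inert
```

In a browser, assigning the value through `textContent` rather than `innerHTML` gives the same result without manual escaping.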
