GHSA-8C8C-4VFJ-RRPC
Vulnerability from github – Published: 2020-09-01 19:05 – Updated: 2022-03-04 22:02
VLAI?
Summary
Reflected Cross-Site Scripting in redis-commander
Details
Affected versions of redis-commander contain a cross-site scripting vulnerability in the highlighterId paramter of the clipboard.swf component on hosts serving Redis Commander.
Mitigating factors: Flash must be installed / enabled for this to work. The below proof of concept was verified to work using Firefox 57.0 on Windows 10 by manually installing the Flash NPAPI Windows plugin
Proof of concept
http://instance/jstree/_docs/syntax/clipboard.swf?highlighterId=\%22))}%20catch(e)%20{alert(document.domain);}//
Recommendation
No direct patch for this vulnerability is currently available.
At this time, the best mitigation is to use an alternative, functionally equivalent package, or to use extreme caution when using redis-commander, ensuring that redis-commmander is the only web page you have open, and avoiding clicking on any links.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "redis-commander"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
},
{
"fixed": "0.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:27:52Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Affected versions of `redis-commander` contain a cross-site scripting vulnerability in the `highlighterId` paramter of the clipboard.swf component on hosts serving Redis Commander.\n\nMitigating factors:\nFlash must be installed / enabled for this to work. The below proof of concept was verified to work using Firefox 57.0 on Windows 10 by manually installing the [Flash NPAPI Windows plugin](https://get.adobe.com/flashplayer/otherversions/)\n\n## Proof of concept\n\n```\nhttp://instance/jstree/_docs/syntax/clipboard.swf?highlighterId=\\%22))}%20catch(e)%20{alert(document.domain);}//\n```\n\n\n## Recommendation\n\nNo direct patch for this vulnerability is currently available.\n\nAt this time, the best mitigation is to use an alternative, functionally equivalent package, or to use extreme caution when using redis-commander, ensuring that redis-commmander is the only web page you have open, and avoiding clicking on any links.",
"id": "GHSA-8c8c-4vfj-rrpc",
"modified": "2022-03-04T22:02:50Z",
"published": "2020-09-01T19:05:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/joeferner/redis-commander/commit/1a483ebb3a706cf199dd283cf0aead96606adb14"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/296377"
},
{
"type": "PACKAGE",
"url": "https://github.com/joeferner/redis-commander"
},
{
"type": "WEB",
"url": "https://github.com/joeferner/redis-commander/releases/tag/v0.5.0"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/562"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Reflected Cross-Site Scripting in redis-commander"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…