{"id":"CVE-2017-16018","details":"Restify is a framework for building REST APIs. Restify \u003e=2.0.0 \u003c=4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers.","aliases":["GHSA-qw3g-35hc-fcrh"],"modified":"2026-03-13T23:35:05.680844Z","published":"2018-06-04T19:29:01.147Z","references":[{"type":"REPORT","url":"https://github.com/restify/node-restify/issues/1018"},{"type":"EVIDENCE","url":"https://nodesecurity.io/advisories/314"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/restify/node-restify","events":[{"introduced":"7a010b38bbcedc2e5f68d2d4ad81471a55aa93f3"},{"last_affected":"c64489e6c7b274848817188ac2448a3efd51b1eb"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"last_affected":"4.0.4"}]}}],"versions":["3.0.0","3.0.2","v2.0.0","v2.0.1","v2.0.2","v2.0.4","v2.1.0","v2.1.1","v2.2.0","v2.2.1","v2.3.0","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.4.0","v2.4.1","v2.5.0","v2.6.1","v2.6.2","v2.6.3","v2.7.0","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v2.9.0","v3.0.1","v3.0.3","v4.0.0","v4.0.3","v4.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16018.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}