{"id":"CVE-2017-18635","details":"An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.","aliases":["GHSA-49rv-g7w5-m8xx"],"modified":"2026-04-16T04:42:53.145272294Z","published":"2019-09-25T23:15:09.937Z","references":[{"type":"ADVISORY","url":"https://github.com/novnc/noVNC/releases/tag/v0.6.2"},{"type":"ADVISORY","url":"https://github.com/ShielderSec/cve-2017-18635"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/10/msg00004.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00024.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4522-1/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0754"},{"type":"REPORT","url":"https://bugs.launchpad.net/horizon/+bug/1656435"},{"type":"FIX","url":"https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534"},{"type":"FIX","url":"https://github.com/novnc/noVNC/issues/748"},{"type":"EVIDENCE","url":"https://www.shielder.it/blog/exploiting-an-old-novnc-xss-cve-2017-18635-in-openstack/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/novnc/novnc","events":[{"introduced":"0"},{"fixed":"e8986fa0692705fa890aed02e08b6844e535eb06"},{"fixed":"6048299a138e078aed210f163111698c8c526a13"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.6.2"}]}}],"versions":["v0.1","v0.2","v0.3","v0.4","v0.5","v0.5.1","v0.6.0","v0.6.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"13"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-18635.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}