{"id":"USN-4522-1","summary":"novnc vulnerability","details":"It was discovered that noVNC did not properly handle certain messages,\nallowing a remote VNC server to inject arbitrary HTML into the\nnoVNC web page. An attacker could use this issue to conduct cross-site\nscripting (XSS) attacks. (CVE-2017-18635)\n","modified":"2026-02-10T04:41:55Z","published":"2020-09-21T18:50:17Z","related":["UBUNTU-CVE-2017-18635"],"upstream":["CVE-2017-18635","UBUNTU-CVE-2017-18635"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4522-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-18635"}],"affected":[{"package":{"name":"novnc","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/novnc@1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1"}]}],"versions":["1:0.4+dfsg+1+20131010+gitf68af8af3d-4"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1","binary_name":"novnc"},{"binary_version":"1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1","binary_name":"python-novnc"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4522-1.json","cves_map":{"ecosystem":"Ubuntu:16.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-18635"}]}}}],"schema_version":"1.7.3"}