Cross-Site Scripting in @hapi/boom

Moderate severity • GitHub Reviewed • Published Sep 4, 2020 to the GitHub Advisory Database • Updated Oct 2, 2023

Package

@hapi/boom (npm)

Affected versions

< 0.3.8

Patched versions

0.3.8

Description

Versions of @hapi/boom prior to 0.3.8 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly escape error messages, which may allow attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 0.3.8 or later.

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 4, 2020
Last updated Oct 2, 2023

Severity

Moderate (6.5 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE ID

No known CVE

GHSA ID

GHSA-2ggq-vfcp-gwhj
