Severity: moderate

    Cross-Site Scripting

    verdaccio

    Overview

    Versions of verdaccio prior to 3.12.0 are vulnerable to Cross-Site Scripting. The web UI renders each package's homepage link without restricting the URL scheme to http or https, so a package whose metadata carries a homepage such as a javascript: URL can execute attacker-supplied script in the browser of any registry user who clicks the link.

    Remediation

    Upgrade to version 3.12.0 or later.


    Advisory timeline

    1. published

      Advisory Published
      May 27th, 2019
    2. reported

      Reported by Adam Baldwin
      May 1st, 2019