Multiple vulnerabilities in Viewer.js
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | N/A |
| CWE-ID | CWE-79 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
Viewer.js Web applications / Modules and components for CMS |
| Vendor | Fengyuan Chen |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU23457
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to a lack of escaping on user inputted html entities, such as "alt", "src" and "url". A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsViewer.js: 0.1.0 - 1.3.5
External linkshttp://snyk.io/vuln/SNYK-JS-VIEWERJS-536441
http://github.com/fengyuanchen/viewerjs/issues/269
http://github.com/fengyuanchen/viewerjs/commit/00771b70dde5cd07745dda30c445961e2d3e4289
http://github.com/fengyuanchen/viewerjs/commit/ddd0c3d515dd1d8ea3e0323f486fab7d2cd5631f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Cross-site scripting
EUVDB-ID: #VU23459
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the "org.webjars:viewerjs" due to a lack of escaping on user inputted html entities, such as "alt", "src" and "url". A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsViewer.js: 0.1.0 - 1.3.5
External linkshttp://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-536476
http://github.com/fengyuanchen/viewerjs/commit/00771b70dde5cd07745dda30c445961e2d3e4289
http://github.com/fengyuanchen/viewerjs/commit/ddd0c3d515dd1d8ea3e0323f486fab7d2cd5631f
http://github.com/fengyuanchen/viewerjs/issues/269
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Cross-site scripting
EUVDB-ID: #VU23458
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the "org.webjars.npm:viewerjs" due to a lack of escaping on user inputted html entities, such as "alt", "src" and "url". A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsViewer.js: 0.1.0 - 1.3.5
External linkshttp://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-536477
http://github.com/fengyuanchen/viewerjs/commit/00771b70dde5cd07745dda30c445961e2d3e4289
http://github.com/fengyuanchen/viewerjs/commit/ddd0c3d515dd1d8ea3e0323f486fab7d2cd5631f
http://github.com/fengyuanchen/viewerjs/issues/269
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
