CVE-2018-3748
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
There is a Stored XSS vulnerability in the glance node module versions <= 3.0.5. File name, which contains malicious HTML (eg. embedded iframe element or javascript: pseudo-protocol handler in <a> element) allows to execute JavaScript code against any user who opens a directory listing containing such crafted file name.
Existe una vulnerabilidad Cross-Site Scripting (XSS) persistente en el módulo glance node en versiones 3.0.5 y anteriores. El nombre de archivo, que contiene código HTML malicioso (por ejemplo, un elemento iframe o un manipulador de pseudoprotocolos javascript: en un elemento <a rel="nofollow">) permite que se ejecute código JavaScript contra cualquier usuario que abra un listado de directorios que contenga dicho nombre de archivo manipulado.</a>
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-12-28 CVE Reserved
- 2018-07-03 CVE Published
- 2024-04-02 EPSS Updated
- 2024-09-17 CVE Updated
- 2024-09-17 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
https://hackerone.com/reports/310133 | 2024-09-17 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Glance Project Search vendor "Glance Project" | Glance Search vendor "Glance Project" for product "Glance" | 3.0.5 Search vendor "Glance Project" for product "Glance" and version "3.0.5" | node.js |
Affected
|