An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name. Reference: https://github.com/novnc/noVNC/issues/748 Upstream commit: https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534
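The root cause described above is a classic rendering mistake: text that the remote VNC server controls (here the server name) was placed into the page's status element as markup rather than as text. The example below is added here for illustration and is not noVNC's code or the upstream fix; the function names, the "Connected to" status template and the hostile server name are constructed. It renders the same status line in the vulnerable way (raw concatenation into HTML, the string-level equivalent of assigning innerHTML) and in the hardened way (escaped, the equivalent of assigning textContent), and includes a small check a reviewer could use to tell the two outputs apart.

```javascript
// Added example, not noVNC's code. Demonstrates why a server-controlled string
// (the VNC server name from the handshake) must be rendered as text, not HTML.

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (constructed): the server name is concatenated straight
// into markup, so any tags it contains become part of the page. In a browser
// this is what `statusEl.innerHTML = 'Connected to ' + serverName` does.
function renderStatusUnsafe(serverName) {
  return '<div id="noVNC_status">Connected to ' + serverName + '</div>';
}

// Hardened pattern (constructed): identical template, but the untrusted value
// is escaped first. In a browser the equivalent is `statusEl.textContent = ...`.
function renderStatusSafe(serverName) {
  return '<div id="noVNC_status">Connected to ' + escapeHtml(serverName) + '</div>';
}

// Reviewer's check: does the rendered status contain any tag other than the
// single <div> wrapper the template itself emits?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?div\b/.test(t));
}

// Constructed sample: a server name carrying markup, as a hostile VNC server
// could send in its ServerInit name field.
const HOSTILE_NAME = 'srv<img src=x onerror="alert(1)">';

function demo() {
  const unsafe = renderStatusUnsafe(HOSTILE_NAME);
  const safe = renderStatusSafe(HOSTILE_NAME);
  console.log('unsafe:', unsafe, '-> injected tag:', containsInjectedTag(unsafe));
  console.log('safe:  ', safe, '-> injected tag:', containsInjectedTag(safe));
  return { unsafe, safe };
}

demo();
```

Run with `node` to see both renderings side by side; the only difference between the two functions is the escaping step, which is exactly the kind of one-line omission that turns a status message into an injection point.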
Created novnc tracking bugs for this issue:
Affects: epel-all [bug 1765662]
Affects: fedora-all [bug 1765661]
Affects: openstack-rdo [bug 1765663]
External References: https://github.com/novnc/noVNC/releases/tag/v0.6.2
Mitigation: There is no known mitigation for this issue; the flaw can only be resolved by applying updates.
This issue has been addressed in the following products:
Red Hat OpenStack Platform 13.0 (Queens)
Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS
Via RHSA-2020:0754 https://access.redhat.com/errata/RHSA-2020:0754
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-18635
This issue has been addressed in the following products:
Red Hat Virtualization Engine 4.4
Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247