{"id":"UBUNTU-CVE-2017-18635","details":"An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.","modified":"2026-01-30T01:49:51.486063Z","published":"2019-09-25T23:15:00Z","related":["USN-4522-1"],"upstream":["CVE-2017-18635"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-18635"},{"type":"REPORT","url":"https://bugs.launchpad.net/horizon/+bug/1656435"},{"type":"REPORT","url":"https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534"},{"type":"REPORT","url":"https://github.com/novnc/noVNC/issues/748"},{"type":"REPORT","url":"https://github.com/novnc/noVNC/releases/tag/v0.6.2"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4522-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2017-18635"}],"affected":[{"package":{"name":"novnc","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/novnc@1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1"}]}],"versions":["1:0.4+dfsg+1+20131010+gitf68af8af3d-4"],"ecosystem_specific":{"binaries":[{"binary_version":"1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1","binary_name":"novnc"},{"binary_version":"1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1","binary_name":"python-novnc"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-18635.json"}},{"package":{"name":"novnc","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/novnc@1:0.4+dfsg+1+20131010+gitf68af8af3d-7?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:0.4+dfsg+1+20131010+gitf68af8af3d-6","1:0.4+dfsg+1+20131010+gitf68af8af3d-7"],"ecosystem_specific":{"binaries":[{"binary_version":"1:0.4+dfsg+1+20131010+gitf68af8af3d-7","binary_name":"novnc"},{"binary_version":"1:0.4+dfsg+1+20131010+gitf68af8af3d-7","binary_name":"python-novnc"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-18635.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}