Bug 1152255 (CVE-2017-18635)

Summary: VUL-0: CVE-2017-18635: novnc: XSS vulnerability via malicious VNC server which could inject arbitrary HTML into the noVNC web page
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: kberger, security-team, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/243315/
Whiteboard: CVSSv3:SUSE:CVE-2017-18635:5.4:(AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Keith Berger 2020-06-02 15:01:17 UTC
This does not apply to SOC 9/8/7 as they are all using version 1.0 or newer.

https://build.suse.de/package/show/Devel:Cloud:9/novnc
https://build.suse.de/package/show/Devel:Cloud:8/novnc
https://build.suse.de/package/show/Devel:Cloud:7/novnc

Security, please verify and close.

Comment 2 Marcus Meissner 2020-06-19 09:38:31 UTC
confirmed, closing