Skip to content

Reflected Cross-Site Scripting in redis-commander

Low severity GitHub Reviewed Published Sep 1, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm redis-commander (npm)

Affected versions

>= 0.0.0, < 0.5.0

Patched versions

0.5.0

Description

Affected versions of redis-commander contain a cross-site scripting vulnerability in the highlighterId paramter of the clipboard.swf component on hosts serving Redis Commander.

Mitigating factors:
Flash must be installed / enabled for this to work. The below proof of concept was verified to work using Firefox 57.0 on Windows 10 by manually installing the Flash NPAPI Windows plugin

Proof of concept

http://instance/jstree/_docs/syntax/clipboard.swf?highlighterId=\%22))}%20catch(e)%20{alert(document.domain);}//

Recommendation

No direct patch for this vulnerability is currently available.

At this time, the best mitigation is to use an alternative, functionally equivalent package, or to use extreme caution when using redis-commander, ensuring that redis-commmander is the only web page you have open, and avoiding clicking on any links.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 1, 2020
Last updated Jan 9, 2023

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-8c8c-4vfj-rrpc

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.