CVE-2017-18635 — Vulnetix

Try Vulnetix Request Demo

CVE-2017-18635 PUBLISHED

An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

EPSS 8.31% · 92.2th percentile

Risk Scores

EPSS Score

8.31%

92.2th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:18.04:LTS	novnc	0, 1:0.4+dfsg+1+20131010+gitf68af8af3d-6, 1:0.4+dfsg+1+20131010+gitf68af8af3d-7
Ubuntu:16.04:LTS	novnc	0, 1:0.4+dfsg+1+20131010+gitf68af8af3d-4

Timeline

Sep 25, 2019 CVE Published
Apr 14, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Aug 5, 2024 CVE Updated
Mar 19, 2025 EPSS Score
Mar 20, 2025 EPSS Score
Mar 28, 2025 EPSS Score
Mar 29, 2025 EPSS Score
Apr 6, 2025 EPSS Score
Apr 18, 2025 EPSS Score
May 30, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2017-18635 third-party-advisory
https://bugs.launchpad.net/horizon/+bug/1656435 third-party-advisory
https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534 third-party-advisory
https://github.com/novnc/noVNC/issues/748 third-party-advisory
https://github.com/novnc/noVNC/releases/tag/v0.6.2 third-party-advisory
https://ubuntu.com/security/notices/USN-4522-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2017-18635 third-party-advisory

Open in Interactive Console →