[NPM:GHSA-5H5V-HW44-F6GG] Oceanic allows unsanitized user input to lead to path traversal in URLs
Severity: Moderate
Affected Packages: 1
Fixed Packages: 1
CVEs: 1
Impact
Input to functions such as Client.rest.channels.removeBan is not URL-encoded before it is placed into the request path. Specially crafted input such as ../../../channels/{id} is therefore normalized into the URL /api/v10/channels/{id}, and the request deletes a channel rather than removing a ban.
Workarounds
- Sanitizing user input, ensuring strings are valid for the purpose they are being used for.
- Encoding input with encodeURIComponent before providing it to the library.
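The following is an added example, not Oceanic's own code. It reproduces the mechanism the Impact section describes (an unencoded path segment collapsing under the URL parser's dot-segment normalization) and shows both workarounds above in working form: validating the input before it reaches a route builder, and percent-encoding it with encodeURIComponent. The route layout mirrors the /api/v10/channels/{id} paths the advisory names; API_BASE, the helper names (unsafeBanRoute, encodedBanRoute, validatedBanRoute, resolvedPath) and the snowflake length check are this example's own assumptions.

```javascript
// Added example, not Oceanic's own code. Reproduces the advisory's mechanism
// (unencoded path segment + dot-segment normalization) and both workarounds.
// Route shape follows the Discord REST paths named in the advisory; API_BASE,
// the helper names and the snowflake check are this example's own assumptions.

const API_BASE = "https://discord.com"; // assumed base; only used to resolve paths
const API_PREFIX = "/api/v10";

// Discord IDs ("snowflakes") are decimal integer strings. The 17-20 digit bound
// is an assumed conservative check; it rejects any path-like input outright.
const SNOWFLAKE = /^\d{17,20}$/;

function isSnowflake(value) {
  return typeof value === "string" && SNOWFLAKE.test(value);
}

// Vulnerable shape: raw string interpolation, nothing encoded.
function unsafeBanRoute(channelID, userID) {
  return `${API_PREFIX}/channels/${channelID}/bans/${userID}`;
}

// Workaround 2: percent-encode each segment. "/" becomes "%2F", so the URL
// parser sees one opaque segment and never finds a ".." to collapse.
function encodedBanRoute(channelID, userID) {
  return `${API_PREFIX}/channels/${encodeURIComponent(channelID)}` +
    `/bans/${encodeURIComponent(userID)}`;
}

// Workaround 1: validate before building the route; anything that is not an
// ID is refused. Encoding is kept as defence in depth.
function validatedBanRoute(channelID, userID) {
  if (!isSnowflake(channelID)) throw new TypeError(`invalid channel ID: ${channelID}`);
  if (!isSnowflake(userID)) throw new TypeError(`invalid user ID: ${userID}`);
  return encodedBanRoute(channelID, userID);
}

// Resolve a route the way an HTTP client does: the WHATWG URL parser removes
// "." and ".." segments, which is the normalization step the advisory relies on.
function resolvedPath(route) {
  return new URL(route, API_BASE).pathname;
}

// Constructed sample inputs: a valid channel ID, a valid user ID, and the
// crafted user ID shape quoted in the advisory.
const CHANNEL = "123456789012345678";
const USER = "987654321098765432";
const CRAFTED_USER = "../../../channels/123456789012345678";

console.log("unencoded :", resolvedPath(unsafeBanRoute(CHANNEL, CRAFTED_USER)));
console.log("encoded   :", resolvedPath(encodedBanRoute(CHANNEL, CRAFTED_USER)));
console.log("valid     :", validatedBanRoute(CHANNEL, USER));
try {
  validatedBanRoute(CHANNEL, CRAFTED_USER);
} catch (err) {
  console.log("rejected  :", err.message);
}
```

The first line of output shows the unencoded route resolving to /api/v10/channels/{id}, exactly the collapse the advisory describes; the encoded route stays under /bans/ because the encoded segment is not a dot segment, and the validating builder refuses the input before any route is built. Validation is the stronger of the two controls for ID parameters, since a snowflake never legitimately contains anything but digits.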
References
OceanicJS/Oceanic@8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe
Package | Affected Version |
---|---|
pkg:npm/oceanic.js | < 1.10.4 |
Package | Fixed Version |
---|---|
pkg:npm/oceanic.js | = 1.10.4 |
- ID: NPM:GHSA-5H5V-HW44-F6GG
- Severity: moderate
- URL: https://github.com/advisories/GHSA-5h5v-hw44-f6gg
- Published: 2024-05-14T20:13:58
- Modified: 2024-05-14T20:14:00
- Rights: NPM Security Team
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:npm/oceanic.js | | oceanic.js | < 1.10.4 | | | |
Fixed | pkg:npm/oceanic.js | | oceanic.js | = 1.10.4 | | | |