[NPM:GHSA-5H5V-HW44-F6GG] Oceanic allows unsanitized user input to lead to path traversal in URLs
Severity
Moderate
Affected Packages
1
Fixed Packages
1
CVEs
1
Impact
Input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the url /api/v10/channels/{id}, and deleting a channel rather than removing a ban.
Workarounds
- Sanitizing user input, ensuring strings are valid for the purpose they are being used for.
- Encoding input with
encodeURIComponentbefore providing it to the library.
References
OceanicJS/Oceanic@8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe
| Package | Affected Version |
|---|---|
 pkg:npm/oceanic.js
|
< 1.10.4 |
| Package | Fixed Version |
|---|---|
|
pkg:npm/oceanic.js
|
= 1.10.4 |
- ID
- NPM:GHSA-5H5V-HW44-F6GG
- Severity
- moderate
- URL
- https://github.com/advisories/GHSA-5h5v-hw44-f6gg
- Published
-
2024-05-14T20:13:58
(2 months ago) - Modified
-
2024-05-14T20:14:00
(2 months ago) - Rights
- NPM Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:npm/oceanic.js |
oceanic.js
|
< 1.10.4 | ||||
| Fixed | pkg:npm/oceanic.js |
oceanic.js
|
= 1.10.4 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |