WS-2020-0443


Date: February 20, 2020

socket.io versions 1.0.0 through 2.3.0 are vulnerable to Cross-Site WebSocket Hijacking: an attacker can bypass the origin protection by using special symbols, including "`" and "$", in the origin value.

Language: JS

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix


Upgrade Version

Upgrade to the fixed version listed for the affected package (no_fix means no fixed version is available for that package):

AutoDomain.Modules.Core - no_fix
pterodactyl/panel - dev-fix/forgev2
pterodactyl/panel - no_fix
pterodactyl/panel - dev-dane/type-cleanup
pterodactyl/panel - dev-eggs/rust
pterodactyl/panel - dev-dane/laravel-9
pterodactyl/panel - dev-dane/sanctum
pterodactyl/panel - v0.1.0-beta
pterodactyl/panel - dev-matthewpi/database-tls
pterodactyl/panel - dev-fix/forge
pterodactyl/panel - dev-issue/3535
pterodactyl/panel - dev-softwarenoob/remove-ga
pterodactyl/panel - dev-actions/tests-patch-1
pterodactyl/panel - dev-dane/fiddle-with-new-tables
pterodactyl/panel - dev-softwarenoob/docker-arm64
pterodactyl/panel - dev-feature/react-admin
sroehrl/neoan-php - no_fix
sroehrl/neoan-php - v2.0.1-beta
kriss/yii2-web-msg-sender - v1.1
narirock/marrs-catalog - no_fix
Apace - no_fix
socket.io - 2.4.0
rotary/rotary_bs4 - no_fix
sombrerodepaja/franky-skeleton-application - no_fix
sombrerodepaja/franky-skeleton-application - dev-dev
flexxia/flexprimeng - dev-dependabot/npm_and_yarn/css/postcss/browserslist-4.17.0
flexxia/flexprimeng - dev-dependabot/npm_and_yarn/css/postcss/path-parse-1.0.7
flexxia/flexprimeng - dev-dependabot/npm_and_yarn/css/postcss/y18n-3.2.2
flexxia/flexprimeng - dev-dependabot/npm_and_yarn/css/postcss/ini-1.3.8
yanev/laraadmin - no_fix
novosga/novosga - v2.1.0
novosga/novosga - dev-dependabot/composer/twig/twig-2.14.11
novosga/novosga - v2.0.0-RC1
novosga/novosga - v2.0.7
novosga/novosga - dev-dependabot/composer/symfony/serializer-4.4.35
novosga/novosga - v2.0.1
novosga/novosga - v2.1.1
novosga/novosga - v0.5.1
novosga/novosga - dev-dependabot/composer/twig/twig-3.14.0
electrscash - 1.1.1
nextqs/php-socket-io-event-emitter - no_fix
johnrazeur/php-socket-io-event-emitter - v1.0.0
mpcmf/mpcmf-web-app - 1.0.0.x-dev
mpcmf/mpcmf-web-app - no_fix
bobzhai/fourbrother - no_fix
ksaitechnologies/yii2-app-kernel - v1.0.2
ksaitechnologies/yii2-app-kernel - dev-master
tianfuunion/mark-resources - no_fix
mmi/mmi-cms - 2.3.1
jagermesh/bright - v2.0.12
scancode/portal-module - dev-dependabot/npm_and_yarn/Resources/assets/coreui/decode-uri-component-0.2.2
scancode/portal-module - dev-dependabot/npm_and_yarn/Resources/assets/coreui/path-parse-1.0.7
scancode/portal-module - v1.0.12
oceancodex/wpsp - 7.4.0
oceancodex/wpsp - 8.2.1
oceancodex/wpsp - 8.1.1
oceancodex/wpsp - 8.0.1
yewei-cao/noodle - dev-dependabot/npm_and_yarn/y18n-3.2.2
yewei-cao/noodle - v0.03
yewei-cao/noodle - dev-feature/admin
yewei-cao/noodle - v0.0.31
pusaka3/framework - no_fix
anupsathya/umd_bootstrap_sass - no_fix
panda-coder/phpanda - dev-oldMaster
PWPTemplateCMS - no_fix
frankyframework/franky2 - no_fix
bobzhai/apps - no_fix
blenderdeluxe/chat - no_fix
simplefile123 - no_fix
dotnetng.template - 1.0.0.4
NewPlatform.Flexberry.Designer.EmberCache - no_fix
originalsystems/yii2-app-kernel - v1.0.2
originalsystems/yii2-app-kernel - dev-master
mriso_dev/nodejschat - no_fix
foodsharing/foodsharing - no_fix
Sheelersoft.AngularTemplate - no_fix
AutoDomain.Modules.Core.Blazor - 4.1.205
KarmaNodeModules - no_fix
chrisbraybrooke/laravel-ecommerce - 0.0.2
chrisbraybrooke/laravel-ecommerce - 0.0.17
chrisbraybrooke/laravel-ecommerce - 0.0.56
chrisbraybrooke/laravel-ecommerce - dev-form-field-key
wangliang/laravel-admin - no_fix
dickyermawan/yii2-socketio - no_fix
dwij/laraadmin - 1.0.1
bobzhai/cbsms - no_fix
originalsystems/yii2-app-template - v0.2.4
touskar/php-socket-io-event-emitter - no_fix
zhangjf108/php-framework-application - no_fix
NorDroN.AngularTemplate - 0.1.6
grandchef/php-socket-io-event-emitter - no_fix
Sheeler.AngularTemplate - no_fix
scnu-socoding/scnuoj - no_fix
xlabs/notifybundle - no_fix
mahendraempyreal/emp-chat - 1.0.0
mahendraempyreal/emp-chat - no_fix
quarto - 1.2.335
efecanaltay/hello-world - no_fix
pwptemplatepusintek - no_fix
MIDIator.WebClient - 1.0.105
jsdom - 11.11.0
dgenies - no_fix
s00d/redis-web - 0.1.1
ristorantino/aditions - dev-master-ko-js-update
basic-builder/easybuilder-bundle - v0.0.3
socieboy/chat - no_fix
org.webjars.bower:socket.io-client:2.0.3
org.webjars:browser-sync:no_fix
org.webjars.bower:socket.io:2.0.3
org.webjars.npm:socket.io-client:4.5.0
org.webjars.npm:socket.io:3.0.0

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE
