CVE-2019-15138: Arbitrary File Read

September 20, 2019 (updated October 17, 2019)

The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server.

References

nvd.nist.gov/vuln/detail/CVE-2019-15138
www.npmjs.com/advisories/1095

Detect and mitigate CVE-2019-15138 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →