Remote Code Execution

Affecting xterm package, versions >=3.8.0 <3.8.1 || >=3.9.0 <3.9.2 || >=3.10.0 <3.10.1

Overview

xterm is a front-end component written in TypeScript that lets applications bring fully-featured terminals to their users in the browser. It's used by popular projects such as VS Code, Hyper and Theia.

Affected versions of this package are vulnerable to Remote Code Execution because the component mishandles special characters in the data it processes. A terminal emulator renders whatever the process behind it writes, so any output an attacker can influence reaches this code path; the advisory's CVSS vector rates the attack as network-reachable with no privileges or user interaction required, but high attack complexity.

Remediation

Upgrade xterm to version 3.8.1, 3.9.2, 3.10.1 or higher, i.e. the fixed release of whichever minor line you are on. Check every copy of the package in the dependency tree, not just the top-level one, since nested dependencies can pin their own vulnerable version.
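As an added example (not part of the Snyk advisory or the xterm.js project), the following script evaluates the affected-version range quoted above against an installed version and walks a package-lock style dependency tree to find every nested copy. It implements the range grammar itself rather than depending on the `semver` package so it runs offline; the sample lockfile object, the package name `some-terminal-widget` and the helper names are constructed for illustration.

```javascript
// Affected range quoted from the advisory above (assumption: Snyk's "||" / space grammar).
const AFFECTED_RANGE = '>=3.8.0 <3.8.1 || >=3.9.0 <3.9.2 || >=3.10.0 <3.10.1';
// Fixed releases from the Remediation line, one per affected minor line.
const FIXED_VERSIONS = ['3.8.1', '3.9.2', '3.10.1'];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; a "-prerelease" suffix is accepted
// but ignored, a deliberate simplification of full semver ordering).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator result: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator such as ">=3.8.0" or "<3.8.1" against a version.
function matchesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(comparator.trim());
  if (!m) throw new Error(`bad comparator: ${comparator}`);
  const op = m[1] || '=';
  const c = compareVersions(version, m[2]);
  switch (op) {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '<': return c < 0;
    default: return c === 0;
  }
}

// Range grammar: alternatives joined by "||", each a whitespace-separated
// conjunction of comparators. True when the version falls inside any alternative.
function isAffected(version, range = AFFECTED_RANGE) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => matchesComparator(version, cmp)));
}

// Smallest fixed release in the same minor line as the installed version;
// falls back to the newest fixed release when no minor line matches.
function recommendedUpgrade(version) {
  const [major, minor] = parseVersion(version);
  const sameLine = FIXED_VERSIONS.find(f => {
    const [fm, fn] = parseVersion(f);
    return fm === major && fn === minor;
  });
  return sameLine || FIXED_VERSIONS[FIXED_VERSIONS.length - 1];
}

// Walk a lockfileVersion 1 style tree ({ dependencies: { name: { version, dependencies } } })
// and report every copy of `pkg` whose version is affected, with its nesting path.
function auditLockfile(lock, pkg = 'xterm', range = AFFECTED_RANGE) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === pkg && entry.version && isAffected(entry.version, range)) {
        hits.push(`${path.join(' > ')}@${entry.version}`);
      }
      walk(entry.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile: a vulnerable top-level xterm plus an already
// fixed nested copy pulled in by a hypothetical widget package.
const SAMPLE_LOCK = {
  name: 'demo-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    xterm: { version: '3.9.1' },
    'some-terminal-widget': {
      version: '2.0.0',
      requires: { xterm: '^3.8.0' },
      dependencies: { xterm: { version: '3.8.1' } },
    },
  },
};

for (const hit of auditLockfile(SAMPLE_LOCK)) {
  const version = hit.split('@').pop();
  console.log(`${hit} is affected; upgrade to ${recommendedUpgrade(version)}`);
}
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfileVersion 2 and 3 files keep a flat `packages` map instead of nested `dependencies`, so adapt the walker before relying on it there.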

CVSS Score

8.1 (high severity)
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:O
Credit: Felix Wilhelm
CVE: CVE-2019-0542
CWE: CWE-94
Snyk ID: SNYK-JS-XTERM-73496
Disclosed: 09 Jan, 2019
Published: 10 Jan, 2019