medis@0.2.0 vulnerabilities

GUI for Redis

Direct Vulnerabilities

Known vulnerabilities in the medis package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity M): Cross-site Scripting (XSS)

medis is a Mac database management application for Redis.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS), which can escalate to code execution because node integration is enabled in the renderer. When a victim synchronizes data from the Redis server, an attack may occur if the server contains a malicious key name: the key is rendered as HTML rather than as text, so markup inside it is parsed and any event handler it carries runs with access to Node and Electron APIs.

PoC by silvia vali:

If an attacker provides the following as a key:

<s <onmouseover="alert(1)"> <s onmouseover="var {shell} = require('electron'); shell.openExternal('file:/etc/passwd'); alert('XSS to RCE')">Hallo</s>

When the user hovers over the key name, the payload executes: an alert box pops up and the /etc/passwd file is opened from the user’s machine.

How to fix Cross-site Scripting (XSS)?

There is no fix version for medis.
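Since no fixed version is published, the mitigation is the one the description implies: treat key names from the server as text, not markup, and take Node APIs out of the renderer's reach. The following is an added example written for this page; it is not medis code. `renderKeyRowUnsafe`, `renderKeyRowSafe`, `appendKeyElement` and `rowContainsRawMarkup` are hypothetical helper names chosen for illustration, and the sample key is constructed from the PoC above. The `webPreferences` option names are real Electron BrowserWindow settings.

```javascript
// Added example (not medis' code): rendering Redis key names in an Electron
// renderer without letting their contents become markup, plus the
// BrowserWindow settings that keep injected script away from Node APIs.
'use strict';

// Escape the five characters that can change meaning inside HTML text or
// attribute values. Apply to any server-supplied string that is interpolated
// into an HTML template.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical helper): the key name is dropped straight
// into markup, so a key shaped like the PoC becomes a live element with an
// event handler attached.
function renderKeyRowUnsafe(keyName) {
  return `<li class="key">${keyName}</li>`;
}

// Hardened pattern (hypothetical helper): the same row with the key name
// escaped, so the key is shown verbatim and never parsed as tags/attributes.
function renderKeyRowSafe(keyName) {
  return `<li class="key">${escapeHtml(keyName)}</li>`;
}

// Inside the renderer, where a DOM exists, prefer textContent over innerHTML:
// nothing is parsed, so there is nothing to escape. (Hypothetical helper.)
function appendKeyElement(listEl, keyName) {
  const li = document.createElement('li');
  li.className = 'key';
  li.textContent = keyName; // never innerHTML for server-controlled data
  listEl.appendChild(li);
  return li;
}

// BrowserWindow webPreferences that remove the "XSS to RCE" step: with node
// integration off and context isolation on, script running in the page
// cannot reach require('electron'). These are real Electron option names;
// the values are the hardened ones.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Constructed sample key name, shaped like the advisory's PoC.
const SAMPLE_KEY = '<s onmouseover="alert(1)">Hallo</s>';

// Returns true when the rendered row still contains raw tag characters that
// came from the key name, i.e. the renderer would parse the key as markup.
// (Hypothetical helper used to compare the two renderers.)
function rowContainsRawMarkup(row) {
  const inner = row.replace(/^<li class="key">/, '').replace(/<\/li>$/, '');
  return /[<>]/.test(inner);
}

console.log('unsafe row:', renderKeyRowUnsafe(SAMPLE_KEY));
console.log('safe row:  ', renderKeyRowSafe(SAMPLE_KEY));
console.log('unsafe still carries markup:', rowContainsRawMarkup(renderKeyRowUnsafe(SAMPLE_KEY)));
console.log('safe still carries markup:  ', rowContainsRawMarkup(renderKeyRowSafe(SAMPLE_KEY)));
```

The two fixes are complementary: escaping (or `textContent`) stops the key from becoming markup at all, while `nodeIntegration: false` with `contextIsolation: true` means that even a rendering bug elsewhere in the app cannot turn a script injection into a local file or process access.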
