CVE-2018-12123

MEDIUM

Node.js <6.15.0, 8.14.0, 10.14.0, 11.3.0 - Info Disclosure

Title source: llm

Description

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

References (4)

Core 4

Core References

Vendor Advisory

https://security.netapp.com/advisory/ntap-20241213-0008/

Patch, Vendor Advisory x_refsource_confirm

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:1821

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202003-48

Scores

CVSS v3 4.3

EPSS 0.0394

EPSS Percentile 88.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE

CWE-115 CWE-20

Status published

Products (2)

nodejs/node.js 11.0.0 - 11.3.0

nodejs/node.js 6.0.0 - 6.15.0

Published Nov 28, 2018

Tracked Since Feb 18, 2026