CVE-2017-18635
Description
An XSS vulnerability in noVNC before 0.6.2 allows a malicious VNC server to inject arbitrary HTML into the noVNC web page via the status field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSS vulnerability was discovered in noVNC versions prior to 0.6.2, where the remote VNC server could inject arbitrary HTML into the noVNC web page via messages propagated to the status field, such as the VNC server name [1][4]. This is a classic DOM-based cross-site scripting flaw.
The attack surface involves an attacker controlling a VNC server that the victim connects to via noVNC. The victim's browser then executes the injected HTML/JavaScript without requiring any authentication from the attacker. In OpenStack deployments, the console feature uses noVNC, and even fully-updated OpenStack installations may remain vulnerable if the bundled noVNC component is not updated separately [3].
Impact: An attacker can execute arbitrary JavaScript in the victim's browser, potentially stealing session cookies, performing actions as the user, or defacing the page. The full impact depends on the context of the noVNC deployment [3].
Mitigation: The vulnerability was fixed in noVNC version 0.6.2, which replaced innerHTML with textContent to prevent HTML injection [3]. All users should upgrade to noVNC 0.6.2 or later. OpenStack administrators should ensure the noVNC component is updated to the patched version [3]. The vulnerability is listed on Snyk as SNYK-JS-NOVNCNOVNC-469136 [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
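The fix described above swaps an HTML-parsing sink (innerHTML) for a plain-text sink (textContent), so a server-supplied status string is shown literally instead of being parsed as markup. As an added example that is not part of this record or of noVNC, the Node.js script below audits JavaScript source for that class of sink: assignments to innerHTML or outerHTML, and calls to insertAdjacentHTML or document.write, whose HTML argument is anything other than a single string literal. The sample source lines are constructed to mirror the pre-patch and patched code; the function names and regular expressions are this example's own.

```javascript
// Added example (not noVNC code): audit JavaScript source for DOM sinks that
// parse HTML, the sink class behind CVE-2017-18635. Text that comes from a
// VNC server is data and must reach the page via textContent, never innerHTML.

// Property sinks: `x.innerHTML = expr;` or `x.innerHTML += expr;`
// (the lookahead keeps `===` comparisons from matching as writes)
const SINK_ASSIGN = /\.(innerHTML|outerHTML)\s*(\+?=)(?!=)\s*([^;]+)/;
// Call sinks: insertAdjacentHTML(position, html) and document.write(html)
const SINK_CALL = /\b(insertAdjacentHTML|document\.write)\s*\(([^)]*)\)/;
// An expression that is exactly one string literal: no concatenation, no names
const PURE_LITERAL = /^(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")$/;

// True when the HTML handed to a sink is a fixed literal and therefore static.
function isStaticMarkup(expr) {
  return PURE_LITERAL.test(expr.trim());
}

// Returns one finding per line whose HTML sink receives a non-literal expression.
function auditHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    if (/^\s*\/\//.test(line)) return; // skip comment-only lines
    const assign = SINK_ASSIGN.exec(line);
    if (assign) {
      if (!isStaticMarkup(assign[3])) {
        findings.push({
          line: idx + 1, sink: assign[1], expression: assign[3].trim(),
          fix: 'assign textContent instead (build any needed markup from literals first)',
        });
      }
      return;
    }
    const call = SINK_CALL.exec(line);
    if (call) {
      // insertAdjacentHTML's HTML is its second argument; document.write's is its first
      const args = call[2];
      const expr = call[1] === 'insertAdjacentHTML' ? args.slice(args.indexOf(',') + 1) : args;
      if (!isStaticMarkup(expr)) {
        findings.push({
          line: idx + 1, sink: call[1], expression: expr.trim(),
          fix: 'append a text node or set textContent on a created element',
        });
      }
    }
  });
  return findings;
}

// Constructed sample: the pre-patch sink, the patched line, and static-literal
// uses that do not need to change.
const SAMPLE_SOURCE = [
  'statusElem.innerHTML = text;',                          // 1: pre-patch, flagged
  'statusElem.textContent = text;',                        // 2: patched, not a sink
  "cell.innerHTML += msg_cnt + ': ' + str + newline;",     // 3: concatenation, flagged
  'banner.innerHTML = \'<span class="ok">Ready</span>\';', // 4: literal, not flagged
  'document.write("noVNC encountered an error.");',        // 5: literal, not flagged
  'document.write(msg);',                                  // 6: flagged
  '// el.innerHTML = legacy;',                             // 7: comment, skipped
  "panel.insertAdjacentHTML('beforeend', serverName);",    // 8: flagged
  'if (box.innerHTML === "") { reset(); }',                // 9: comparison, not a write
].join('\n');

// Stand-alone run: list the findings for the constructed sample.
for (const f of auditHtmlSinks(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.sink} <- ${f.expression}  [${f.fix}]`);
}
```

The check is deliberately line-based and conservative: it only trusts a sink when the whole right-hand side is one literal, so the vnc_auto.html pattern in the patch (markup built from literals, untrusted text inserted afterwards through a label's textContent) passes, while any concatenation of a variable into the HTML string is reported.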
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @novnc/novnc (npm) | < 0.6.2 | 0.6.2 |
Affected products
- noVNC/noVNC
Patches
6048299a138e: Use textContent instead of innerHTML
5 files changed · +16 −12
app/ui.js+4 −4 modified@@ -48,7 +48,7 @@ var UI; document.getElementById('noVNC_fallback_error') .classList.add("noVNC_open"); - document.getElementById('noVNC_fallback_errormsg').innerHTML = msg; + document.getElementById('noVNC_fallback_errormsg').textContent = msg; } catch (exc) { document.write("noVNC encountered an error."); } @@ -416,7 +416,7 @@ var UI; switch (state) { case 'connecting': - document.getElementById("noVNC_transition_text").innerHTML = _("Connecting..."); + document.getElementById("noVNC_transition_text").textContent = _("Connecting..."); document.documentElement.classList.add("noVNC_connecting"); break; case 'connected': @@ -431,7 +431,7 @@ var UI; break; case 'disconnecting': UI.connected = false; - document.getElementById("noVNC_transition_text").innerHTML = _("Disconnecting..."); + document.getElementById("noVNC_transition_text").textContent = _("Disconnecting..."); document.documentElement.classList.add("noVNC_disconnecting"); break; case 'disconnected': @@ -531,7 +531,7 @@ var UI; break; } - statusElem.innerHTML = text; + statusElem.textContent = text; statusElem.classList.add("noVNC_open"); // If no time was specified, show the status for 1.5 seconds
tests/input.html+1 −1 modified@@ -45,7 +45,7 @@ function message(str) { console.log(str); cell = document.getElementById('messages'); - cell.innerHTML += msg_cnt + ": " + str + newline; + cell.textContent += msg_cnt + ": " + str + newline; cell.scrollTop = cell.scrollHeight; msg_cnt++; }
tests/vnc_perf.html+2 −2 modified@@ -65,7 +65,7 @@ function msg(str) { console.log(str); var cell = document.getElementById('messages'); - cell.innerHTML += str + "\n"; + cell.textContent += str + "\n"; cell.scrollTop = cell.scrollHeight; } function dbgmsg(str) { @@ -85,7 +85,7 @@ } notification = function (rfb, mesg, level, options) { - document.getElementById('VNC_status').innerHTML = mesg; + document.getElementById('VNC_status').textContent = mesg; } function do_test() {
tests/vnc_playback.html+2 −2 modified@@ -49,7 +49,7 @@ function message(str) { console.log(str); var cell = document.getElementById('messages'); - cell.innerHTML += str + "\n"; + cell.textContent += str + "\n"; cell.scrollTop = cell.scrollHeight; } @@ -76,7 +76,7 @@ } notification = function (rfb, mesg, level, options) { - document.getElementById('VNC_status').innerHTML = mesg; + document.getElementById('VNC_status').textContent = mesg; } function start() {
vnc_auto.html+7 −3 modified@@ -111,10 +111,14 @@ var html; html = '<form onsubmit="return setPassword();"'; html += ' style="margin-bottom: 0px">'; - html += msg; + html += '<label></label>' html += '<input type=password size=10 id="password_input" class="noVNC_status">'; html += '<\/form>'; - status(html, "warn"); + + // bypass status() because it sets text content + document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_warn"); + document.getElementById('noVNC_status').innerHTML = html; + document.getElementById('noVNC_status').querySelector('label').textContent = msg; } function setPassword() { rfb.sendPassword(document.getElementById('password_input').value); @@ -146,7 +150,7 @@ level = "warn"; } document.getElementById('noVNC_status_bar').setAttribute("class", "noVNC_status_" + level); - document.getElementById('noVNC_status').innerHTML = text; + document.getElementById('noVNC_status').textContent = text; } function updateState(rfb, state, oldstate) { var cad = document.getElementById('sendCtrlAltDelButton');
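Review bot: in the tests/input.html hunk, `cell.textContent += msg_cnt + ": " + str + newline;` now appends `newline` as literal text, so if `newline` holds markup such as a `<br>` tag it will be displayed verbatim in the messages cell; check its definition and use a `"\n"` string as the other test pages do, with the element styled to preserve whitespace.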
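Review bot: in the tests/vnc_perf.html `msg()` hunk (and the identical `message()` hunk in tests/vnc_playback.html), `cell.textContent += str + "\n"` only yields visible line breaks if the `messages` element preserves whitespace (`white-space: pre` or `pre-wrap`, or a `<pre>` element); under default whitespace collapsing the log entries run together on one line, so confirm the element's styling or append a text node followed by a `<br>` created with `createElement`.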
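Review bot: in the vnc_auto.html password-prompt hunk, `html += '<label></label>'` is missing its trailing semicolon, unlike the neighbouring `html +=` lines. The approach itself is sound: `html` is now assembled only from string literals, so the remaining `innerHTML` write is static markup and the server-controlled `msg` reaches the page solely through `querySelector('label').textContent`. The comment `// bypass status() because it sets text content` explains why `status()` is skipped but not why `msg` must never be concatenated into `html`; a one-line comment stating that invariant would keep a future edit from reintroducing the sink.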
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2020:0754 (vendor advisory)
- github.com/advisories/GHSA-49rv-g7w5-m8xx (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-18635 (NVD)
- usn.ubuntu.com/4522-1/ (vendor advisory)
- bugs.launchpad.net/horizon/+bug/1656435 (OpenStack Horizon bug)
- github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13 (fix commit)
- github.com/novnc/noVNC/issues/748 (upstream issue)
- github.com/novnc/noVNC/releases/tag/v0.6.2 (release)
- lists.debian.org/debian-lts-announce/2019/10/msg00004.html (mailing list)
- lists.debian.org/debian-lts-announce/2021/12/msg00024.html (mailing list)
- snyk.io/vuln/SNYK-JS-NOVNCNOVNC-469136 (Snyk)
- www.npmjs.com/advisories/1204 (npm advisory)
- www.shielder.it/blog/exploiting-an-old-novnc-xss-cve-2017-18635-in-openstack/ (blog)
News mentions
No linked articles in our index yet.