CVE-2019-15479
Description
Status Board 1.1.81 contains a reflected cross-site scripting (XSS) vulnerability in the dashboard.ts file, allowing injection of arbitrary JavaScript via a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
Status Board 1.1.81, a Node.js-based dashboard framework forked from Atlasboard, contains a reflected cross-site scripting (XSS) flaw in the dashboard.ts endpoint [1]. The vulnerability stems from insufficient input sanitization, where user-supplied data is reflected directly back to the user without proper encoding, enabling the injection of malicious scripts into the page context [2].
Exploitation
An attacker can exploit this by crafting a URL with a malicious payload, such as a `<script>` tag, within the query string or other request parameters passed to `dashboard.ts`. When the victim visits the crafted URL, the injected script is executed in their browser within the context of the dashboard application. No authentication is required, as the attack relies on the user simply opening the malicious link [2][3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, data theft, defacement, or redirection to malicious sites. The injected script runs in the same origin as the vulnerable application, so the browser's Same-Origin Policy does not restrict its access to that application's data [2].
Mitigation
The vulnerability was fixed in a commit merged into the master branch [1]. However, as of the publication date, no official patched release was published to the npm registry, meaning users must manually apply the fix or update from the repository [2]. Organizations still running version 1.1.81 or earlier should immediately update their codebase to the latest commit or apply the patch from the referenced pull request [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
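The output-handling options implied by the narrative above, as an added TypeScript example that is not Status Board's code: the unencoded reflection pattern beside an encoded message, a constant message like the one the fix commit uses, and a plain-text reply. The function names, the name allowlist and the 400/404 mapping are assumptions made for this example.

```typescript
// Added example, not Status Board source; all names here are hypothetical.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that can break out of HTML text or attribute context.
function escapeHtml(value: unknown): string {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Before: the requested name is interpolated verbatim into the response body.
function notFoundUnsafe(name: string): string {
  return `Trying to render the dashboard '${name}', but couldn't find it.`;
}

// Option A: keep the name in the message, but encode it at the point of output.
function notFoundEncoded(name: string): string {
  return `Trying to render the dashboard '${escapeHtml(name)}', but couldn't find it.`;
}

// Option B: reflect nothing, the approach the fix commit takes.
function notFoundGeneric(): string {
  return "Unable to find requested dashboard.";
}

// Allowlist check applied before the name is used for lookup or logging.
// The character set and length limit are assumptions for this example.
function isValidDashboardName(name: unknown): boolean {
  return typeof name === "string" && /^[A-Za-z0-9_-]{1,64}$/.test(name);
}

interface ErrorReply { status: number; headers: Record<string, string>; body: string; }

// Framework-neutral reply: 400 for malformed names, 404 otherwise, served as
// plain text so a browser never parses the body as markup.
function buildErrorReply(name: unknown): ErrorReply {
  return {
    status: isValidDashboardName(name) ? 404 : 400,
    headers: { "Content-Type": "text/plain; charset=utf-8", "X-Content-Type-Options": "nosniff" },
    body: notFoundGeneric(),
  };
}

// Constructed sample input, not taken from the advisory.
const sample = "<script>probe()</script>";
console.log(notFoundEncoded(sample));
console.log(buildErrorReply(sample));
```
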
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| status-board (npm) | < 1.1.82 | 1.1.82 |
Affected products
- Status Board/Status Board (description)
Patches
191066178654 Update dashboard.ts
1 file changed · +1 −2
src/webapp/routes/dashboard.ts+1 −2 modified@@ -87,8 +87,7 @@ export function renderDashboard(packagesPath: any, if (error || !dashboardPath) { const statusCode = error ? 400 : 404; const errorMessage = ` - Trying to render the dashboard '${safeDashboardName}', but couldn't find a valid dashboard - with that name. If the dashboard exists, is it a valid json file? Please check the console + Unable to find requested dashboard. If the dashboard exists, is it a valid json file? Please check the console for error messages. `; return response.status(statusCode).send(error ? error : errorMessage);
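Review bot: the closing `return response.status(statusCode).send(error ? error : errorMessage);` still sends `error` verbatim whenever it is set, so dropping `${safeDashboardName}` from `errorMessage` only removes the reflection on the 404 path. The visible lines do not show where `error` originates; if it can carry any request-derived text, the 400 path echoes it in the same way. Consider sending a fixed message for both status codes and logging the detail server-side, or HTML-encoding `error` and setting a text/plain content type before `send`. A one-line comment above `errorMessage` explaining that the dashboard name is deliberately not echoed would also keep it from being reintroduced later.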
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8864-rhmw-5m6f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-15479 (ghsa, ADVISORY)
- github.com/jameswlane/status-board/pull/948 (ghsa, x_refsource_MISC, WEB)
- github.com/status-board/status-board/commit/19106617865406aa6f8edec036dcb1db427d5f71 (ghsa, WEB)
- snyk.io/vuln/SNYK-JS-STATUSBOARD-460295 (ghsa, WEB)