How severe is CVE-2018-12123?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.3 out of 10.

What type of vulnerability is CVE-2018-12123?

This is classified as CWE-115, which is a common weakness in software security.

CVE-2018-12123 - MEDIUM Severity | CVSS 4.3

Vulnerability Description

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

Related Vulnerabilities

CVE-2021-21366

MEDIUM

CVSS:4.3(Medium)

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespac...

CWE-1152021

CVE-2023-0880

MEDIUM

CVSS:4.3(Medium)

Misinterpretation of Input in GitHub repository thorsten/phpmyfaq prior to 3.1.11.

CWE-1152023

CVE-2025-22870

MEDIUM

CVSS:4.4(Medium)

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1...

CWE-1152025

CVE-2023-32228

MEDIUM

CVSS:4.6(Medium)

A firmware bug which may lead to misinterpretation of data in the AMC2-4WCF and AMC2-2WCF allowing an adversary to grant access to the last authorized user.

CWE-1152023

CVE-2018-7159

MEDIUM

CVSS:5.3(Medium)

The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP spe...

CWE-1152018

CVE-2020-29509

MEDIUM

CVSS:5.6(Medium)

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that b...

CWE-1152020