CVEs-PoC/2018/CVE-2018-12123.md

### [CVE-2018-12123](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12123)
![](https://img.shields.io/static/v1?label=Product&message=Node.js&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-115%3A%20Misinterpretation%20of%20Input&color=brighgreen)

### Description

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon