Exploiting an old noVNC XSS (CVE-2017-18635) in OpenStack

TL;DR: noVNC had a DOM-based XSS that allowed attackers to use a malicious VNC server to inject JavaScript code inside the web page. As OpenStack uses noVNC and its patching system doesn’t update third-party software, fully-updated OpenStack installations may still be vulnerable.