{ "retire-example": { "vulnerabilities" : [ { "below" : "0.0.2", "severity" : "low", "identifiers" : { "CVE" : [ "CVE-XXXX-XXXX" ], "bug" : "1234", "summary" : "bug summary" }, "info" : [ "http://github.com/eoftedal/retire.js/" ] } ], "extractors" : { "func" : [ "retire.VERSION" ], "filename" : [ "retire-example-(§§version§§)(.min)?\\.js" ], "filecontent" : [ "/\\*!? Retire-example v(§§version§§)" ], "hashes" : { "07f8b94c8d601a24a1914a1a92bec0e4fafda964" : "0.0.1" } } }, "jquery": { "bowername": [ "jQuery" ], "vulnerabilities" : [ { "below" : "1.6.3", "severity" : "medium", "identifiers" : { "CVE": [ "CVE-2011-4969" ], "summary": "XSS with location.hash" }, "info" : [ "https://nvd.nist.gov/vuln/detail/CVE-2011-4969" , "http://research.insecurelabs.org/jquery/test/", "https://bugs.jquery.com/ticket/9521" ] }, { "below" : "1.9.0b1", "identifiers": { "CVE" : [ "CVE-2012-6708" ], "bug": "11290", "summary": "Selector interpreted as HTML" }, "severity": "medium", "info" : [ "http://bugs.jquery.com/ticket/11290" , "https://nvd.nist.gov/vuln/detail/CVE-2012-6708", "http://research.insecurelabs.org/jquery/test/" ] }, { "atOrAbove" : "1.4.0", "below" : "1.12.0", "identifiers": { "issue" : "2432", "summary": "3rd party CORS request may execute", "CVE": [ "CVE-2015-9251" ] }, "severity": "medium", "info" : [ "https://github.com/jquery/jquery/issues/2432", "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/", "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "http://research.insecurelabs.org/jquery/test/" ] }, { "atOrAbove" : "1.12.3", "below" : "3.0.0-beta1", "identifiers": { "issue" : "2432", "summary": "3rd party CORS request may execute", "CVE": [ "CVE-2015-9251" ] }, "severity": "medium", "info" : [ "https://github.com/jquery/jquery/issues/2432", "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/", "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "http://research.insecurelabs.org/jquery/test/" ] }, { "atOrAbove" : "1.8.0", "below" : "1.12.0", 
"identifiers": { "CVE" : [ "CVE-2015-9251" ], "issue" : "11974", "summary": "parseHTML() executes scripts in event handlers" }, "severity": "medium", "info" : [ "https://bugs.jquery.com/ticket/11974", "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "http://research.insecurelabs.org/jquery/test/" ] }, { "atOrAbove" : "1.12.2", "below" : "2.2.0", "identifiers": { "CVE" : [ "CVE-2015-9251" ], "issue" : "11974", "summary": "parseHTML() executes scripts in event handlers" }, "severity": "medium", "info" : [ "https://bugs.jquery.com/ticket/11974", "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "http://research.insecurelabs.org/jquery/test/" ] }, { "atOrAbove" : "2.2.2", "below" : "3.0.0", "identifiers": { "CVE" : [ "CVE-2015-9251" ], "issue" : "11974", "summary": "parseHTML() executes scripts in event handlers" }, "severity": "medium", "info" : [ "https://bugs.jquery.com/ticket/11974", "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "http://research.insecurelabs.org/jquery/test/" ] }, { "below" : "3.4.0", "identifiers": { "CVE" : [ "CVE-2019-11358" ], "summary": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) 
because of Object.prototype pollution" }, "severity" : "medium", "info" : [ "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b" ] }, { "below" : "3.5.0", "identifiers": { "CVE": [ "CVE-2020-11022" ], "summary": "Regex in its jQuery.htmlPrefilter sometimes may introduce XSS" }, "severity" : "medium", "info" : [ "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" ] }, { "below" : "3.5.0", "identifiers": { "CVE": [ "CVE-2020-11023" ], "summary": "Regex in its jQuery.htmlPrefilter sometimes may introduce XSS" }, "severity" : "medium", "info" : [ "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" ] } ], "extractors" : { "func" : [ "(window.jQuery || window.$ || window.$jq || window.$j).fn.jquery", "require('jquery').fn.jquery" ], "uri" : [ "/(§§version§§)/jquery(\\.min)?\\.js" ], "filename" : [ "jquery-(§§version§§)(\\.min)?\\.js" ], "filecontent" : [ "/\\*!? jQuery v(§§version§§)", "\\* jQuery JavaScript Library v(§§version§§)", "\\* jQuery (§§version§§) - New Wave Javascript", "// \\$Id: jquery.js,v (§§version§§)", "/\\*! 
jQuery v(§§version§§)", "[^a-z]f=\"(§§version§§)\",.*[^a-z]jquery:f,", "[^a-z]m=\"(§§version§§)\",.*[^a-z]jquery:m,", "[^a-z.]jquery:[ ]?\"(§§version§§)\"", "\\$\\.documentElement,Q=e.jQuery,Z=e\\.\\$,ee=\\{\\},te=\\[\\],ne=\"(§§version§§)\"" ], "filecontentreplace" : [ "/var [a-z]=[a-z]\\.document,([a-z])=\"(§§version§§)\",([a-z])=.{130,160};\\3\\.fn=\\3\\.prototype=\\{jquery:\\1/$2/" ], "hashes" : {} } }, "jquery-migrate" : { "vulnerabilities" : [ { "below" : "1.2.0", "severity": "medium", "identifiers": { "issue" : "36", "release": "jQuery Migrate 1.2.0 Released", "summary": "cross-site-scripting" }, "info" : [ "http://blog.jquery.com/2013/05/01/jquery-migrate-1-2-0-released/", "https://github.com/jquery/jquery-migrate/issues/36" ] }, { "below" : "1.2.2", "severity": "medium", "identifiers": { "bug": "11290", "summary": "Selector interpreted as HTML" }, "info" : [ "http://bugs.jquery.com/ticket/11290" , "http://research.insecurelabs.org/jquery/test/" ] } ], "extractors" : { "filename" : [ "jquery-migrate-(§§version§§)(.min)?\\.js" ], "filecontent" : [ "/\\*!?(?:\n \\*)? jQuery Migrate(?: -)? 
v(§§version§§)" ], "hashes" : {} } }, "jquery-validation" : { "bowername": [ "jquery-validation" ], "vulnerabilities" : [ { "below": "1.19.5", "severity" : "medium", "identifiers" : { "CVE" : [ "CVE-2022-31147" ], "summary" : "ReDoS vulnerability in url and URL2 validation" }, "info" : [ "https://github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd", "https://github.com/advisories/GHSA-ffmh-x56j-9rc3" ] }, { "below": "1.19.4", "severity" : "medium", "identifiers" : { "CVE" : [ "CVE-2021-43306" ], "issue": "2428", "summary" : "ReDoS vulnerability in URL2 validation" }, "info" : [ "https://github.com/jquery-validation/jquery-validation/blob/master/changelog.md#1194--2022-05-19" ] }, { "below": "1.19.3", "severity" : "medium", "identifiers" : { "CVE" : [ "CVE-2021-21252" ], "summary" : "Regular Expression Denial of Service vulnerability" }, "info" : [ "https://github.com/jquery-validation/jquery-validation/blob/master/changelog.md#1193--2021-01-09" ] } ], "extractors" : { "func" : [ "jQuery.validation.version" ], "filename" : [ "jquery.validat(?:ion|e)-(§§version§§)(.min)?\\.js" ], "uri" : [ "/(§§version§§)/jquery.validat(ion|e)(\\.min)?\\.js", "/jquery-validation@(§§version§§)/dist/.*\\.js" ], "filecontent" : [ "/\\*!?(?:\n \\*)?[\\s]*jQuery Validation Plugin -? 
?v(§§version§§)", "Original file: /npm/jquery-validation@(§§version§§)/dist/jquery.validate.js" ], "hashes" : {} } }, "jquery-mobile" : { "bowername": [ "jquery-mobile", "jquery-mobile-min", "jquery-mobile-build", "jquery-mobile-dist", "jquery-mobile-bower" ], "vulnerabilities" : [ { "below" : "1.0RC2", "severity": "high", "identifiers": {"osvdb": ["94563", "93562", "94316", "94561", "94560"]}, "info" : [ "http://osvdb.org/show/osvdb/94563", "http://osvdb.org/show/osvdb/94562", "http://osvdb.org/show/osvdb/94316", "http://osvdb.org/show/osvdb/94561", "http://osvdb.org/show/osvdb/94560" ] }, { "below" : "1.0.1", "severity": "high", "identifiers": {"osvdb": ["94317"]}, "info": [ "http://osvdb.org/show/osvdb/94317" ] }, { "below" : "1.1.2", "severity": "medium", "identifiers": { "issue": "4787", "release": "http://jquerymobile.com/changelog/1.1.2/", "summary": "location.href cross-site scripting" }, "info": [ "http://jquerymobile.com/changelog/1.1.2/", "https://github.com/jquery/jquery-mobile/issues/4787" ] }, { "below" : "1.2.0", "severity": "medium", "identifiers": { "issue": "4787", "release": "http://jquerymobile.com/changelog/1.2.0/", "summary": "location.href cross-site scripting" }, "info": [ "http://jquerymobile.com/changelog/1.2.0/", "https://github.com/jquery/jquery-mobile/issues/4787" ] }, { "below" : "100.0.0", "severity": "medium", "identifiers": { "blog" : "sirdarckcat/unpatched-0day-jquery-mobile-xss", "summary": "open redirect leads to cross site scripting" }, "info": [ "http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html" ] }, { "below" : "1.3.0", "severity": "high", "identifiers": { "gist" : "jupenur/e5d0c6f9b58aa81860bf74e010cf1685", "summary": "Endpoint that reflect user input leads to cross site scripting" }, "info": [ "https://gist.github.com/jupenur/e5d0c6f9b58aa81860bf74e010cf1685" ] } ], "extractors" : { "func" : [ "jQuery.mobile.version" ], "filename" : [ "jquery.mobile-(§§version§§)(.min)?\\.js" ], "uri" : [ 
"/(§§version§§)/jquery.mobile(\\.min)?\\.js" ], "filecontent" : [ "/\\*!?(?:\n \\*)? jQuery Mobile(?: -)? v(§§version§§)" ], "hashes" : {} } }, "jquery-ui" : { "bowername": [ "jquery-ui", "jquery.ui" ], "vulnerabilities" : [ { "below" : "1.13.2", "severity": "low", "identifiers": { "summary": "XSS when refreshing checkboxes if usercontrolled data in labels", "issue" : "2101", "CVE" : [ "CVE-2022-31160" ] }, "info" : [ "https://github.com/jquery/jquery-ui/issues/2101", "https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9", "https://github.com/advisories/GHSA-h6gj-6jjq-h8g9", "https://nvd.nist.gov/vuln/detail/CVE-2022-31160" ] }, { "below" : "1.13.0", "severity": "medium", "identifiers": { "CVE": [ "CVE-2021-41184" ], "summary": "XSS in the `of` option of the `.position()` util" }, "info" : [ "https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327", "https://nvd.nist.gov/vuln/detail/CVE-2021-41184" ] }, { "below" : "1.13.0", "severity": "medium", "identifiers": { "CVE": [ "CVE-2021-41183" ], "bug": "15284", "summary": "XSS Vulnerability on text options of jQuery UI datepicker" }, "info" : [ "https://bugs.jqueryui.com/ticket/15284", "https://nvd.nist.gov/vuln/detail/CVE-2021-41183" ] }, { "below" : "1.13.0", "severity": "medium", "identifiers": { "CVE": [ "CVE-2021-41182" ], "summary": "XSS in the `altField` option of the Datepicker widget" }, "info" : [ "https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc", "https://nvd.nist.gov/vuln/detail/CVE-2021-41182" ] }, { "below" : "1.13.2", "severity": "medium", "identifiers": { "CVE": [ "CVE-2022-31160" ], "summary": "XSS when refreshing a checkboxradio with an HTML-like initial text label " }, "info" : [ "https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9", "https://nvd.nist.gov/vuln/detail/CVE-2022-31160" ] } ], "extractors" : { "func" : [ "jQuery.ui.version" ], "uri" : [ "/(§§version§§)/jquery-ui(\\.min)?\\.js" ], 
"filecontent" : [ "/\\*!? jQuery UI - v(§§version§§)", "/\\*!?[\n *]+jQuery UI (§§version§§)" ], "hashes" : {} } }, "jquery-ui-dialog" : { "bowername": [ "jquery-ui", "jquery.ui" ], "vulnerabilities" : [ { "atOrAbove": "1.8.9", "below" : "1.10.0", "severity": "medium", "identifiers": { "CVE": [ "CVE-2010-5312" ], "bug": "6016", "summary": "Title cross-site scripting vulnerability" }, "info" : [ "http://bugs.jqueryui.com/ticket/6016", "https://nvd.nist.gov/vuln/detail/CVE-2010-5312" ] }, { "below" : "1.12.0", "severity": "medium", "identifiers": { "CVE": [ "CVE-2016-7103" ], "bug": "281", "summary": "XSS Vulnerability on closeText option" }, "info" : [ "https://github.com/jquery/api.jqueryui.com/issues/281", "https://nvd.nist.gov/vuln/detail/CVE-2016-7103", "https://snyk.io/vuln/npm:jquery-ui:20160721" ] } ], "extractors" : { "func" : [ "jQuery.ui.dialog.version" ], "filecontent" : [ "/\\*!? jQuery UI - v(§§version§§)(.*\n){1,3}.*jquery\\.ui\\.dialog\\.js", "/\\*!?[\n *]+jQuery UI (§§version§§)(.*\n)*.*\\.ui\\.dialog", "/\\*!?[\n *]+jQuery UI Dialog (§§version§§)", "/\\*!? jQuery UI - v(§§version§§)(.*\n){1,3}\\* Includes: .* dialog\\.js" ], "hashes" : {} } }, "jquery-ui-autocomplete" : { "bowername": [ "jquery-ui", "jquery.ui" ], "vulnerabilities" : [ ], "extractors" : { "func" : [ "jQuery.ui.autocomplete.version" ], "filecontent" : [ "/\\*!? jQuery UI - v(§§version§§)(.*\n){1,3}.*jquery\\.ui\\.autocomplete\\.js", "/\\*!?[\n *]+jQuery UI (§§version§§)(.*\n)*.*\\.ui\\.autocomplete", "/\\*!?[\n *]+jQuery UI Autocomplete (§§version§§)", "/\\*!? 
jQuery UI - v(§§version§§)(.*\n){1,3}\\* Includes: .* autocomplete\\.js" ], "hashes" : {} } }, "jquery-ui-tooltip" : { "bowername": [ "jquery-ui", "jquery.ui" ], "vulnerabilities" : [ { "atOrAbove": "1.9.2", "below" : "1.10.0", "severity": "medium", "identifiers": { "CVE" : [ "CVE-2012-6662" ], "bug": "8859", "summary": "Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip" }, "info" : [ "http://bugs.jqueryui.com/ticket/8859", "https://nvd.nist.gov/vuln/detail/CVE-2012-6662" ] } ], "extractors" : { "func" : [ "jQuery.ui.tooltip.version" ], "filecontent" : [ "/\\*!? jQuery UI - v(§§version§§)(.*\n){1,3}.*jquery\\.ui\\.tooltip\\.js", "/\\*!?[\n *]+jQuery UI (§§version§§)(.*\n)*.*\\.ui\\.tooltip", "/\\*!?[\n *]+jQuery UI Tooltip (§§version§§)" ], "hashes" : {} } }, "jquery.prettyPhoto" : { "bowername": [ "jquery-prettyPhoto" ], "vulnerabilities" : [ { "below" : "3.1.5", "severity" : "medium", "identifiers" : { "CVE" : [ "CVE-2013-6837" ] }, "info" : [ "https://nvd.nist.gov/vuln/detail/CVE-2013-6837" ] }, { "below" : "3.1.6", "severity" : "high", "identifiers" : { "issue" : "149" }, "info" : [ "https://github.com/scaron/prettyphoto/issues/149", "https://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto" ] } ], "extractors" : { "func" : [ "jQuery.prettyPhoto.version" ], "uri" : [ "/prettyPhoto/(§§version§§)/js/jquery\\.prettyPhoto(\\.min?)\\.js", "/prettyphoto@(§§version§§)/js/jquery\\.prettyPhoto\\.js" ], "filecontent" : [ "/\\*[\r\n -]+Class: prettyPhoto(?:.*\n){1,3}[ ]*Version: (§§version§§)", "\\.prettyPhoto[ ]?=[ ]?\\{version:[ ]?(?:'|\")(§§version§§)(?:'|\")\\}" ], "hashes" : {} } }, "jPlayer" : { "bowername": [ "jPlayer" ], "vulnerabilities" : [ { "below" : "2.3.1", "severity": "medium", "identifiers": { "CVE": [ "CVE-2013-2023" ], "release" : "2.3.1", "summary" : "XSS vulnerability in actionscript/Jplayer.as in the Flash SWF component" }, "info" : [ "http://jplayer.org/latest/release-notes/", 
"https://nvd.nist.gov/vuln/detail/CVE-2013-2023" ] }, { "below" : "2.3.23", "severity": "medium", "identifiers": { "CVE": [ "CVE-2013-2022" ], "release": "2.3.23", "summary": "XSS vulnerabilities in actionscript/Jplayer.as in the Flash SWF component" }, "info" : [ "http://jplayer.org/latest/release-notes/", "https://nvd.nist.gov/vuln/detail/CVE-2013-2022" ] }, { "below" : "2.2.20", "severity": "medium", "identifiers": { "CVE": [ "CVE-2013-1942" ], "release": "2.2.20", "summary": "XSS vulnerabilities in actionscript/Jplayer.as in the Flash SWF component" }, "info" : [ "http://jplayer.org/latest/release-notes/", "https://nvd.nist.gov/vuln/detail/CVE-2013-1942" ] } ], "extractors" : { "func" : [ "new jQuery.jPlayer().version.script" ], "filecontent" : [ "/\\*!?[\n *]+jPlayer Plugin for jQuery (?:.*\n){1,10}[ *]+Version: (§§version§§)", "/\\*!? jPlayer (§§version§§) for jQuery" ], "hashes" : {} } }, "knockout": { "vulnerabilities" : [ { "below" : "3.5.0-beta", "severity": "medium", "identifiers": { "issue": "1244", "summary": "XSS injection point in attr name binding for browser IE7 and older" }, "info" : [ "https://github.com/knockout/knockout/issues/1244" ] } ], "extractors" : { "func" : [ "ko.version" ], "filename" : [ "knockout-(§§version§§)(.min)?\\.js"], "uri" : [ "/knockout/(§§version§§)/knockout(-[a-z.]+)?\\.js" ], "filecontent" : [ "(?:\\*|//) Knockout JavaScript library v(§§version§§)" ], "hashes" : {} } }, "sessvars": { "vulnerabilities" : [ { "below" : "1.01", "severity": "low", "identifiers": { "tenable" : "98645", "summary": "Unsanitized data passed to eval()" }, "info" : [ "http://www.thomasfrank.se/sessionvars.html" ] } ], "extractors" : { "filename" : [ "sessvars-(§§version§§)(.min)?\\.js"], "filecontent" : [ "sessvars ver (§§version§§)"], "hashes" : {} } }, "swfobject": { "bowername": [ "swfobject", "swfobject-bower" ], "vulnerabilities" : [ { "below" : "2.1", "severity": "medium", "identifiers": { "summary": "DOM-based XSS", "retid": "1" }, "info" : 
[ "https://github.com/swfobject/swfobject/wiki/SWFObject-Release-Notes#swfobject-v21-beta7-june-6th-2008" ] } ], "extractors" : { "filename" : [ "swfobject_(§§version§§)(.min)?\\.js"], "filecontent" : [ "SWFObject v(§§version§§) "], "hashes" : {} } }, "tinyMCE" : { "bowername": [ "tinymce", "tinymce-dist" ], "vulnerabilities" : [ { "below" : "1.4.2", "severity" : "high", "identifiers" : { "summary" : "Static code injection vulnerability in inc/function.base.php", "CVE" : [ "CVE-2011-4825" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2011-4825/" ] }, { "below" : "4.2.4", "severity" : "medium", "identifiers" : { "summary" : "xss issues with media plugin not properly filtering out some script attributes.", "retid" : "61" }, "info" : [ "https://www.tinymce.com/docs/changelog/" ] }, { "below" : "4.2.0", "severity" : "medium", "identifiers" : { "summary" : "FIXED so script elements gets removed by default to prevent possible XSS issues in default config implementations", "retid" : "62" }, "info" : [ "https://www.tinymce.com/docs/changelog/" ] }, { "below" : "4.7.12", "severity" : "medium", "identifiers" : { "summary" : "FIXED so links with xlink:href attributes are filtered correctly to prevent XSS.", "retid" : "63" }, "info" : [ "https://www.tinymce.com/docs/changelog/" ] }, { "below" : "5.1.4", "atOrAbove" : "5.0.0", "severity" : "medium", "identifiers" : { "summary" : "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs", "githubID" : "GHSA-27gm-ghr9-4v95" }, "info" : [ "https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95" ] }, { "below" : "5.1.6", "severity" : "medium", "identifiers" : { "summary" : "CDATA parsing and sanitization has been improved to address a cross-site scripting (XSS) vulnerability.", "retid": "64" }, "info" : [ "https://www.tiny.cloud/docs/release-notes/release-notes516/" ] }, { "below" : "5.2.2", "severity" : "low", 
"identifiers" : { "summary" : "media embed content not processing safely in some cases.", "retid": "65" }, "info" : [ "https://www.tiny.cloud/docs/release-notes/release-notes522/" ] }, { "below" : "5.4.0", "severity" : "low", "identifiers" : { "summary" : "content in an iframe element parsing as DOM elements instead of text content.", "retid": "66" }, "info" : [ "https://www.tiny.cloud/docs/release-notes/release-notes54/" ] }, { "below" : "5.6.0", "severity" : "medium", "identifiers" : { "summary" : "security issue where URLs in attributes weren’t correctly sanitized. security issue in the codesample plugin", "retid": "67" }, "info" : [ "https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes" ] }, { "below" : "5.7.1", "severity" : "medium", "identifiers" : { "summary" : "URLs are not correctly filtered in some cases.", "retid": "68" }, "info" : [ "https://www.tiny.cloud/docs/release-notes/release-notes571/#securityfixes" ] }, { "below" : "5.9.0", "severity" : "medium", "identifiers" : { "summary" : "Inserting certain HTML content into the editor could result in invalid HTML once parsed. This caused a medium severity Cross Site Scripting (XSS) vulnerability", "retid": "69" }, "info" : [ "https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes" ] }, { "below" : "5.10.0", "severity" : "medium", "identifiers" : { "summary" : "URLs not cleaned correctly in some cases in the link and image plugins", "retid": "70" }, "info" : [ "https://www.tiny.cloud/docs/release-notes/release-notes510/#securityfixes" ] }, { "below" : "5.10.7", "severity" : "medium", "identifiers" : { "CVE" : [ "CVE-2022-23494" ], "summary" : "A cross-site scripting (XSS) vulnerability in TinyMCE alerts which allowed arbitrary JavaScript execution was found and fixed." 
}, "info" : [ "https://www.tiny.cloud/docs/changelog/#5107-2022-12-06", "https://www.cve.org/CVERecord?id=CVE-2022-23494" ] } ], "extractors" : { "uri" : [ "/tinymce/(§§version§§)/tinymce(\\.min)?\\.js" ], "filecontent" : [ "// (§§version§§) \\([0-9\\-]+\\)[\n\r]+.{0,1200}l=.tinymce/geom/Rect.", "/\\*\\*[\\s]*\\* TinyMCE version (§§version§§)" ], "filecontentreplace" : [ "/tinyMCEPreInit.*majorVersion:.([0-9]+).,minorVersion:.([0-9.]+)./$1.$2/", "/majorVersion:.([0-9]+).,minorVersion:.([0-9.]+).,.*tinyMCEPreInit/$1.$2/" ], "func" : [ "tinyMCE.majorVersion + '.'+ tinyMCE.minorVersion" ] } }, "YUI" : { "bowername": [ "yui", "yui3" ], "vulnerabilities" : [ { "atOrAbove" : "3.5.0" , "below" : "3.9.2", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-4942" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2013-4942/" ] }, { "atOrAbove" : "3.2.0" , "below" : "3.9.2", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-4941" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2013-4941/" ] }, { "atOrAbove" : "3.0.0", "below" : "3.10.3", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-4940" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2013-4940/" ] }, { "atOrAbove" : "3.0.0" , "below" : "3.9.2", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-4939" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2013-4939/" ] }, { "atOrAbove" : "2.8.0" , "below" : "2.9.1", "severity": "medium", "identifiers": {"CVE": [ "CVE-2012-5883" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2012-5883/" ] }, { "atOrAbove" : "2.5.0" , "below" : "2.9.1", "severity": "medium", "identifiers": {"CVE": [ "CVE-2012-5882" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2012-5882/" ] }, { "atOrAbove" : "2.4.0" , "below" : "2.9.1", "severity": "medium", "identifiers": {"CVE": [ "CVE-2012-5881" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2012-5881/" ] }, { "below" : "2.9.0", "severity": "medium", "identifiers": {"CVE": [ "CVE-2010-4710" ] }, "info" : [ 
"http://www.cvedetails.com/cve/CVE-2010-4710/" ] }, { "atOrAbove" : "2.8.0" , "below" : "2.8.2", "severity": "medium", "identifiers": {"CVE": [ "CVE-2010-4209" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2010-4209/" ] }, { "atOrAbove" : "2.5.0" , "below" : "2.8.2", "severity": "medium", "identifiers": {"CVE": [ "CVE-2010-4208" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2010-4208/" ] }, { "atOrAbove" : "2.4.0" , "below" : "2.8.2", "severity": "medium", "identifiers": {"CVE": [ "CVE-2010-4207" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2010-4207/" ] } ], "extractors" : { "func" : [ "YUI.Version", "YAHOO.VERSION" ], "filename" : [ "yui-(§§version§§)(.min)?\\.js"], "filecontent" : [ "/*\nYUI (§§version§§)", "/yui/license.(?:html|txt)\nversion: (§§version§§)"], "hashes" : {} } }, "prototypejs" : { "bowername": [ "prototypejs", "prototype.js", "prototypejs-bower" ], "vulnerabilities" : [ { "atOrAbove" : "1.6.0", "below" : "1.6.0.2", "severity": "high", "identifiers": {"CVE": [ "CVE-2008-7220" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2008-7220/", "http://prototypejs.org/2008/01/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security/" ] }, { "below" : "1.5.1.2", "severity": "high", "identifiers": {"CVE": [ "CVE-2008-7220" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2008-7220/", "http://prototypejs.org/2008/01/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security/" ] } ], "extractors" : { "func" : [ "Prototype.Version" ], "uri" : [ "/(§§version§§)/prototype(\\.min)?\\.js" ], "filename" : [ "prototype-(§§version§§)(.min)?\\.js" ], "filecontent" : [ "Prototype JavaScript framework, version (§§version§§)", "Prototype[ ]?=[ ]?\\{[ \r\n\t]*Version:[ ]?(?:'|\")(§§version§§)(?:'|\")" ], "hashes" : {} } }, "ember" : { "vulnerabilities" : [ { "atOrAbove" : "4.9.0-alpha.1", "below" :"4.9.0-beta.3", "severity" : "high", "identifiers": { "summary" : "Prototype pollution", "retid" : "55" }, "info": [ 
"https://blog.emberjs.com/ember-4-8-1-released/" ] }, { "atOrAbove" : "4.5.0", "below" :"4.8.1", "severity" : "high", "identifiers": { "summary" : "Prototype pollution", "retid" : "56" }, "info": [ "https://blog.emberjs.com/ember-4-8-1-released/" ] }, { "atOrAbove" : "4.0.0", "below" :"4.4.4", "severity" : "high", "identifiers": { "summary" : "Prototype pollution", "retid" : "57" }, "info": [ "https://blog.emberjs.com/ember-4-8-1-released/" ] }, { "atOrAbove" : "3.25.0", "below" :"3.28.10", "severity" : "high", "identifiers": { "summary" : "Prototype pollution", "retid" : "58" }, "info": [ "https://blog.emberjs.com/ember-4-8-1-released/" ] }, { "below" :"3.24.7", "severity" : "high", "identifiers": { "summary" : "Prototype pollution", "retid" : "59" }, "info": [ "https://blog.emberjs.com/ember-4-8-1-released/" ] }, { "atOrAbove" : "1.8.0", "below" :"1.11.4", "severity" : "medium", "identifiers": {"CVE": [ "CVE-2015-7565" ] }, "info": [ "https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY" ] }, { "atOrAbove" : "1.12.0", "below" :"1.12.2", "severity" : "medium", "identifiers": {"CVE": [ "CVE-2015-7565" ] }, "info": [ "https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY" ] }, { "atOrAbove" : "1.13.0", "below" : "1.13.12", "severity" : "medium", "identifiers": {"CVE": [ "CVE-2015-7565" ] }, "info": [ "https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY" ] }, { "atOrAbove" : "2.0.0", "below" : "2.0.3", "severity" : "medium", "identifiers": {"CVE": [ "CVE-2015-7565" ] }, "info": [ "https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY" ] }, { "atOrAbove" : "2.1.0", "below" : "2.1.2", "severity" : "medium", "identifiers": {"CVE": [ "CVE-2015-7565" ] }, "info": [ "https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY" ] }, { "atOrAbove" : "2.2.0", "below" : "2.2.1", "severity" : "medium", "identifiers": {"CVE": [ "CVE-2015-7565" ] }, "info": [ 
"https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY" ] }, { "below" : "1.5.0", "severity": "low", "identifiers": { "CVE": [ "CVE-2014-0046" ], "summary": "ember-routing-auto-location can be forced to redirect to another domain" }, "info" : [ "https://github.com/emberjs/ember.js/blob/v1.5.0/CHANGELOG.md" ] }, { "atOrAbove" : "1.3.0-*", "below" : "1.3.2", "severity": "low", "identifiers": {"CVE": [ "CVE-2014-0046" ] }, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ" ] }, { "atOrAbove" : "1.2.0-*", "below" : "1.2.2", "severity": "low", "identifiers": {"CVE": [ "CVE-2014-0046" ] }, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ" ] }, { "atOrAbove" : "1.4.0-*", "below" : "1.4.0-beta.2", "severity": "low", "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] }, { "atOrAbove" : "1.3.0-*", "below" : "1.3.1", "severity": "low", "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] }, { "atOrAbove" : "1.2.0-*", "below" : "1.2.1", "severity": "low", "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] }, { "atOrAbove" : "1.1.0-*", "below" : "1.1.3", "severity": "low", "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] }, { "atOrAbove" : "1.0.0-*", "below" : "1.0.1", "severity": "low", "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}, "info" : [ 
"https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] }, { "atOrAbove" : "1.0.0-rc.1", "below" : "1.0.0-rc.1.1", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-4170" ] }, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] }, { "atOrAbove" : "1.0.0-rc.2", "below" : "1.0.0-rc.2.1", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-4170" ] }, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] }, { "atOrAbove" : "1.0.0-rc.3", "below" : "1.0.0-rc.3.1", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-4170" ] }, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] }, { "atOrAbove" : "1.0.0-rc.4", "below" : "1.0.0-rc.4.1", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-4170" ] }, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] }, { "atOrAbove" : "1.0.0-rc.5", "below" : "1.0.0-rc.5.1", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-4170" ] }, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] }, { "atOrAbove" : "1.0.0-rc.6", "below" : "1.0.0-rc.6.1", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-4170" ] }, "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] }, { "below" : "0.9.7.1", "severity" : "low", "identifiers": { "retid" : "60", "summary" : "More rigorous XSS escaping from bindAttr" }, "info" : [ "https://github.com/emberjs/ember.js/blob/master/CHANGELOG.md" ] }, { "below" : "0.9.7", "severity": "high", "identifiers": { "bug": "699", "summary": "Bound attributes aren't escaped properly" }, "info" : [ "https://github.com/emberjs/ember.js/issues/699" ] } ], "extractors" : { "func" : [ "Ember.VERSION" ], "uri" : [ "/(?:v)?(§§version§§)/ember(\\.min)?\\.js", "/ember\\.?js/(§§version§§)/ember((\\.|-)[a-z\\-.]+)?\\.js" ], "filename" : [ 
"ember-(§§version§§)(\\.min)?\\.js" ], "filecontent" : [ "Project: Ember -(?:.*\n){9,11}// Version: v(§§version§§)", "// Version: v(§§version§§)(.*\n){10,15}(Ember Debug|@module ember|@class ember)", "Ember.VERSION[ ]?=[ ]?(?:'|\")(§§version§§)(?:'|\")", "meta\\.revision=\"Ember@(§§version§§)\"", "e\\(\"ember/version\",\\[\"exports\"\\],function\\(e\\)\\{\"use strict\";?[\\s]*e(?:\\.|\\[\")default(?:\"\\])?=\"(§§version§§)\"", "\\(\"ember/version\",\\[\"exports\"\\],function\\(e\\)\\{\"use strict\";.{1,70}\\.default=\"(§§version§§)\"", "/\\*![\\s]+\\* @overview Ember - JavaScript Application Framework[\\s\\S]{0,400}\\* @version (§§version§§)" ], "hashes" : {} } }, "dojo" : { "vulnerabilities" : [ { "atOrAbove" : "0.4", "below" : "0.4.4", "severity": "high", "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2272"]}, "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2272/" ] }, { "atOrAbove" : "1.0", "below" : "1.0.3", "severity": "high", "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"]}, "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ] }, { "atOrAbove" : "1.1", "below" : "1.1.2", "severity": "high", "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"]}, "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ] }, { "atOrAbove" : "1.2", "below" : "1.2.4", "severity": "high", "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"]}, "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", 
"http://www.cvedetails.com/cve/CVE-2010-2273/" ] }, { "atOrAbove" : "1.3", "below" : "1.3.3", "severity": "high", "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"]}, "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ] }, { "atOrAbove" : "1.4", "below" : "1.4.2", "severity": "high", "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"]}, "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ] }, { "below" : "1.4.2", "severity": "medium", "identifiers": {"CVE": [ "CVE-2010-2275" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2010-2275/"] }, { "below" : "1.1", "severity": "medium", "identifiers": {"CVE": [ "CVE-2008-6681" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2008-6681/"] }, { "below" : "1.10.10", "severity": "medium", "identifiers": { "PR" : "307" }, "info" : [ "https://github.com/dojo/dojo/pull/307" , "https://dojotoolkit.org/blog/dojo-1-14-released"] }, { "atOrAbove" : "1.11.0", "below" : "1.11.6", "severity": "medium", "identifiers": { "PR" : "307" }, "info" : [ "https://github.com/dojo/dojo/pull/307" , "https://dojotoolkit.org/blog/dojo-1-14-released"] }, { "atOrAbove" : "1.12.0", "below" : "1.12.4", "severity": "medium", "identifiers": { "PR" : "307" }, "info" : [ "https://github.com/dojo/dojo/pull/307" , "https://dojotoolkit.org/blog/dojo-1-14-released"] }, { "atOrAbove" : "1.13.0", "below" : "1.13.1", "severity": "medium", "identifiers": { "PR" : "307" }, "info" : [ "https://github.com/dojo/dojo/pull/307" , "https://dojotoolkit.org/blog/dojo-1-14-released"] }, { "below" : "1.14", "severity": "high", "identifiers": { "CVE": ["CVE-2018-15494"] }, "info" : [ 
"https://dojotoolkit.org/blog/dojo-1-14-released" ] }, { "below" : "1.11.10", "severity": "medium", "identifiers": { "CVE": ["CVE-2020-5258"] }, "info" : [ "https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2" ] }, { "below" : "1.12.8", "atOrAbove" : "1.12.0", "severity": "medium", "identifiers": { "CVE": ["CVE-2020-5258"] }, "info" : [ "https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2" ] }, { "below" : "1.13.7", "atOrAbove" : "1.13.0", "severity": "medium", "identifiers": { "CVE": ["CVE-2020-5258"] }, "info" : [ "https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2" ] }, { "below" : "1.14.6", "atOrAbove" : "1.14.0", "severity": "medium", "identifiers": { "CVE": ["CVE-2020-5258"] }, "info" : [ "https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2" ] }, { "below" : "1.15.3", "atOrAbove" : "1.15.0", "severity": "medium", "identifiers": { "CVE": ["CVE-2020-5258"] }, "info" : [ "https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2" ] }, { "below" : "1.16.2", "atOrAbove" : "1.16.0", "severity": "medium", "identifiers": { "CVE": ["CVE-2020-5258"] }, "info" : [ "https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2" ] }, { "below" : "1.17.0", "severity": "medium", "identifiers": { "summary": "Prototype pollution", "CVE": ["CVE-2021-23450"] }, "info" : [ "https://github.com/dojo/dojo/pull/418" ] } ], "extractors" : { "func" : [ "dojo.version.toString()" ], "uri" : [ "/(?:dojo-)?(§§version§§)/dojo(\\.min)?\\.js" ], "filename" : [ "dojo-(§§version§§)(\\.min)?\\.js" ], "filecontentreplace" : [ "/dojo.version=\\{major:([0-9]+),minor:([0-9]+),patch:([0-9]+)/$1.$2.$3/"], "hashes" : { "73cdd262799aab850abbe694cd3bfb709ea23627" : "1.4.1", "c8c84eddc732c3cbf370764836a7712f3f873326" : "1.4.0", "d569ce9efb7edaedaec8ca9491aab0c656f7c8f0" : "1.0.0", "ad44e1770895b7fa84aff5a56a0f99b855a83769" : "1.3.2", "8fc10142a06966a8709cd9b8732f7b6db88d0c34" : "1.3.1", 
"a09b5851a0a3e9d81353745a4663741238ee1b84" : "1.3.0", "2ab48d45abe2f54cdda6ca32193b5ceb2b1bc25d" : "1.2.3", "12208a1e649402e362f528f6aae2c614fc697f8f" : "1.2.0", "72a6a9fbef9fa5a73cd47e49942199147f905206" : "1.1.1" } } }, "angularjs" : { "bowername": [ "angularjs", "angular.js" ], "vulnerabilities" : [ { "below" : "1.8.0", "severity": "medium", "identifiers": { "summary": "XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element.", "CVE": [ "CVE-2020-7676" ] }, "info" : [ "https://github.com/advisories/GHSA-5cp4-xmrw-59wf" ] }, { "below" : "1.8.0", "severity": "low", "identifiers": { "summary": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one.", "CVE": [ "CVE-2020-7676" ] }, "info" : [ "https://nvd.nist.gov/vuln/detail/CVE-2020-7676" ] }, { "below" : "1.7.9", "severity": "medium", "identifiers": { "summary": "Prototype pollution", "retid" : "47" }, "info" : [ "https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a", "https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19" ] }, { "atOrAbove" : "1.5.0", "below" : "1.6.9", "severity": "low", "identifiers": { "summary": "XSS through SVG if enableSvg is set", "retid" : "48" }, "info" : [ "https://github.com/angular/angular.js/blob/master/CHANGELOG.md#169-fiery-basilisk-2018-02-02", "https://vulnerabledoma.in/ngSanitize1.6.8_bypass.html" ] }, { "below" : "1.5.0-beta.1", "severity": "medium", "identifiers": { "summary": "XSS through xlink:href attributes", "CVE": [ "CVE-2019-14863" ] }, "info" : [ "https://github.com/angular/angular.js/blob/master/CHANGELOG.md#150-beta1-dense-dispersion-2015-09-29", "https://github.com/advisories/GHSA-r5fx-8r73-v86c" ] }, { "atOrAbove" : 
"1.3.0", "below" : "1.5.0-rc2", "severity": "medium", "identifiers": { "summary": "The attribute usemap can be used as a security exploit", "retid" : "49" }, "info" : [ "https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21" ] }, { "atOrAbove" : "1.0.0", "below" : "1.2.30", "severity": "medium", "identifiers": { "summary": "The attribute usemap can be used as a security exploit", "retid" : "50" }, "info" : [ "https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21" ] }, { "below" : "1.6.3", "severity": "medium", "identifiers": { "summary": "Universal CSP bypass via add-on in Firefox", "retid" : "51" }, "info" : [ "https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435", "http://pastebin.com/raw/kGrdaypP" ] }, { "below" : "1.6.3", "severity": "medium", "identifiers": { "summary": "DOS in $sanitize", "retid" : "52" }, "info" : [ "https://github.com/angular/angular.js/blob/master/CHANGELOG.md", "https://github.com/angular/angular.js/pull/15699" ] }, { "below" : "1.6.5", "severity": "low", "identifiers": { "summary": "XSS in $sanitize in Safari/Firefox", "retid" : "53" }, "info" : [ "https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94" ] }, { "below" : "1.999", "severity": "low", "identifiers": { "summary": "End-of-Life: Long term support for AngularJS has been discontinued", "retid" : "54" }, "info" : [ "https://blog.angular.io/discontinued-long-term-support-for-angularjs-cc066b82e65a?gi=9d3103b5445c" ] } ], "extractors" : { "func" : [ "angular.version.full" ], "uri" : [ "/(§§version§§)/angular(\\.min)?\\.js" ], "filename" : [ "angular(?:js)?-(§§version§§)(.min)?\\.js" ], "filecontent" : [ "/\\*[ \n]+AngularJS v(§§version§§)", "http://errors\\.angularjs\\.org/(§§version§§)/" ], "hashes" : {} } }, "backbone.js" : { "bowername": [ "backbonejs", "backbone" ], "vulnerabilities" : [ { "below" : "0.5.0", "severity": "medium", 
"identifiers": { "release": "0.5.0", "summary": "cross-site scripting vulnerability", "retid" : "46" }, "info" : [ "http://backbonejs.org/#changelog" ] } ], "extractors" : { "func" : [ "Backbone.VERSION" ], "uri" : [ "/(§§version§§)/backbone(\\.min)?\\.js" ], "filename" : [ "backbone(?:js)?-(§§version§§)(.min)?\\.js" ], "filecontent" : [ "//[ ]+Backbone.js (§§version§§)", "a=t.Backbone=\\{\\}\\}a.VERSION=\"(§§version§§)\"" ], "hashes" : {} } }, "mustache.js" : { "bowername": [ "mustache.js", "mustache" ], "vulnerabilities" : [ { "below" : "0.3.1", "severity": "high", "identifiers": { "bug": "112", "summary": "execution of arbitrary javascript" }, "info" : [ "https://github.com/janl/mustache.js/issues/112" ] }, { "below" : "2.2.1", "severity": "medium", "identifiers": { "bug": "pull request 530", "summary": "weakness in HTML escaping" }, "info" : [ "https://github.com/janl/mustache.js/releases/tag/v2.2.1", "https://github.com/janl/mustache.js/pull/530" ] } ], "extractors" : { "func" : [ "Mustache.version" ], "uri" : [ "/(§§version§§)/mustache(\\.min)?\\.js" ], "filename" : [ "mustache(?:js)?-(§§version§§)(.min)?\\.js" ], "filecontent" : [ "name:\"mustache.js\",version:\"(§§version§§)\"", "[^a-z]mustache.version[ ]?=[ ]?(?:'|\")(§§version§§)(?:'|\")", "exports.name[ ]?=[ ]?\"mustache.js\";[\n ]*exports.version[ ]?=[ ]?(?:'|\")(§§version§§)(?:'|\");" ], "hashes" : {} } }, "handlebars" : { "bowername": [ "handlebars", "handlebars.js" ], "vulnerabilities" : [ { "below" : "1.0.0.beta.3", "severity": "medium", "identifiers": { "summary": "poorly sanitized input passed to eval()", "issue" : "68" }, "info" : [ "https://github.com/wycats/handlebars.js/pull/68" ] }, { "below" : "4.0.0", "severity": "medium", "identifiers": { "summary": "Quoteless attributes in templates can lead to XSS", "issue" : "1083" }, "info" : [ "https://github.com/wycats/handlebars.js/pull/1083" ] }, { "atOrAbove" : "4.0.0", "below" : "4.0.13", "severity": "high", "identifiers": { "summary": "A 
prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template", "retid" : "43" }, "info" : [ "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692", "https://github.com/wycats/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86" ] }, { "atOrAbove" : "4.0.0", "below" : "4.0.14", "severity": "high", "identifiers": { "summary": "A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template", "issue" : "1495" }, "info" : [ "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-174183", "https://github.com/wycats/handlebars.js/issues/1495", "https://github.com/wycats/handlebars.js/commit/cd38583216dce3252831916323202749431c773e" ] }, { "atOrAbove" : "4.1.0", "below" : "4.1.2", "severity": "high", "identifiers": { "summary": "A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template", "issue" : "1495" }, "info" : [ "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-174183", "https://github.com/wycats/handlebars.js/issues/1495", "https://github.com/wycats/handlebars.js/commit/cd38583216dce3252831916323202749431c773e" ] }, { "below" : "4.3.0", "severity": "low", "identifiers": { "summary": "Disallow calling helperMissing and blockHelperMissing directly", "retid" : "44" }, "info" : [ "https://github.com/wycats/handlebars.js/blob/master/release-notes.md#v430---september-24th-2019" ] }, { "below" : "4.5.3", "severity": "medium", "identifiers": { "summary": "Prototype pollution", "retid" : "45" }, "info" : [ "https://github.com/wycats/handlebars.js/blob/master/release-notes.md#v453---november-18th-2019" ] }, { "below" : "4.6.0", "severity": "medium", "identifiers": { "summary": "Denial of service", "issue" : "1633" }, "info" : [ "https://github.com/handlebars-lang/handlebars.js/pull/1633" ] }, { "below" : "4.7.7", "severity": "medium", "identifiers": { "summary": "Prototype pollution", "retid" : "71" }, "info" : [ 
"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427" ] } ], "extractors" : { "func" : [ "Handlebars.VERSION" ], "uri" : [ "/(§§version§§)/handlebars(\\.min)?\\.js" ], "filename" : [ "handlebars(?:js)?-(§§version§§)(.min)?\\.js" ], "filecontent" : [ "Handlebars.VERSION = \"(§§version§§)\";", "Handlebars=\\{VERSION:(?:'|\")(§§version§§)(?:'|\")", "this.Handlebars=\\{\\};[\n\r \t]+\\(function\\([a-z]\\)\\{[a-z].VERSION=(?:'|\")(§§version§§)(?:'|\")", "/\\*+![\\s]+(?:@license)?[\\s]+handlebars v(§§version§§)" ], "hashes" : {} } }, "easyXDM" : { "vulnerabilities" : [ { "below" : "2.4.18", "severity": "medium", "identifiers": {"CVE": [ "CVE-2013-5212" ] }, "info" : [ "http://blog.kotowicz.net/2013/09/exploiting-easyxdm-part-1-not-usual.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5212" ] }, { "below" : "2.4.19", "severity": "medium", "identifiers": {"CVE": [ "CVE-2014-1403" ] }, "info" : [ "http://blog.kotowicz.net/2014/01/xssing-with-shakespeare-name-calling.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1403" ] }, { "below" : "2.4.20", "severity": "medium", "identifiers": { "summary" : "This release fixes a potential XSS for IE running in compatibility mode.", "retid" : "39" }, "info" : [ "https://github.com/oyvindkinsey/easyXDM/releases/tag/2.4.20" ] }, { "below" : "2.5.0", "severity": "medium", "identifiers": { "summary" : "This tightens down the default origin whitelist in the CORS example.", "retid" : "40" }, "info" : [ "https://github.com/oyvindkinsey/easyXDM/releases/tag/2.5.0" ] } ], "extractors" : { "uri" : [ "/(?:easyXDM-)?(§§version§§)/easyXDM(\\.min)?\\.js" ], "filename" : [ "easyXDM-(§§version§§)(.min)?\\.js" ], "filecontent" : [ " \\* easyXDM\n \\* http://easyxdm.net/(?:\r|\n|.)+version:\"(§§version§§)\"", "@class easyXDM(?:.|\r|\n)+@version (§§version§§)(\r|\n)" ], "hashes" : { "cf266e3bc2da372c4f0d6b2bd87bcbaa24d5a643" : "2.4.6"} } }, "plupload" : { "bowername": [ "Plupload", 
"plupload" ], "vulnerabilities" : [ { "below" : "1.5.4", "severity": "medium", "identifiers": { "CVE": [ "CVE-2012-2401" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2012-2401/" ] }, { "below" : "1.5.5", "severity": "medium", "identifiers": { "CVE": [ "CVE-2013-0237" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2013-0237/" ] }, { "below" : "2.1.9", "severity": "medium", "identifiers": { "CVE": [ "CVE-2016-4566" ] }, "info" : [ "https://github.com/moxiecode/plupload/releases" ] }, { "below" : "2.3.7", "severity": "medium", "identifiers": { "summary": "Fixed security vulnerability by adding die calls to all php files to prevent them from being executed unless modified.", "retid": "35" }, "info" : [ "https://github.com/moxiecode/plupload/releases/tag/v2.3.7" ] }, { "below" : "3.1.3", "atOrAbove" : "3.0.0", "severity": "medium", "identifiers": { "summary": "Fixed security vulnerability by adding die calls to all php files to prevent them from being executed unless modified.", "retid": "36" }, "info" : [ "https://github.com/moxiecode/plupload/releases/tag/v3.1.3" ] }, { "below" : "3.1.4", "atOrAbove" : "3.0.0", "severity": "medium", "identifiers": { "summary": "Fixed a potential security issue with not entity encoding the file names in the html in the queue/ui widgets.", "retid": "37" }, "info" : [ "https://github.com/moxiecode/plupload/releases/tag/v3.1.4" ] }, { "below" : "2.3.8", "severity": "medium", "identifiers": { "summary": "Fixed a potential security issue with not entity encoding the file names in the html in the queue/ui widgets.", "retid": "38" }, "info" : [ "https://github.com/moxiecode/plupload/releases/tag/v2.3.8" ] }, { "below" : "3.1.5", "atOrAbove" : "3.0.0", "severity": "medium", "identifiers": { "summary": "Fixed another case of html entities not being encoded that could be exploited by uploading a file name with html in it.", "retid" : "41" }, "info" : [ "https://github.com/moxiecode/plupload/releases/tag/v3.1.5" ] }, { "below" : "2.3.9", 
"severity": "medium", "identifiers": { "summary": "Fixed another case of html entities not being encoded that could be exploited by uploading a file name with html in it.", "retid" : "42" }, "info" : [ "https://github.com/moxiecode/plupload/releases/tag/v2.3.9" ] } ], "extractors" : { "func" : [ "plupload.VERSION" ], "uri" : [ "/(§§version§§)/plupload(\\.min)?\\.js" ], "filename" : [ "plupload-(§§version§§)(.min)?\\.js" ], "filecontent" : [ "\\* Plupload - multi-runtime File Uploader(?:\r|\n)+ \\* v(§§version§§)", "var g=\\{VERSION:\"(§§version§§)\",.*;window.plupload=g\\}" ], "hashes" : {} } }, "DOMPurify" : { "bowername": [ "dompurify", "DOMPurify" ], "vulnerabilities" : [ { "below" : "0.6.1", "severity": "medium", "identifiers": { "retid": "24" }, "info" : [ "https://github.com/cure53/DOMPurify/releases/tag/0.6.1" ] }, { "below" : "0.8.6", "severity": "medium", "identifiers": { "retid": "25" }, "info" : [ "https://github.com/cure53/DOMPurify/releases/tag/0.8.6" ] }, { "below" : "0.8.9", "severity": "low", "identifiers": { "summary": "safari UXSS", "retid": "26"}, "info" : [ "https://github.com/cure53/DOMPurify/releases/tag/0.8.9", "https://lists.ruhr-uni-bochum.de/pipermail/dompurify-security/2017-May/000006.html" ] }, { "below" : "0.9.0", "severity": "low", "identifiers": { "summary": "safari UXSS", "retid": "27" }, "info" : [ "https://github.com/cure53/DOMPurify/releases/tag/0.9.0" ] }, { "below" : "2.0.16", "severity": "low", "identifiers": { "summary": "Fixed an mXSS-based bypass caused by nested forms inside MathML", "retid": "28" }, "info" : [ "https://github.com/cure53/DOMPurify/releases" ] }, { "below" : "2.0.17", "severity": "low", "identifiers": { "summary": "Fixed another bypass causing mXSS by using MathML", "retid": "29" }, "info" : [ "https://github.com/cure53/DOMPurify/releases" ] }, { "below" : "2.1.1", "severity": "low", "identifiers": { "summary": "Fixed several possible mXSS patterns, thanks @hackvertor", "retid": "30" }, "info" : [ 
"https://github.com/cure53/DOMPurify/releases" ] }, { "below" : "2.2.0", "severity": "low", "identifiers": { "summary": "Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features", "retid": "31" }, "info" : [ "https://github.com/cure53/DOMPurify/releases" ] }, { "below" : "2.2.2", "severity": "low", "identifiers": { "summary": "Fixed an mXSS bypass dropped on us publicly via", "retid": "32" }, "info" : [ "https://github.com/cure53/DOMPurify/releases" ] }, { "below" : "2.2.3", "severity": "low", "identifiers": { "summary": "Fixed an mXSS issue reported", "retid": "33" }, "info" : [ "https://github.com/cure53/DOMPurify/releases" ] }, { "below" : "2.2.4", "severity": "low", "identifiers": { "summary": "Fixed a new MathML-based bypass submitted by PewGrand. Fixed a new SVG-related bypass submitted by SecurityMB", "retid": "34" }, "info" : [ "https://github.com/cure53/DOMPurify/releases" ] } ], "extractors" : { "func" : [ "DOMPurify.version" ], "filecontent" : [ "DOMPurify.version = '(§§version§§)';", "DOMPurify.version=\"(§§version§§)\"", "DOMPurify=.[^\\r\\n]{10,850}?\\.version=\"(§§version§§)\"", "/\\*! 
@license DOMPurify (§§version§§)", "var .=\"dompurify\"+.{10,550}?\\.version=\"(§§version§§)\"" ], "hashes" : {} } }, "react" : { "vulnerabilities" : [ { "atOrAbove" : "0.4.0", "below" : "0.4.2", "severity" : "low", "identifiers" : { "CVE": [ "CVE-2013-7035" ] , "summary":"potential XSS vulnerability can arise when using user data as a key" }, "info": [ "https://facebook.github.io/react/blog/2013/12/18/react-v0.5.2-v0.4.2.html" ] }, { "atOrAbove" : "0.5.0", "below" : "0.5.2", "severity" : "low", "identifiers" : { "CVE": [ "CVE-2013-7035" ], "summary":"potential XSS vulnerability can arise when using user data as a key" }, "info": [ "https://facebook.github.io/react/blog/2013/12/18/react-v0.5.2-v0.4.2.html" ] }, { "below" : "0.14.0", "severity" : "low", "identifiers" : { "summary":" including untrusted objects as React children can result in an XSS security vulnerability", "retid" : "23" }, "info": [ "http://danlec.com/blog/xss-via-a-spoofed-react-element", "https://facebook.github.io/react/blog/2015/10/07/react-v0.14.html" ] }, { "atOrAbove" : "16.0.0", "below" : "16.0.1", "severity" : "medium", "identifiers" : { "CVE": [ "CVE-2018-6341" ], "summary":"potential XSS vulnerability when the attacker controls an attribute name" }, "info": [ "https://github.com/facebook/react/blob/master/CHANGELOG.md", "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html" ] }, { "atOrAbove" : "16.1.0", "below" : "16.1.2", "severity" : "medium", "identifiers" : { "CVE": [ "CVE-2018-6341" ], "summary":"potential XSS vulnerability when the attacker controls an attribute name" }, "info": [ "https://github.com/facebook/react/blob/master/CHANGELOG.md", "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html" ] }, { "atOrAbove" : "16.2.0", "below" : "16.2.1", "severity" : "medium", "identifiers" : { "CVE": [ "CVE-2018-6341" ], "summary":"potential XSS vulnerability when the attacker controls an attribute name" }, "info": [ "https://github.com/facebook/react/blob/master/CHANGELOG.md", 
"https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html" ] }, { "atOrAbove" : "16.3.0", "below" : "16.3.3", "severity" : "medium", "identifiers" : { "CVE": [ "CVE-2018-6341" ], "summary":"potential XSS vulnerability when the attacker controls an attribute name" }, "info": [ "https://github.com/facebook/react/blob/master/CHANGELOG.md", "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html" ] }, { "atOrAbove" : "16.4.0", "below" : "16.4.2", "severity" : "medium", "identifiers" : { "CVE": [ "CVE-2018-6341" ], "summary":"potential XSS vulnerability when the attacker controls an attribute name" }, "info": [ "https://github.com/facebook/react/blob/master/CHANGELOG.md", "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html" ] } ], "extractors" : { "func" : [ "react.version", "require('react').version" ], "filecontent" : [ "/\\*\\*\n +\\* React \\(with addons\\) ?v(§§version§§)", "/\\*\\*\n +\\* React v(§§version§§)", "\"\\./ReactReconciler\":[0-9]+,\"\\./Transaction\":[0-9]+,\"fbjs/lib/invariant\":[0-9]+\\}\\],[0-9]+:\\[function\\(require,module,exports\\)\\{\"use strict\";module\\.exports=\"(§§version§§)\"\\}", "ReactVersion\\.js[\\*! 
\\\\/\n\r]{0,100}function\\(e,t\\)\\{\"use strict\";e\\.exports=\"(§§version§§)\"", "expected a ReactNode.[\\s\\S]{0,1800}?function\\(e,t\\)\\{\"use strict\";e\\.exports=\"(§§version§§)\"" ] } }, "flowplayer" : { "vulnerabilities" : [ { "below" : "5.4.3", "severity": "medium", "identifiers": { "summary" : "XSS vulnerability in Flash fallback", "issue" : "381" }, "info" : [ "https://github.com/flowplayer/flowplayer/issues/381" ] } ], "extractors" : { "uri" : [ "flowplayer-(§§version§§)(\\.min)?\\.js" ], "filename" : [ "flowplayer-(§§version§§)(\\.min)?\\.js" ] } }, "DWR" : { "vulnerabilities" : [ { "below" : "1.1.4", "severity": "high", "identifiers": { "CVE" : [ "CVE-2007-01-09" ] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2014-5326/", "http://www.cvedetails.com/cve/CVE-2014-5326/" ] }, { "below" : "2.0.11", "severity": "medium", "identifiers": { "CVE" : ["CVE-2014-5326", "CVE-2014-5325"] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2014-5326/", "http://www.cvedetails.com/cve/CVE-2014-5326/" ] }, { "above" : "3", "below" : "3.0.RC3", "severity": "medium", "identifiers": { "CVE" : ["CVE-2014-5326", "CVE-2014-5325"] }, "info" : [ "http://www.cvedetails.com/cve/CVE-2014-5326/", "http://www.cvedetails.com/cve/CVE-2014-5326/" ] } ], "extractors" : { "func" : [ "dwr.version" ], "filecontent" : [ " dwr-(§§version§§).jar" ] } }, "moment.js" : { "bowername": [ "moment", "momentjs" ], "vulnerabilities" : [ { "below" : "2.11.2", "severity": "low", "identifiers": { "summary":"reDOS - regular expression denial of service", "issue" : "2936" }, "info" : [ "https://github.com/moment/moment/issues/2936" ] }, { "below" : "2.15.2", "severity": "medium", "identifiers": { "summary" : "Regular Expression Denial of Service (ReDoS)", "retid" : "22" }, "info" : [ "https://security.snyk.io/vuln/npm:moment:20161019" ] }, { "below" : "2.19.3", "severity": "low", "identifiers": { "summary" : "Regular Expression Denial of Service (ReDoS)", "CVE" : [ "CVE-2017-18214" ] }, "info" : [ 
"https://security.snyk.io/vuln/npm:moment:20170905", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18214", "https://github.com/moment/moment/issues/4163" ] }, { "below" : "2.29.2", "severity": "high", "identifiers": { "summary" : "This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.", "CVE" : [ "CVE-2022-24785" ] }, "info" : [ "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4" ] }, { "below" : "2.29.4", "atOrAbove" : "2.18.0", "severity": "high", "identifiers": { "summary" : "Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4", "CVE" : [ "CVE-2022-31129" ] }, "info" : [ "https://security.snyk.io/vuln/SNYK-JS-MOMENT-2944238", "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g" ] } ], "extractors" : { "uri" : [ "/moment\\.js/(§§version§§)/moment(.min)?\\.js" ], "func" : [ "moment.version" ], "filecontent" : [ "//! moment.js(?:[\n\r]+)//! 
version : (§§version§§)" , "\\.version=\"(§§version§§)\".{300,500}\\.isMoment=" ] } }, "underscore.js" : { "bowername": [ "Underscore", "underscore" ], "vulnerabilities" : [ { "below" : "1.12.1", "atOrAbove" : "1.3.2", "severity": "high", "identifiers": { "summary":"vulnerable to Arbitrary Code Injection via the template function", "CVE" : [ "CVE-2021-23358" ] }, "info" : [ "https://nvd.nist.gov/vuln/detail/CVE-2021-23358" ] } ], "extractors" : { "uri" : [ "/underscore\\.js/(§§version§§)/underscore(-min)?\\.js" ], "func" : [ "underscore.version" ], "filecontent" : [ "//[\\s]*Underscore.js (§§version§§)" ] } }, "bootstrap": { "vulnerabilities" : [ { "below" : "4.3.1", "atOrAbove" : "4.0.0", "identifiers": { "issue" : "28236", "summary": "XSS in data-template, data-content and data-title properties of tooltip/popover", "CVE" : ["CVE-2019-8331"] }, "severity" : "medium", "info" : [ "https://github.com/twbs/bootstrap/issues/28236" ] }, { "below" : "3.4.1", "identifiers": { "issue" : "28236", "summary": "XSS in data-template, data-content and data-title properties of tooltip/popover", "CVE" : ["CVE-2019-8331"] }, "severity" : "medium", "info" : [ "https://github.com/twbs/bootstrap/issues/28236" ] }, { "below" : "4.1.2", "atOrAbove" : "4.0.0", "identifiers": { "issue" : "20184", "summary": "XSS in data-target property of scrollspy", "CVE" : ["CVE-2018-14041"] }, "severity" : "medium", "info" : [ "https://github.com/twbs/bootstrap/issues/20184" ] }, { "below" : "3.4.0", "identifiers": { "issue" : "20184", "summary": "XSS in data-target property of scrollspy", "CVE" : ["CVE-2018-14041"] }, "severity" : "medium", "info" : [ "https://github.com/twbs/bootstrap/issues/20184" ] }, { "below" : "4.1.2", "atOrAbove" : "4.0.0", "identifiers": { "issue" : "20184", "summary": "XSS in collapse data-parent attribute", "CVE" : ["CVE-2018-14040"] }, "severity" : "medium", "info" : [ "https://github.com/twbs/bootstrap/issues/20184" ] }, { "below" : "3.4.0", "identifiers": { "issue" : 
"20184", "summary": "XSS in collapse data-parent attribute", "CVE" : ["CVE-2018-14040"] }, "severity" : "medium", "info" : [ "https://github.com/twbs/bootstrap/issues/20184" ] }, { "below" : "4.1.2", "atOrAbove" : "4.0.0", "identifiers": { "issue" : "20184", "summary": "XSS in data-container property of tooltip", "CVE" : ["CVE-2018-14042"] }, "severity" : "medium", "info" : [ "https://github.com/twbs/bootstrap/issues/20184" ] }, { "below" : "3.4.0", "identifiers": { "issue" : "20184", "summary": "XSS in data-container property of tooltip", "CVE" : ["CVE-2018-14042"] }, "severity" : "medium", "info" : [ "https://github.com/twbs/bootstrap/issues/20184" ] }, { "atOrAbove" : "3.0.0", "below" : "3.4.0", "severity": "medium", "identifiers": { "summary": "XSS is possible in the data-target attribute.", "CVE" : ["CVE-2016-10735"] }, "info" : [ "https://github.com/advisories/GHSA-4p24-vmcr-4gqj" ] }, { "atOrAbove" : "4.0.0-beta", "below" : "4.0.0-beta.2", "severity": "medium", "identifiers": { "summary": "XSS is possible in the data-target attribute.", "CVE" : ["CVE-2016-10735"] }, "info" : [ "https://github.com/advisories/GHSA-4p24-vmcr-4gqj" ] }, { "below" : "2.1.0", "severity": "medium", "identifiers": { "summary": "cross-site scripting vulnerability", "issue" : "3421" }, "info" : [ "https://github.com/twbs/bootstrap/pull/3421" ] } ], "extractors" : { "uri" : [ "/(§§version§§)/bootstrap(\\.min)?\\.js", "/(§§version§§)/js/bootstrap(\\.min)?\\.js" ], "filename" : [ "bootstrap-(§§version§§)(\\.min)?\\.js" ], "filecontent" : [ "/\\*!? Bootstrap v(§§version§§)", "\\* Bootstrap v(§§version§§)", "/\\*! 
Bootstrap v(§§version§§)", "this\\.close\\)\\};.\\.VERSION=\"(§§version§§)\"(?:,.\\.TRANSITION_DURATION=150)?,.\\.prototype\\.close" ], "hashes" : {} } }, "ckeditor" : { "vulnerabilities": [ { "below" : "4.4.3", "identifiers" : { "summary" : "XSS", "retid" : "13" }, "severity" : "medium", "info": [ "https://github.com/ckeditor/ckeditor-dev/blob/master/CHANGES.md#ckeditor-443" ] }, { "below" : "4.4.6", "identifiers" : { "summary" : "XSS", "retid" : "14" }, "severity" : "medium", "info": [ "https://github.com/ckeditor/ckeditor-dev/blob/master/CHANGES.md#ckeditor-446" ] }, { "below" : "4.4.8", "identifiers" : { "summary" : "XSS", "retid" : "15" }, "severity" : "medium", "info": [ "https://github.com/ckeditor/ckeditor-dev/blob/master/CHANGES.md#ckeditor-448" ] }, { "below" : "4.5.11", "identifiers" : { "summary" : "XSS", "retid" : "16" }, "severity" : "medium", "info": [ "https://github.com/ckeditor/ckeditor-dev/blob/master/CHANGES.md#ckeditor-4511" ] }, { "below" : "4.9.2", "atOrAbove" : "4.5.11", "identifiers" : { "summary" : "XSS if the enhanced image plugin is installed", "retid" : "17" }, "severity" : "medium", "info": [ "https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/", "https://ckeditor.com/cke4/release-notes" ] }, { "atOrAbove" : "4.0.0", "below" : "4.11.0", "identifiers" : { "summary" : "XSS vulnerability in the HTML parser", "retid" : "18" }, "severity" : "medium", "info" : [ "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/", "https://snyk.io/vuln/SNYK-JS-CKEDITOR-72618" ] }, { "below" : "4.15.1", "identifiers" : { "summary" : "XSS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted HTML code into the Color Button dialog", "retid" : "19" }, "severity" : "medium", "info" : [ "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-4151" ] }, { "below" : "4.14.0", "identifiers" : { "summary" : "XSS", "retid" : "20" }, "severity" : "low", "info": [ 
"https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-414" ] }, { "below" : "4.16.0", "identifiers" : { "summary" : "ReDoS vulnerability in Autolink plugin and Advanced Tab for Dialogs plugin", "retid" : "21" }, "severity" : "low", "info": [ "https://ckeditor.com/cke4/release/CKEditor-4.16.0" ] }, { "below" : "4.16.2", "identifiers" : { "summary" : "XSS vulnerability in the Clipboard plugin", "CVE": [ "CVE-2021-32809" ] }, "severity" : "low", "info": [ "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg" ] }, { "below" : "4.16.2", "identifiers" : { "summary" : "XSS vulnerability in the Widget plugin", "CVE": [ "CVE-2021-32808" ] }, "severity" : "low", "info": [ "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c" ] }, { "below" : "4.16.2", "identifiers" : { "summary" : "XSS vulnerability in the Fake Objects plugin", "CVE": [ "CVE-2021-37695" ] }, "severity" : "medium", "info": [ "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc" ] }, { "below" : "4.17.0", "identifiers" : { "summary" : "XSS vulnerabilities in the core module", "CVE": [ "CVE-2021-41164", "CVE-2021-41165" ] }, "severity" : "medium", "info": [ "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj", "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2" ] }, { "below" : "4.18.0", "identifiers" : { "summary" : "Inject malformed URL to bypass content sanitization for XSS", "CVE": [ "CVE-2022-24728" ] }, "severity" : "low", "info": [ "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh" ] } ], "extractors" : { "uri" : [ "/(§§version§§)/ckeditor(\\.min)?\\.js" ], "filename" : [ "ckeditor-(§§version§§)(\\.min)?\\.js" ], "filecontent" : [ "ckeditor..js.{4,20}=\\{timestamp:\"[^\"]+\",version:\"(§§version§§)", "window.CKEDITOR=function\\(\\)\\{var [a-z]=\\{timestamp:\"[^\"]+\",version:\"(§§version§§)" ], "hashes" : {}, "func" : [ 
"CKEDITOR.version" ] } }, "ckeditor5" : { "vulnerabilities": [ { "below" : "10.0.1", "identifiers" : { "summary" : "XSS in the link package", "CVE": [ "CVE-2018-11093" ] }, "severity" : "low", "info": [ "https://ckeditor.com/blog/CKEditor-5-v10.0.1-released/" ] }, { "below" : "25.0.0", "identifiers" : { "summary" : "ReDos in several packages", "CVE": [ "CVE-2021-21254" ] }, "severity" : "low", "info": [ "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-hgmg-hhc8-g5wr" ] }, { "below" : "27.0.0", "identifiers" : { "summary" : "ReDos in several packages", "CVE": [ "CVE-2021-21391" ] }, "severity" : "low", "info": [ "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-3rh3-wfr4-76mj" ] }, { "below" : "35.0.0", "identifiers" : { "summary" : "security fix for the Markdown GFM, HTML support and HTML embed packages", "CVE": [ "CVE-2022-31175" ] }, "severity" : "low", "info": [ "https://github.com/ckeditor/ckeditor5/compare/v34.2.0...v35.0.0", "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-42wq-rch8-6f6j" ] } ], "extractors" : { "uri" : [ "/(§§version§§)/ckeditor5(\\.min)?\\.js" ], "filename" : [ "ckeditor5-(§§version§§)(\\.min)?\\.js" ], "filecontent" : [ "const .=\"(§§version§§)\";.{0,140}?\\.CKEDITOR_VERSION=.;", "CKEDITOR_VERSION=\"(§§version§§)\"" ], "hashes" : {}, "func" : [ "CKEDITOR_VERSION" ] } }, "vue" : { "vulnerabilities" : [ { "below" : "2.6.11", "severity" : "medium", "identifiers" : { "summary" : "Bump vue-server-renderer's dependency of serialize-javascript to 2.1.2", "retid" : "10" }, "info" : [ "https://github.com/vuejs/vue/releases/tag/v2.6.11" ] }, { "below" : "2.5.17", "severity" : "medium", "identifiers" : { "summary" : "potential xss in ssr when using v-bind", "retid" : "11" }, "info" : [ "https://github.com/vuejs/vue/releases/tag/v2.5.17" ] }, { "below" : "2.4.3", "severity" : "medium", "identifiers" : { "summary" : "possible xss vector", "retid" : "12" }, "info" : [ 
"https://github.com/vuejs/vue/releases/tag/v2.4.3" ] } ], "extractors" : { "uri" : [ "/vue@(§§version§§)/dist/vue\\.js", "/vue/(§§version§§)/vue\\..*\\.js", "/npm/vue@(§§version§§)" ], "filename" : [ "vue-(§§version§§)(\\.min)?\\.js" ], "filecontent" : [ "/\\*!\\n \\* Vue.js v(§§version§§)", "Vue.version = '(§§version§§)';", "'(§§version§§)'[^\\n]{0,8000}Vue compiler", "\\* Original file: /npm/vue@(§§version§§)/dist/vue.(global|common).js", "const version[ ]*=[ ]*\"(§§version§§)\";[\\s]*/\\*\\*[\\s]*\\* SSR utils for \\\\@vue/server-renderer", "\\.__vue_app__=.{0,8000}?const [a-z]+=\"(§§version§§)\"," ], "func" : [ "Vue.version" ] } }, "ExtJS" : { "vulnerabilities" : [ { "below" : "6.6.0", "atOrAbove" : "4.0.0", "severity" : "medium", "identifiers" : { "CVE" : [ "CVE-2018-8046" ], "summary" : "XSS in Sencha Ext JS 4 to 6 via getTip() method of Action Columns" }, "info" : [ "http://seclists.org/fulldisclosure/2018/Jul/8", "https://nvd.nist.gov/vuln/detail/CVE-2018-8046" ] }, { "below" : "6.0.0", "severity" : "high", "identifiers" : { "CVE" : [ "CVE-2007-2285" ], "summary" : "Directory traversal and arbitrary file read" }, "info" : [ "https://www.cvedetails.com/cve/CVE-2007-2285/", "https://packetstormsecurity.com/files/132052/extjs-Arbitrary-File-Read.html", "https://www.akawebdesign.com/2018/08/14/should-js-frameworks-prevent-xss/" ] }, { "below" : "4.0.0", "atOrAbove" : "3.0.0", "severity" : "medium", "identifiers" : { "CVE" : [ "CVE-2010-4207", "CVE-2012-5881" ], "summary" : "XSS vulnerability in ExtJS charts.swf" }, "info" : [ "https://www.acunetix.com/vulnerabilities/web/extjs-charts-swf-cross-site-scripting", "https://typo3.org/security/advisory/typo3-core-sa-2014-001/", "https://www.akawebdesign.com/2018/08/14/should-js-frameworks-prevent-xss/" ] } ], "extractors" : { "uri" : [ "/extjs/(§§version§§)/.*\\.js" ], "filename" : [ "/ext-all-(§§version§§)(\\.min)?\\.js", "/ext-all-debug-(§§version§§)(\\.min)?\\.js", "/ext-base-(§§version§§)(\\.min)?\\.js" ], 
"filecontent" : [ "/*!\n * Ext JS Library (§§version§§)" ], "func" : [ "Ext && Ext.versions && Ext.versions.extjs.version", "Ext && Ext.version" ] } }, "svelte" : { "vulnerabilities" : [ { "below" : "3.49.0", "severity" : "medium", "identifiers": { "summary": "XSS", "issue" : "7530" }, "info" : [ "https://github.com/sveltejs/svelte/pull/7530" ] }, { "below" : "3.46.5", "severity" : "medium", "identifiers": { "summary": "XSS", "retid" : "8" }, "info" : [ "https://github.com/sveltejs/svelte/pull/7333" ] }, { "below" : "2.9.8", "severity" : "medium", "identifiers": { "summary": "XSS", "retid" : "9" }, "info" : [ "https://github.com/sveltejs/svelte/pull/1623" ] } ], "extractors" : { "uri" : [ "/svelte@(§§version§§)/" ], "filename" : [ "svelte[@\\-](§§version§§)(.min)?\\.m?js" ], "filecontent" : [ "generated by Svelte v\\$\\{['\"](§§version§§)['\"]\\}", "version: '(§§version§§)' [\\s\\S]{80,200}'SvelteDOMInsert'", "VERSION = '(§§version§§)'[\\s\\S]{21,200}parse\\$[0-9][\\s\\S]{10,80}preprocess", "var version\\$[0-9] = \"(§§version§§)\";[\\s\\S]{10,30}normalizeOptions\\(options\\)[\\s\\S]{80,200}'SvelteComponent.html'" ], "func" : [ "svelte.VERSION" ] } }, "axios" : { "vulnerabilities" : [ { "below" : "0.21.3", "severity": "high", "identifiers": { "summary": "Axios is vulnerable to Inefficient Regular Expression Complexity", "CVE": [ "CVE-2021-3749" ] }, "info" : [ "https://security.snyk.io/vuln/SNYK-JS-AXIOS-1579269", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3749"] }, { "below" : "0.21.1", "severity": "medium", "identifiers": { "summary": "Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability", "CVE": [ "CVE-2020-28168" ] }, "info" : [ "https://security.snyk.io/vuln/SNYK-JS-AXIOS-1038255", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168"] }, { "below" : "0.18.1", "severity": "medium", "identifiers": { "summary": "Axios up to and including 0.18.0 allows attackers to cause a denial of service (application 
crash) by continuing to accept content after maxContentLength is exceeded", "CVE": [ "CVE-2019-10742" ] }, "info" : [ "https://security.snyk.io/vuln/SNYK-JS-AXIOS-174505", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10742"] } ], "extractors" : { "uri" : [ "/axios/(§§version§§)/.*\\.js" ], "filename" : [ "axios-(§§version§§)(\\.min)?\\.js" ], "filecontent" : [ "/\\* *axios v(§§version§§) " ], "func" : [ "axios && axios.VERSION" ] } }, "markdown-it": { "vulnerabilities": [ { "below": "12.3.2", "severity": "medium", "identifiers": { "summary": "Regular Expression Denial of Service (ReDoS)", "CVE": [ "CVE-2022-21670" ] }, "info": [ "https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-2331914", "https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md", "https://nvd.nist.gov/vuln/detail/CVE-2022-21670" ] }, { "below": "10.0.0", "severity": "medium", "identifiers": { "summary": "Regular Expression Denial of Service (ReDoS)", "retid" : "6" }, "info": [ "https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-459438", "https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md" ] }, { "below": "4.3.1", "atOrAbove": "4.0.0", "severity":"medium", "identifiers": { "summary": "Cross-site Scripting (XSS)", "retid" : "7" }, "info": [ "https://security.snyk.io/vuln/npm:markdown-it:20150702", "https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md" ] }, { "below": "4.1.0", "severity":"medium", "identifiers": { "summary": "Cross-site Scripting (XSS)", "CVE": [ "CVE-2015-3295" ] }, "info": [ "https://security.snyk.io/vuln/npm:markdown-it:20160912", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-3295", "https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md" ] } ], "extractors": { "uri": [ "/markdown-it[/@](§§version§§)/?.*\\.js" ], "filename": [ "markdown-it-(§§version§§)(\\.min)?\\.js" ], "filecontent": [ "/\\*! markdown-it(?:-ins)? 
(§§version§§)" ], "func": [ ] } }, "jszip": { "vulnerabilities": [ { "below": "3.8.0", "severity": "medium", "identifiers": { "summary": "Sanitize filenames when files are loaded with loadAsync, to avoid “zip slip” attacks.", "retid" : "5" }, "info": [ "https://stuk.github.io/jszip/CHANGES.html" ] }, { "below": "3.7.0", "severity": "medium", "identifiers": { "summary": "Denial of Service (DoS)", "CVE": [ "CVE-2021-23413" ] }, "info": [ "https://security.snyk.io/vuln/SNYK-JS-JSZIP-1251497", "https://nvd.nist.gov/vuln/detail/CVE-2021-23413" ] } ], "extractors": { "uri": [ "/jszip[/@](§§version§§)/.*\\.js" ], "filename": [ "jszip-(§§version§§)(\\.min)?\\.js" ], "filecontent": [ "/\\*![ \n]+JSZip v(§§version§§) " ], "func": [ "JSZip && JSZip.version" ] } }, "AlaSQL": { "vulnerabilities" : [ { "below" : "0.7.0", "severity" : "high", "identifiers" : { "bug" : "SNYK-JS-ALASQL-1082932", "summary" : "An arbitrary code execution exists as AlaSQL doesn't sanitize input when characters are placed between square brackets [] or preceded with a backtick (accent grave) ` character. Versions older than 0.7.0 were deprecated in March of 2021 and should no longer be used." 
}, "info" : [ "https://security.snyk.io/vuln/SNYK-JS-ALASQL-1082932" ] } ], "extractors" : { "uri": [ "/alasql[/@](§§version§§)/.*\\.js" ], "filename" : [ "alasql-(§§version§§)(\\.min)?\\.js" ], "filecontent" : [ "/\\*!?[ \n]*AlaSQL v(§§version§§)" ], "func" : [ "alasql && alasql.version" ] } }, "jquery.datatables" : { "vulnerabilities" : [ { "below" : "1.11.3", "severity" : "low", "identifiers" : { "summary" : "possible XSS", "retid": "2" }, "info" : [ "https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b", "https://cdn.datatables.net/1.11.3/" ] }, { "below" : "1.10.23", "severity" : "high", "identifiers" : { "summary" : "prototype pollution", "retid" : "3" }, "info" : [ "https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03", "https://cdn.datatables.net/1.10.23/" ] }, { "below" : "1.10.22", "severity" : "medium", "identifiers" : { "summary" : "prototype pollution", "retid" : "4" }, "info" : [ "https://cdn.datatables.net/1.10.22/" ] }, { "below" : "1.10.10", "severity" : "high", "identifiers" : { "CVE" : [ "CVE-2015-6584" ], "summary" : "XSS" }, "info" : [ "https://github.com/DataTables/DataTablesSrc/commit/ccf86dc5982bd8e16d", "https://www.invicti.com/web-applications-advisories/cve-2015-6384-xss-vulnerability-identified-in-datatables/", "https://github.com/advisories/GHSA-4mv4-gmmf-q382" ] } ], "extractors" : { "uri": [ "/(§§version§§)/(js/)?jquery.dataTables(.min)?.js" ], "filename" : [ "jquery.dataTables-(§§version§§)(\\.min)?\\.js" ], "filecontent" : [ "http://www.datatables.net\n +DataTables (§§version§§)", "/\\*! 
DataTables (§§version§§)", "u.version=\"(§§version§§)\";u.settings=\\[\\];u.models=\\{\\};u.models.oSearch" ], "func" : [ "DataTable && DataTable.version" ] } }, "nextjs" : { "vulnerabilities" : [ { "atOrAbove" : "10.0.0", "below" : "12.1.0", "severity" : "medium", "identifiers" : { "summary" : "Improper CSP in Image Optimization API", "CVE" : [ "CVE-2022-23646" ] }, "info" : [ "https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj" ] }, { "atOrAbove" : "12.0.0", "below" : "12.0.9", "severity" : "medium", "identifiers" : { "summary" : "DOS Vulnerability for self-hosted next.js apps", "CVE" : [ "CVE-2022-21721" ] }, "info" : [ "https://github.com/vercel/next.js/security/advisories/GHSA-wr66-vrwm-5g5x" ] }, { "below" : "11.1.3", "severity" : "high", "identifiers" : { "summary" : "Unexpected server crash in Next.js versions", "CVE" : [ "CVE-2021-43803" ] }, "info" : [ "https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx" ] }, { "atOrAbove" : "12.0.0", "below" : "12.0.5", "severity" : "high", "identifiers" : { "summary" : "Unexpected server crash in Next.js versions", "CVE" : [ "CVE-2021-43803" ] }, "info" : [ "https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx" ] }, { "atOrAbove" : "10.0.0", "below" : "11.1.1", "severity" : "medium", "identifiers" : { "summary" : "XSS in Image Optimization API", "CVE" : [ "CVE-2021-39178" ] }, "info" : [ "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m" ] }, { "below" : "11.1.0", "severity" : "medium", "identifiers" : { "summary" : "Open Redirect in Next.js", "CVE" : [ "CVE-2021-37699" ] }, "info" : [ "https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9" ] }, { "atOrAbove" : "9.5.0", "below" : "9.5.4", "severity" : "medium", "identifiers" : { "summary" : "Open Redirect in Next.js", "CVE" : [ "CVE-2020-15242" ] }, "info" : [ "https://github.com/vercel/next.js/security/advisories/GHSA-x56p-c8cg-q435" ] }, { "below" : "9.3.2", 
"severity" : "medium", "identifiers" : { "summary" : "Directory Traversal in Next.js", "CVE" : [ "CVE-2020-5284" ] }, "info" : [ "https://github.com/vercel/next.js/security/advisories/GHSA-fq77-7p7r-83rj" ] } ], "extractors" : { "filecontent" : [ "version=\"(§§version§§)\".{1,1500}document\\.getElementById\\(\"__NEXT_DATA__\"\\)\\.textContent", "document\\.getElementById\\(\"__NEXT_DATA__\"\\)\\.textContent\\);window\\.__NEXT_DATA__=.;.\\.version=\"(§§version§§)\"" ], "func" : [ "next && next.version" ] } }, "dont check" : { "extractors" : { "uri" : [ "^http[s]?://(ssl|www).google-analytics.com/ga.js", "^http[s]?://apis.google.com/js/plusone.js", "^http[s]?://cdn.cxense.com/cx.js" ] } } }