CVE-2019-16769 | serialize-javascript:1.9.1 (CWE-79)

[ckalpakoglu]

Due Date: 2023-01-10

A medium severity vulnerability has been discovered in your project.

Project Name: kondukto-ui-vue

Scanner Name: dependabot

Cwe ID: 79

Cwe Name: Improper Neutralization of Input During Web Page Generation (Cross Site Scripting)

Cwe Link: https://cwe.mitre.org/data/definitions/79.html

File: package-lock.json

Packages:

• serialize-javascript:1.9.1

References:

• https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-h9rv-jmmf-4pgx
• https://nvd.nist.gov/vuln/detail/CVE-2019-16769
• https://github.com/advisories/GHSA-h9rv-jmmf-4pgx
• https://www.npmjs.com/advisories/1426

Training(Secure Code Warrior):

• Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

• Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/xss

• Videos:

  • https://media.securecodewarrior.com/v2/Module_71_Cross%20Site%20Scripting_v2.mp4

    ---

• Name: Improper Encoding or Escaping of Output

• Description: The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/injection

• Videos:

---

• Name: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

• Description: The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/xss

• Videos:

  • https://media.securecodewarrior.com/v2/Module_71_Cross%20Site%20Scripting_v2.mp4

    ---

Tool Description: ### Summary

Cross-Site Scripting in serialize-javascript

Fixed Patch

2.1.1

Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

Recommendation

Upgrade to version 2.1.1 or later.

Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e6fe Deeplink: https://github.com/advisories/GHSA-h9rv-jmmf-4pgx

[ckalpakoglu]

The issue has been closed by Kondukto since it is marked as mitigated.