search

snowdensb / braindump

BrainDump is a simple, powerful, and open note taking platform that makes it easy to organize your life.
MIT License
0 stars 0 forks source link

bootstrap-tagsinput-0.7.1.tgz: 2 vulnerabilities (highest severity is: 7.3) unreachable #190

Open mend-for-github-com[bot] opened 6 months ago

mend-for-github-com[bot] commented 6 months ago
Vulnerable Library - bootstrap-tagsinput-0.7.1.tgz

jQuery plugin providing a Twitter Bootstrap user interface for managing tags.

Library home page: https://registry.npmjs.org/bootstrap-tagsinput/-/bootstrap-tagsinput-0.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bootstrap-tagsinput/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (bootstrap-tagsinput version) Remediation Possible** Reachability
WS-2016-0041 High 7.3 bootstrap-tagsinput-0.7.1.tgz Direct org.webjars.bower:bootstrap-tagsinput - 0.8.0;Shared.Plugins - 1.0.6;ClientApp.Web - 2.0.0.1

Unreachable
CVE-2016-1000227 High 7.3 bootstrap-tagsinput-0.7.1.tgz Direct N/A

Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2016-0041 ### Vulnerable Library - bootstrap-tagsinput-0.7.1.tgz

jQuery plugin providing a Twitter Bootstrap user interface for managing tags.

Library home page: https://registry.npmjs.org/bootstrap-tagsinput/-/bootstrap-tagsinput-0.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bootstrap-tagsinput/package.json

Dependency Hierarchy: - :x: **bootstrap-tagsinput-0.7.1.tgz** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

In rendr-handlebarsthere are double-escaped data attributes in client side view placeholder that cause a potential XSS attack

Publish Date: 2016-03-11

URL: WS-2016-0041

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2016-0041

Release Date: 2016-03-11

Fix Resolution: org.webjars.bower:bootstrap-tagsinput - 0.8.0;Shared.Plugins - 1.0.6;ClientApp.Web - 2.0.0.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-1000227 ### Vulnerable Library - bootstrap-tagsinput-0.7.1.tgz

jQuery plugin providing a Twitter Bootstrap user interface for managing tags.

Library home page: https://registry.npmjs.org/bootstrap-tagsinput/-/bootstrap-tagsinput-0.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bootstrap-tagsinput/package.json

Dependency Hierarchy: - :x: **bootstrap-tagsinput-0.7.1.tgz** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

bootstrap-tagsinput through 0.8.0 are vulnerable to cross-site scripting when user input is passed into the itemTitle parameter unmodified, as the package fails to properly sanitize or encode user input for that parameter.

Publish Date: 2024-11-03

URL: CVE-2016-1000227

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.