Protected: Password Leak – Version 76.0.3809.132 (Official Build) (64-bit)
There is no excerpt because this is a protected post.
There is no excerpt because this is a protected post.
— samples/bootstrap/js/bootstrap.min.js – bootstrap 3.3.7 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: …
— samples/bootstrap/js/bootstrap.min.js – bootstrap 3.0.2 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: …
https://github.com/CachetHQ/Cachet version v2.3.18 — public/dist/js/all.933ef52c701c02556f3b7fa32b0d5f5d.js – jquery 2.2.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in …
Continue reading “Open Source Dependency Vulnerability – Cachet Version v2.3.18”
/work/OSD/repo/upload/admin/view/javascript/ckeditor/ckeditor.js ↳ ckeditor 4.9.1 has known vulnerabilities: severity: medium; summary: XSS if the enhanced image plugin is installed; https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/ https://ckeditor.com/cke4/release-notes severity: medium; summary: XSS vulnerability in the HTML parser; https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/ https://snyk.io/vuln/SNYK-JS-CKEDITOR-72618 /work/OSD/repo/upload/admin/view/javascript/jquery/jquery-3.3.1.min.js ↳ jquery 3.3.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, …
Continue reading “OpenCart v3.0.3.2 Multiple Open Source Dependency Vulnerabilities”
Located in /public/js/app.js ↳ jquery 3.3.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
An open-source dependency vulnerability affects WPEngine’s PHPCompat module on https://github.com/wpengine/phpcompat /src/js/handlebars.js ↳ handlebars.js 4.0.3 has known vulnerabilities: severity: high; summary: A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template; https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692 https://github.com/wycats/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86 severity: high; summary: A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template; …
Continue reading “WPEngine Open-Source Dependency Vulnerability”
I decided to scan RetireJS using its own codebase, and discovered the following issues in RetireJS: /home/omi/clients/retire/firefox/test/web/dojo.js ↳ dojo 1.4.2 has known vulnerabilities: severity: medium; PR: 307; https://github.com/dojo/dojo/pull/307 https://dojotoolkit.org/blog/dojo-1-14-released /home/omi/clients/retire/firefox/test/web/retire-example-0.0.1.js ↳ retire-example 0.0.1 has known vulnerabilities: severity: low; CVE: CVE-XXXX-XXXX, bug: 1234, summary: bug summary; http://github.com/eoftedal/retire.js/ /home/omi/clients/retire/firefox/test/web/retire-example.js ↳ retire-example 0.0.1 has known vulnerabilities: severity: low; …
Continue reading “RetireJS Vulnerabilities Identified With RetireJS”
Recently, I communicated 3 serious security vulnerabilities that affected major a Java-based CMS that powers. I sent a message via e-mail, and they quickly released a “hot fix” that was merely hiding the vulnerable files behind their authentication system. The reason this is not an effective way to protect your digital applications is because an …
dotCMS v5.1.1 suffers from an Open Redirect Vulnerability, in addition to many other vulnerabilities that I am still verifying. The following URL is a proof-of-concept that requires a user to be logged in. Simply login to the demo before visiting the supplied POC. Logging into the demo requires you to go to https://demo.dotcms.com/dotAdmin and log …
Continue reading “dotCMS v5.1.1 Open Redirect Vulnerability”
Adrian Support
You
