Description
knockout before version 3.5.0 is vulnerable to cross-site scripting (CWE-79). Attacker-controlled data can escape the context into which the application inserts it, and the application then delivers that data to its users along with other trusted dynamic content without validating or encoding it, so it is interpreted as markup or script in the victim's browser. The published description names 3.5.0-beta as the first fixed build; the advisory's affected range is every release below 3.5.0, so treat pre-release builds of 3.5.0 as affected too and move to 3.5.0 or later.
Recommendation
Update the knockout package to the latest compatible version. Version details:
- Affected version(s): < 3.5.0
- Patched version(s): 3.5.0
References
- GHSA-vcjj-xf2r-mwvc
- bugzilla.redhat.com
- snyk.io
- www.oracle.com
- www.whitesourcesoftware.com
- CVE-2019-14862
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- auth0-lock vulnerable to XSS via unsanitized placeholder property - CVE-2019-20174
- Cross-Site Scripting (XSS) in Verdaccio - CVE-2019-14772
- XSS in jQuery as used in Drupal, Backdrop CMS, and other products - CVE-2019-11358
- sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
Tags:
- npm
- knockout
Last updated on February 01, 2023