Description
knockout before version 3.5.0-beta is vulnerable to cross-site scripting (CWE-79): data that escapes the context it was meant for is delivered to users alongside other trusted dynamic content without being validated, so attacker-controlled input can be rendered as active content in the page.
Recommendation
Update the knockout package to the latest compatible version. Version details:
- Affected version(s): < 3.5.0
- Patched version(s): 3.5.0
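A practitioner auditing a project for this advisory wants a check that finds every copy of knockout in the dependency tree, including nested ones, and compares each against the first patched release. The following is an added example, not code from the advisory or the knockout project. It uses 3.5.0 (the patched version listed above) as the boundary, so pre-release builds such as 3.5.0-beta are still reported as needing an upgrade; the lockfile contents are constructed for illustration, and the simplified pre-release comparison (plain string order) is an assumption of this example rather than full semver.

```javascript
// Added example: flag knockout dependencies below the first patched release.
// Not part of the advisory or of knockout itself.
const ADVISORY = {
  id: "CVE-2019-14862",
  ghsa: "GHSA-vcjj-xf2r-mwvc",
  pkg: "knockout",
  patched: "3.5.0", // first release listed as patched
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two versions: numeric parts first; a pre-release sorts before the
// release it precedes (3.5.0-beta < 3.5.0). Pre-release identifiers are
// compared as plain strings here, a simplification of the semver rules.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// True when the installed version is older than the patched release.
function isAffected(version) {
  return compareVersions(version, ADVISORY.patched) < 0;
}

// Walk a package-lock (lockfileVersion 2/3 "packages" map) and report every
// knockout entry, nested or top-level, that is still affected.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/knockout" -> "knockout"
    const name = path.split("node_modules/").pop();
    if (name !== ADVISORY.pkg || !entry.version) continue;
    if (isAffected(entry.version)) {
      hits.push({ path, version: entry.version, advisory: ADVISORY.id });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project, not real data).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/knockout": { version: "3.4.2" },
    "node_modules/legacy-widget": { version: "0.9.1" },
    "node_modules/legacy-widget/node_modules/knockout": { version: "3.5.0-beta" },
    "node_modules/other-lib/node_modules/knockout": { version: "3.5.1" },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`${hit.advisory}: ${hit.path} has ${hit.version}, upgrade to >= ${ADVISORY.patched}`);
}
```

Run it against a real `package-lock.json` by replacing SAMPLE_LOCK with the parsed file; a nested copy pulled in by another dependency is found the same way as the top-level one, which is the case a plain `npm ls knockout` glance tends to miss.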
References
- GHSA-vcjj-xf2r-mwvc
- bugzilla.redhat.com
- snyk.io
- www.oracle.com
- www.whitesourcesoftware.com
- CVE-2019-14862
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Tags:
- npm
- knockout
Last updated on February 01, 2023