An open API service providing security vulnerability metadata for many open source software ecosystems.


Severity: Moderate
CVSS: 5.4
EPSS: 0.00191% (0.41259 Percentile)

Cross-Site Scripting in backbone

Affected package: npm:backbone (PURL: pkg:npm/backbone)
Affected versions: >= 0.3.3, < 0.5.0
Fixed versions: 0.5.0
Dependent packages: 1,711
Dependent repositories: 34,984
Downloads last month: 4,233,755

Affected Version Ranges

All affected versions

0.3.3

All unaffected versions

0.1.1, 0.1.2, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.9.0, 0.9.1, 0.9.2, 0.9.9, 0.9.10, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.6.1

Potentially Affected Packages

These packages share the same source repository and may be affected by this vulnerability, but are not listed in the advisory.

Package                        Ecosystem   Latest Version   Classification
@fengzie/backbone              npm                          Likely Fork
github.com/jashkenas/backbone  go          v1.3.0           Repackage
backbone                       bower                        Repackage

Affected versions of backbone are vulnerable to cross-site scripting when users are allowed to supply input to the Model#escape function and the escaped output is then written to the DOM.

The vulnerability occurs as a result of the regular expression used to encode metacharacters failing to take HTML Entities such as &#60; into account.
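The following is an added illustration, not Backbone's own code: an escape routine whose ampersand rule skips anything that already looks like an entity (an assumed reconstruction of the regex shape the advisory describes) is compared with one that encodes every ampersand, and a small stand-in decoder plays the role of a DOM sink that decodes numeric character references.

```javascript
// Added example (not Backbone's code). Shows why an HTML escaper that leaves
// existing entities untouched lets input such as "&#60;" reach a decoding sink.

// Vulnerable pattern: "&" is only encoded when it does NOT already start
// something entity-shaped, so "&#60;" passes through unchanged.
// (Assumed reconstruction of the regex shape described in the advisory.)
function escapeKeepingEntities(str) {
  return String(str)
    .replace(/&(?!\w+;|#\d+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened pattern: every "&" is encoded, so pre-encoded entities in the
// input are shown literally instead of being decoded by the sink.
function escapeAll(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Minimal stand-in for a sink that decodes character references (for example
// an attribute value that is read back and inserted as HTML). Handles only
// decimal/hex numeric references and &amp;, which is enough for the demo.
function decodeEntities(str) {
  return str
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)))
    .replace(/&amp;/g, '&');
}

// Constructed sample input: a tag written entirely with numeric entities.
const SAMPLE_INPUT = '&#60;b&#62;bold&#60;/b&#62;';

// True when a tag survives escaping and subsequent decoding by the sink.
function markupSurvives(escaper, input) {
  return /<[a-z]/i.test(decodeEntities(escaper(input)));
}

// escapeKeepingEntities leaves the sample unchanged, and the sink decodes it
// to "<b>bold</b>"; escapeAll yields "&amp;#60;...", which decodes back to the
// harmless literal "&#60;b&#62;bold&#60;/b&#62;".
```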

Recommendation

Update to version 0.5.0 or later.
