1588540 – (CVE-2016-10537) CVE-2016-10537 nodejs-backbone: Cross Site Scripting in the Model#Escape function

Bug 1588540 (CVE-2016-10537) - CVE-2016-10537 nodejs-backbone: Cross Site Scripting in the Model#Escape function

Summary: CVE-2016-10537 nodejs-backbone: Cross Site Scripting in the Model#Escape func...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2016-10537
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-06-07 13:55 UTC by Pedro Sampaio
Modified:	2021-02-17 00:10 UTC (History)
CC List:	2 users (show)
Fixed In Version:	nodejs-backbone 0.5.0
Clone Of:
Environment:
Last Closed:	2018-06-07 13:57:56 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2018-06-07 13:55:46 UTC

backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and earlier, if a user is able to supply input. This is due to the regex that's replacing things to miss the conversion of things such as `<` to `<`.

External references:

https://nodesecurity.io/advisories/108

Comment 1 Pedro Sampaio 2018-06-07 13:57:56 UTC

Community only, already fixed. Current version is > then 0.5.0.

Note You need to log in before you can comment on or make changes to this bug.