Description
I assume you're familiar with retire[dot]js.
I am wondering if it's possible that maybe we could work together, if you have a handle on the JS vulns, and really show what's possible or not, not just say high, medium, low, when most of the time a local DOM XSS is all you can do.
For instance, Mozilla Observatory:
Retire.js

| Library | Version | Found in | Severity | Vulnerability info | |
|---|---|---|---|---|---|
| chart.js | 2.9.3 | https://observatory.mozilla.org/2cb30c2cc2cff949876d.index.js | High | Prototype pollution in chart.js CVE-2020-7746 GHSA-h68q-55jf-x68w | 1 |
| jquery | 3.4.1 | https://observatory.mozilla.org/2cb30c2cc2cff949876d.index.js | Medium | CVE-2020-11022 4642 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS GHSA-gxr4-xjj5-5px2 | 1 |
| jquery | 3.4.1 | https://observatory.mozilla.org/2cb30c2cc2cff949876d.index.js | Medium | CVE-2020-11023 CVE-2020-23064 4647 passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. GHSA-jpcq-cgw6-v4j6 | 1 |
| moment.js | 2.24.0 | https://observatory.mozilla.org/2cb30c2cc2cff949876d.index.js | High | This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale. CVE-2022-24785 GHSA-8hfj-j24r-96c4 | 1 |
| moment.js | 2.24.0 | https://observatory.mozilla.org/2cb30c2cc2cff949876d.index.js | High | Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4 CVE-2022-31129 GHSA-wc69-rhjr-hc9g | 12 |
| bootstrap | 4.4.1 | https://observatory.mozilla.org/2cb30c2cc2cff949876d.index.js | | | |
thx again