js-given

JavaScript frontend to jgiven.

Known vulnerabilities: 0
Vulnerable paths: 0
Dependencies: 136

No known vulnerabilities found


Content & Code Injection (XSS)

Vulnerability ignored for: jgiven-html-app@0.16.2.
Reason: JsGiven's report is a static website; XSS injections are technically possible only by modifying the hosted files; the vulnerability can be ignored.

high severity
  • Vulnerable module: marked
  • Introduced through: jgiven-html-app@0.16.2

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven#86c0455569425ee0cb1d8b96970aa95fb4ef50ff › jgiven-html-app@0.16.2 › modernizr@3.3.1 › marked@0.3.5

Overview

marked is a markdown parser and compiler used for rendering markdown content to HTML. It is vulnerable to a content injection attack that allows an attacker to bypass its output sanitization (sanitize: true) protection. Using the HTML Coded Character Set, an attacker can inject javascript: code snippets into the output. For example, the input javascript&#x58document;alert&#40;1&#41; results in alert(1) being executed when the user clicks on the link.

Remediation

Upgrade marked to version 0.3.6 or higher. Alternatively, you can patch the vulnerability using the Snyk wizard, or switch to remarkable or another markdown library.

Cross-site Scripting (XSS) via Data URIs

Vulnerability ignored for: jgiven-html-app@0.16.2.
Reason: JsGiven's report is a static website; XSS injections are technically possible only by modifying the hosted files; the vulnerability can be ignored.

high severity
  • Vulnerable module: marked
  • Introduced through: jgiven-html-app@0.16.2

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven#86c0455569425ee0cb1d8b96970aa95fb4ef50ff › jgiven-html-app@0.16.2 › modernizr@3.3.1 › marked@0.3.5

Overview

marked is a markdown parser and compiler used for rendering markdown content to html. Affected versions of the package allowed the use of data: URIs for all mime types by default potentially opening a door for Cross-site Scripting (XSS) attacks.

Details

Data URIs enable embedding small files inline in HTML documents, with the content provided in the URL itself. Attackers can craft malicious web pages containing either HTML or script code that uses the data URI scheme, allowing them to bypass access controls or steal sensitive information.

An example of a data URI used to deliver JavaScript code. The data holds a <script>alert('XSS')</script> tag in base64-encoded form:

[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)

Remediation

The fix is merged into the master branch but not yet published to npm. We recommend patching it using the Snyk wizard.

Content Security Policy (CSP) Bypass

Vulnerability ignored for: jgiven-html-app@0.16.2.
Reason: JsGiven's report is a static website; XSS injections are technically possible only by modifying the hosted files; the vulnerability can be ignored.

medium severity
  • Vulnerable module: angular
  • Introduced through: jgiven-html-app@0.16.2

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven#86c0455569425ee0cb1d8b96970aa95fb4ef50ff › jgiven-html-app@0.16.2 › angular@1.5.8

Overview

angular is an open-source JavaScript framework, maintained by Google, that assists with running single-page applications with the goal of making development and testing easier by augmenting browser-based applications with model–view–controller (MVC) capability.

Affected versions of the package are vulnerable to CSP Bypass. Extension URIs (resource://...) bypass Content-Security-Policy in Chrome and Firefox and can always be loaded. If a site already has an XSS bug and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacker can load Angular from the extension, and Angular's auto-bootstrapping can then be used to bypass the victim site's CSP protection.

Remediation

Upgrade angular to version 1.5.9 or higher.

Cross-site Scripting (XSS)

Vulnerability ignored for: jgiven-html-app@0.16.2.
Reason: JsGiven's report is a static website; XSS injections are technically possible only by modifying the hosted files; the vulnerability can be ignored.

medium severity
  • Vulnerable module: foundation-sites
  • Introduced through: jgiven-html-app@0.16.2

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven#86c0455569425ee0cb1d8b96970aa95fb4ef50ff › jgiven-html-app@0.16.2 › foundation-sites@5.5.3

Overview

foundation-sites is an advanced responsive front-end framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to an insufficient fix for npm:foundation-sites:20150619.

Thanks to Nathaniel Paulus for disclosing this vulnerability!

Details

Although innerHTML does not make script tags executable, script tags are not the only way to run arbitrary code.

This vulnerability was introduced in a deliberate attempt to allow HTML in captions. The file was subsequently deleted when version 6 was merged into the develop branch in 1e08494bb2118c9786ffc33c28158311cd542bcb. Confirmation of its removal (as well as plans to re-add it) can be found in issue 7759.

You can read more about Cross-site Scripting (XSS) on our blog.

Disclosure Timeline

  • March 14th, 2017 - Responsible Disclosure and PoC sent by Nathaniel Paulus.
  • April 13th, 2017 - Disclosure to first contact @foundation-sites
  • May 14th, 2017 - Disclosure to first and secondary contacts @foundation-sites
  • June 12th, 2017 - After no response from either contact, PoC sent to both contacts.
  • August 2nd, 2017 - Vulnerability made public.

Remediation

Upgrade foundation-sites to version 6.0.0 or higher.

JSONP Callback Attack

Vulnerability ignored for: jgiven-html-app@0.16.2.
Reason: JsGiven's report is a static website; XSS injections are technically possible only by modifying the hosted files; the vulnerability can be ignored.

medium severity
  • Vulnerable module: angular
  • Introduced through: jgiven-html-app@0.16.2

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven#86c0455569425ee0cb1d8b96970aa95fb4ef50ff › jgiven-html-app@0.16.2 › angular@1.5.8

Overview

angular is an open-source JavaScript framework, maintained by Google, that assists with running single-page applications with the goal of making development and testing easier by augmenting browser-based applications with model–view–controller (MVC) capability. Affected versions of the package are vulnerable to JSONP Callback attacks. JSONP requests allow full access to the browser and the JavaScript context.

Remediation

Upgrade angular to version 1.6.1 or higher.
