kiwitcms/Kiwi

Vulnerabilities 2 via 4 paths
Dependencies 66
Source GitHub
Commit 9e2d2f33

medium severity

Cross-Site Scripting (XSS)

  • Vulnerable module: bootstrap
  • Introduced through: patternfly@3.58.0

Detailed paths

  • Introduced through: undefined@kiwitcms/Kiwi#9e2d2f337a1dcc1b7f1c82748382b7585798b156 patternfly@3.58.0 bootstrap@3.3.7
  • Introduced through: undefined@kiwitcms/Kiwi#9e2d2f337a1dcc1b7f1c82748382b7585798b156 patternfly@3.58.0 eonasdan-bootstrap-datetimepicker@4.17.47 bootstrap@3.3.7
  • Introduced through: undefined@kiwitcms/Kiwi#9e2d2f337a1dcc1b7f1c82748382b7585798b156 patternfly@3.58.0 patternfly-bootstrap-treeview@2.1.7 bootstrap@3.3.7

Overview

bootstrap is a sleek, intuitive, and powerful front-end framework for faster and easier web development.

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks via the data-target attribute.

Details

Cross-Site Scripting (XSS) attacks occur when an attacker tricks a user’s browser into executing malicious JavaScript code in the context of a victim’s domain. Such scripts can steal the user’s session cookies for the domain, scrape or modify its content, and perform or modify actions on the user’s behalf, actions that the browser’s Same Origin Policy would otherwise block.

These attacks are possible by escaping the context of the web application and injecting malicious scripts into an otherwise trusted website. These scripts can introduce additional attributes (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the client side, unbeknownst to the victim. This occurs when characters like < > " ' are not escaped properly.

There are a few types of XSS:

  • Persistent XSS is an attack in which the malicious code persists in the web app’s database.
  • Reflected XSS is an attack in which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
  • DOM-based XSS is an attack that occurs purely in the browser, when client-side JavaScript echoes back a portion of the URL onto the page. DOM-based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.

Remediation

The vulnerability has been fixed in versions 3.4.0 and 4.0.0-beta.2 but these versions haven't been released to npm as of Jan 19th, 2018.

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: simplemde
  • Introduced through: simplemde@1.11.2

Detailed paths

  • Introduced through: undefined@kiwitcms/Kiwi#9e2d2f337a1dcc1b7f1c82748382b7585798b156 simplemde@1.11.2

Overview

simplemde is a drop-in JavaScript textarea replacement for writing beautiful and understandable Markdown.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks via an onerror attribute of a crafted IMG element.

Details

Cross-Site Scripting (XSS) attacks occur when an attacker tricks a user’s browser into executing malicious JavaScript code in the context of a victim’s domain. Such scripts can steal the user’s session cookies for the domain, scrape or modify its content, and perform or modify actions on the user’s behalf, actions that the browser’s Same Origin Policy would otherwise block.

These attacks are possible by escaping the context of the web application and injecting malicious scripts into an otherwise trusted website. These scripts can introduce additional attributes (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the client side, unbeknownst to the victim. This occurs when characters like < > " ' are not escaped properly.

There are a few types of XSS:

  • Persistent XSS is an attack in which the malicious code persists in the web app’s database.
  • Reflected XSS is an attack in which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
  • DOM-based XSS is an attack that occurs purely in the browser, when client-side JavaScript echoes back a portion of the URL onto the page. DOM-based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.

Remediation

There is no fix version for simplemde.