org.webjars.bower:urijs@1.19.1 vulnerabilities

org.webjars.bower:urijs is a Javascript library for working with URLs.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in the URI.parse() function, which makes it possible to use \r, \n\, and \t characters.

Upgrade org.webjars.bower:urijs to version 1.19.11 or higher.

org.webjars.bower:urijs is a Javascript library for working with URLs.

Affected versions of this package are vulnerable to Misinterpretation of Input when parsing a URL without a scheme and with excessive slashes.

There is no fixed version for org.webjars.bower:urijs.

org.webjars.bower:urijs is a Javascript library for working with URLs.

Affected versions of this package are vulnerable to Open Redirect by bypassing the fix for CVE-2022-0613 an attacker is still able to redirect.

There is no fixed version for org.webjars.bower:urijs.

org.webjars.bower:urijs is a Javascript library for working with URLs.

Affected versions of this package are vulnerable to Improper Input Validation due to a possible bypass to the protocol validation, using leading whitespaces.

Upgrade org.webjars.bower:urijs to version 1.19.9 or higher.

org.webjars.bower:urijs is a Javascript library for working with URLs.

Affected versions of this package are vulnerable to Open Redirect. An attacker can use case-insensitive protocol schemes in order to bypass the patch to CVE-2021-3647.

There is no fixed version for org.webjars.bower:urijs.

org.webjars.bower:urijs is a Javascript library for working with URLs.

Affected versions of this package are vulnerable to Open Redirect. It mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers usually accept backslashes after the protocol, and treat it as a normal slash.

PoC

var URI = require('urijs');
var url = new URI("https:/\/\/\www.google.com");
console.log(url);  // Which will return -->  path: "/www.google.com"

There is no fixed version for org.webjars.bower:urijs.

org.webjars.bower:urijs is a Javascript library for working with URLs.

Affected versions of this package are vulnerable to Prototype Pollution via parseQuery().

There is no fixed version for org.webjars.bower:urijs.

org.webjars.bower:urijs is a Javascript library for working with URLs.

Affected versions of this package are vulnerable to Improper Input Validation. It mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

There is no fixed version for org.webjars.bower:urijs.

org.webjars.bower:urijs is a Javascript library for working with URLs.

Affected versions of this package are vulnerable to Improper Input Validation. The hostname could be spoofed by using a backslash (`)character followed by an at(@)` character.

There is no fixed version for org.webjars.bower:urijs.