Resources Downloaded over Insecure Protocol

Affecting igniteui package, versions <=0.0.5


Overview

This package downloads static resources such as JavaScript and CSS files and processes them locally.

The resources are downloaded over an unencrypted HTTP connection, allowing a man-in-the-middle attacker to tamper with their content in transit.
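One way a download step like the one described above can be hardened, shown as an added example that is not igniteui's code: it refuses non-HTTPS URLs and releases the bytes only if they match a pinned digest. The function names, the sample data and the SRI-style pin format are assumptions made for this illustration.

```javascript
// Added example, not igniteui code; all names and data are hypothetical.
const crypto = require('node:crypto');
const https = require('node:https');

// Reject anything that is not https:// before a socket is opened.
function requireHttps(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'https:') {
    throw new Error(`refusing cleartext download: ${url.href}`);
  }
  return url;
}

// Check the body against a pinned SRI-style digest, e.g. "sha256-<base64>".
function matchesPin(body, pin) {
  const dash = pin.indexOf('-');
  const algo = pin.slice(0, dash);
  if (!['sha256', 'sha384', 'sha512'].includes(algo)) return false;
  const expected = Buffer.from(pin.slice(dash + 1), 'base64');
  const actual = crypto.createHash(algo).update(body).digest();
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// Download over TLS, verify, and only then release the bytes to the caller.
function fetchPinned(rawUrl, pin) {
  const url = requireHttps(rawUrl);
  return new Promise((resolve, reject) => {
    https.get(url, (res) => {
      // https.get does not follow redirects; failing on any non-200 keeps
      // a 3xx from steering the download to another origin or to http://.
      if (res.statusCode !== 200) {
        res.resume();
        return reject(new Error(`unexpected status ${res.statusCode}`));
      }
      const chunks = [];
      res.on('data', (c) => chunks.push(c));
      res.on('end', () => {
        const body = Buffer.concat(chunks);
        if (matchesPin(body, pin)) resolve(body);
        else reject(new Error(`digest mismatch for ${url.href}`));
      });
    }).on('error', reject);
  });
}

// Constructed sample data: a known-good stylesheet and a tampered copy.
const good = Buffer.from('body{margin:0}');
const tampered = Buffer.from('body{margin:0}/*injected*/');
const samplePin = 'sha256-' + crypto.createHash('sha256').update(good).digest('base64');
```

The pin is generated once from a trusted copy of the resource and committed alongside the code that downloads it, so a modified response fails closed instead of being processed.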

CVSS Score

3.5 (low severity)

  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Credit: Adam Baldwin
CVE: CVE-2016-10552
CWE: CWE-494
Snyk ID: npm:igniteui:20160804
Disclosed: 31 Oct, 2016
Published: 31 Oct, 2016