NodeJS/backbone/0.3.2


Give your JS App some Backbone with Models, Views, Collections, and Events.

https://www.npmjs.com/package/backbone
MIT

2 Security Vulnerabilities

Cross-Site Scripting in backbone

Published date: 2019-02-18T23:39:55Z
CVE: CVE-2016-10537
Links:

Affected versions of backbone are vulnerable to cross-site scripting when users are allowed to supply input to the Model#Escape function, and the output is then written to the DOM.

The vulnerability occurs as a result of the regular expression used to encode metacharacters failing to take HTML Entities such as < into account.

Recommendation

Update to version 0.5.0 or later.

Affected versions: ["0.1.1", "0.1.2", "0.2.0", "0.3.0", "0.3.1", "0.3.2", "0.3.3"]
Secure versions: [0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.9.0, 0.9.1, 0.9.2, 0.9.9, 0.9.10, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.5.0, 1.6.0]
Recommendation: Update to version 1.6.0.

Cross Site Scripting

Published date: 2016-05-23
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Coordinating vendor: Lift Security
Links:

backbone is a module that adds structure to a JavaScript-heavy application through key-value models and custom events, connecting to your RESTful API over JSON.

There exists a potential Cross Site Scripting vulnerability in the Model#Escape function if a user is able to supply input.

This is because the regular expression performing the replacement misses the conversion of entities such as &#60; to <.
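The weakness both advisories describe, as an added illustration in JavaScript (not Backbone's own code): an escaper that leaves already-encoded entities alone passes &#60; through untouched, while one that escapes every metacharacter unconditionally renders such input literally. The weakEscape regex is an assumed simplification of the pre-0.5.0 behaviour, and isFullyEscaped is a hypothetical post-escape check.

```javascript
// Weak: the negative lookahead skips '&' when it already begins an entity,
// so an input of '&#60;' is emitted unchanged. Assumed simplification.
function weakEscape(s) {
  return String(s)
    .replace(/&(?!\w+;|#\d+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Strict: escape '&' first and unconditionally, so any entity present in the
// input is shown as text rather than re-interpreted by the browser.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function strictEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical defensive check: after escaping, no raw metacharacter may
// remain and the only '&' allowed is one of the entities we emit ourselves.
function isFullyEscaped(out) {
  return !/[<>"']/.test(out) && !/&(?!(amp|lt|gt|quot|#x27);)/.test(out);
}

// Constructed sample input: a value that is already entity-encoded.
const SAMPLE = '&#60;b&#62;hi&#60;/b&#62;';
```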

Affected versions: ["0.1.1", "0.1.2", "0.2.0", "0.3.0", "0.3.1", "0.3.2", "0.3.3"]
Secure versions: [0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.9.0, 0.9.1, 0.9.2, 0.9.9, 0.9.10, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.5.0, 1.6.0]
Recommendation: Upgrade to at least version 0.5.0.

31 Other Versions

Version  License  Security (known vulnerabilities)  Released          Age
1.6.0    MIT      -                                 2024-02-05 21:19  3 months
1.5.0    MIT      -                                 2023-07-28 16:05  9 months
1.4.1    MIT      -                                 2022-02-26 00:30  about 2 years
1.4.0    MIT      -                                 2019-02-19 18:31  about 5 years
1.3.3    MIT      -                                 2016-04-05 17:45  about 8 years
1.3.2    MIT      -                                 2016-03-12 17:11  about 8 years
1.3.1    MIT      -                                 2016-03-04 03:07  about 8 years
1.2.3    MIT      -                                 2015-09-03 15:56  over 8 years
1.2.2    MIT      -                                 2015-08-19 19:05  over 8 years
1.2.1    MIT      -                                 2015-06-04 22:09  almost 9 years
1.2.0    MIT      -                                 2015-05-13 22:06  almost 9 years
1.1.2    MIT      -                                 2014-02-20 21:32  about 10 years
1.1.1    MIT      -                                 2014-02-13 19:57  about 10 years
1.1.0    MIT      -                                 2013-10-11 01:05  over 10 years
1.0.0    MIT      -                                 2013-03-20 12:16  about 11 years
0.9.10   MIT      -                                 2013-01-15 20:33  over 11 years
0.9.9    MIT      -                                 2012-12-13 22:48  over 11 years
0.9.2    MIT      -                                 2012-03-21 18:57  about 12 years
0.9.1    MIT      -                                 2012-02-02 21:55  about 12 years
0.9.0    MIT      -                                 2012-01-30 21:25  about 12 years
0.5.3    MIT      -                                 2011-08-09 14:39  over 12 years
0.5.2    MIT      -                                 2011-07-26 17:32  almost 13 years
0.5.1    MIT      -                                 2011-07-05 14:00  almost 13 years
0.5.0    MIT      -                                 2011-07-01 17:58  almost 13 years
0.3.3    MIT      2                                 2011-07-01 17:58  almost 13 years
0.3.2    MIT      2                                 2011-07-01 17:58  almost 13 years
0.3.1    MIT      2                                 2011-07-01 17:58  almost 13 years
0.3.0    MIT      2                                 2011-07-01 17:58  almost 13 years
0.2.0    MIT      2                                 2011-07-01 17:58  almost 13 years
0.1.2    MIT      2                                 2011-07-01 17:58  almost 13 years
0.1.1    MIT      2                                 2011-07-01 17:58  almost 13 years