org.webjars.bower:urijs@1.18.4 vulnerabilities

  • latest version

    1.19.1

  • first published

    9 years ago

  • latest version published

    6 years ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.webjars.bower:urijs package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Cross-site Scripting (XSS)

    org.webjars.bower:urijs is a Javascript library for working with URLs.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in the URI.parse() function, which allows the \r, \n, and \t characters to pass through unchanged.

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.webjars.bower:urijs to version 1.19.11 or higher. Note that the latest org.webjars.bower:urijs version listed at the top of this page is 1.19.1, so verify that the fixed version is actually published for this package manager before relying on the upgrade.

    [,1.19.11)
    • M
    Misinterpretation of Input

    org.webjars.bower:urijs is a Javascript library for working with URLs.

    Affected versions of this package are vulnerable to Misinterpretation of Input when parsing a URL without a scheme and with excessive slashes.

    How to fix Misinterpretation of Input?

    There is no fixed version for org.webjars.bower:urijs.

    [0,)
    • M
    Open Redirect

    org.webjars.bower:urijs is a Javascript library for working with URLs.

    Affected versions of this package are vulnerable to Open Redirect: the fix for CVE-2022-0613 can be bypassed, so an attacker is still able to redirect.

    How to fix Open Redirect?

    There is no fixed version for org.webjars.bower:urijs.

    [0,)
    • M
    Improper Input Validation

    org.webjars.bower:urijs is a Javascript library for working with URLs.

    Affected versions of this package are vulnerable to Improper Input Validation due to a possible bypass to the protocol validation, using leading whitespaces.

    How to fix Improper Input Validation?

    Upgrade org.webjars.bower:urijs to version 1.19.9 or higher. As with the XSS fix, the latest org.webjars.bower:urijs version listed at the top of this page is 1.19.1, so confirm that the fixed version is available for this package manager.

    [,1.19.9)
    • M
    Open Redirect

    org.webjars.bower:urijs is a Javascript library for working with URLs.

    Affected versions of this package are vulnerable to Open Redirect. An attacker can use case-insensitive protocol schemes in order to bypass the patch to CVE-2021-3647.

    How to fix Open Redirect?

    There is no fixed version for org.webjars.bower:urijs.

    [0,)
    • M
    Open Redirect

    org.webjars.bower:urijs is a Javascript library for working with URLs.

    Affected versions of this package are vulnerable to Open Redirect. It mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path, while browsers usually accept backslashes after the protocol and treat each one as a normal slash, so a target that urijs classifies as a same-site path can send the browser to another host.

    PoC

    var URI = require('urijs');
    // Note: in a JavaScript string literal "\/" and "\w" are just "/" and "w",
    // so the string handed to URI here is "https:///www.google.com"; to pass literal
    // backslashes, as in the https:/\ case above, escape them ("https:/\\/\\/\\www.google.com").
    var url = new URI("https:/\/\/\www.google.com");
    console.log(url);  // Which will return -->  path: "/www.google.com"
    

    How to fix Open Redirect?

    There is no fixed version for org.webjars.bower:urijs.

    [0,)
    • H
    Prototype Pollution

    org.webjars.bower:urijs is a Javascript library for working with URLs.

    Affected versions of this package are vulnerable to Prototype Pollution via parseQuery().

    How to fix Prototype Pollution?

    There is no fixed version for org.webjars.bower:urijs.

    [0,)
    • M
    Improper Input Validation

    org.webjars.bower:urijs is a Javascript library for working with URLs.

    Affected versions of this package are vulnerable to Improper Input Validation. It mishandles certain uses of backslash such as http:/\ and interprets the URI as a relative path.

    How to fix Improper Input Validation?

    There is no fixed version for org.webjars.bower:urijs.

    [0,)
    • M
    Improper Input Validation

    org.webjars.bower:urijs is a Javascript library for working with URLs.

    Affected versions of this package are vulnerable to Improper Input Validation. The hostname could be spoofed by using a backslash (\) character followed by an at (@) character.

    How to fix Improper Input Validation?

    There is no fixed version for org.webjars.bower:urijs.

    [0,)
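    Handling the inputs the advisories above describe (the \r, \n and \t characters, leading whitespace, a scheme-less target with extra slashes, backslashes after the scheme or before an @, and mixed-case schemes), as an added example that is not urijs code and not part of this advisory page: a redirect-target check that rejects those constructions up front and then normalizes with the WHATWG URL parser built into Node and browsers, so the host that is checked is the host the browser will actually navigate to. The allowlist, base URL and function names are hypothetical, and browserHost() shows how a browser resolves the same inputs that a lenient parser treats as relative paths.

```javascript
// Added example, not urijs code. Hypothetical allowlist, base URL and
// function names; the probe strings at the bottom are constructed inputs.

const ALLOWED_HOSTS = new Set(['app.example', 'www.app.example']);
const BASE = 'https://app.example/'; // page the redirect is issued from

// What a browser would resolve `target` to, relative to BASE. Returns the
// hostname, or null when the string is not a parseable URL at all.
function browserHost(target) {
  try {
    return new URL(target, BASE).hostname;
  } catch (e) {
    return null;
  }
}

// Strict check for a user-supplied redirect target. Returns { ok, reason }
// on rejection or { ok, href } with the normalized URL to redirect to.
function classifyRedirect(target, allowedHosts = ALLOWED_HOSTS) {
  if (typeof target !== 'string') return { ok: false, reason: 'not a string' };

  // 1. Control characters and whitespace: browsers drop tab/CR/LF anywhere
  //    and leading/trailing spaces, so they must never reach a parser.
  if (/[\u0000-\u0020\u007f]/.test(target)) {
    return { ok: false, reason: 'control/whitespace' };
  }

  // 2. Backslash: browsers treat "\" as "/" in http(s) URLs, so
  //    "https:/\/\/host" reaches host, and "\" before "@" can confuse a
  //    lenient host parser. Refuse it before any parsing happens.
  if (target.includes('\\')) return { ok: false, reason: 'backslash' };

  // 3. Normalize with the WHATWG parser. Scheme-less inputs such as
  //    "///evil.example" resolve against BASE the way the browser resolves them.
  let url;
  try {
    url = new URL(target, BASE);
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }

  // 4. The parser lowercases the scheme, so "HtTpS:" cannot slip past.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ok: false, reason: 'scheme ' + url.protocol };
  }

  // 5. Embedded credentials ("https://app.example@evil.example") are a
  //    classic host-confusion trick; refuse them outright.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials' };
  }

  // 6. Compare the host the browser will connect to against the allowlist.
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: 'host ' + url.hostname };
  }
  return { ok: true, href: url.href };
}

// Constructed probes mirroring the advisories above.
const PROBES = [
  '/dashboard',
  '///evil.example',
  ' https://evil.example',
  'HtTpS://evil.example',
  'https:/\\/\\/\\evil.example',
  'https://app.example\\@evil.example/',
  'https://app.example/\r\nSet-Cookie: a=b',
  'javascript:alert(1)',
];

for (const probe of PROBES) {
  console.log(JSON.stringify(probe), '->', browserHost(probe), classifyRedirect(probe));
}
```

    The order of the checks matters: the character-level rejections run on the raw string, because once the WHATWG parser has stripped the whitespace and folded the backslashes there is nothing left to detect. Rejecting rather than normalizing is the safer choice for a redirect parameter, since a legitimate client never needs control characters or backslashes in one.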
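    The hazard behind the parseQuery() Prototype Pollution entry above, as an added example that is not urijs code and not part of this advisory page: a naive query-string parser that uses attacker-controlled key names as property names on an ordinary object, next to a hardened version. The parser below also accepts bracket-nested keys (a[b]=c), which urijs's own parseQuery does not; that is an assumption made so the write to Object.prototype is visible inside one function, and all helper names are hypothetical.

```javascript
// Added example, not urijs code. Hypothetical helpers; bracket nesting
// ("a[b]=c") is assumed so that an attacker-chosen key can select
// Object.prototype as the target of a write.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = Object.prototype.hasOwnProperty;

// "a=1&b[c]=2" -> [["a", "1"], ["b[c]", "2"]], percent- and plus-decoded.
function splitPairs(qs) {
  const pairs = [];
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  for (const part of qs.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const rawName = eq === -1 ? part : part.slice(0, eq);
    const rawValue = eq === -1 ? '' : part.slice(eq + 1);
    pairs.push([decode(rawName), decode(rawValue)]);
  }
  return pairs;
}

// "a[b][c]" -> ["a", "b", "c"]; names without brackets stay as one segment.
function keyPath(name) {
  const m = name.match(/^([^\[\]]+)((?:\[[^\[\]]*\])*)$/);
  if (!m) return [name];
  const path = [m[1]];
  for (const seg of m[2].matchAll(/\[([^\[\]]*)\]/g)) path.push(seg[1]);
  return path;
}

// Vulnerable: the result is an ordinary object, so a first segment of
// "__proto__" resolves to Object.prototype and the second segment is
// written onto it. "__proto__[polluted]=yes" therefore pollutes every object.
function naiveParseQuery(qs) {
  const result = {};
  for (const [name, value] of splitPairs(qs)) {
    const path = keyPath(name);
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened: null-prototype containers, so "__proto__" is an ordinary key
// with no setter behind it, plus an explicit deny-list so the parsed object
// stays safe when it is later copied into an ordinary object.
function safeParseQuery(qs) {
  const result = Object.create(null);
  for (const [name, value] of splitPairs(qs)) {
    const path = keyPath(name);
    if (path.some((k) => FORBIDDEN_KEYS.has(k))) continue; // drop the pair
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (!hasOwn.call(node, path[i]) || typeof node[path[i]] !== 'object') {
        node[path[i]] = Object.create(null);
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Runs a parser against the pollution payload and reports what a fresh
// object sees before and after, then removes any pollution it caused.
function pollutionProbe(parser) {
  const before = ({}).polluted;
  parser('__proto__[polluted]=yes&a=1');
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after };
}

console.log(pollutionProbe(naiveParseQuery)); // { before: undefined, after: 'yes' }
console.log(pollutionProbe(safeParseQuery));  // { before: undefined, after: undefined }
```

    Either defence alone closes the hole in this parser; both are kept because a null-prototype result protects the parser itself, while the deny-list protects code downstream that merges the parsed object into a normal one.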