CVE-2016-10537: Cross-Site Scripting in backbone
(updated )
Affected versions of backbone are vulnerable to cross-site scripting when users are allowed to supply input to the Model#Escape function, and the output is then written to the DOM.
The vulnerability occurs as a result of the regular expression used to encode metacharacters failing to take HTML Entities such as < into account.
References
- backbonejs.org/
- github.com/advisories/GHSA-j6p2-cx3w-6jcp
- github.com/jashkenas/backbone
- github.com/jashkenas/backbone/blame/0cdc525961d3fa98e810ffae6bcc8e3838e36d93/backbone.js
- github.com/jashkenas/backbone/commit/0cdc525961d3fa98e810ffae6bcc8e3838e36d93
- github.com/jashkenas/backbone/commit/7ae0384120c2552e1c426cda7fb02fdce6ef1076
- github.com/jashkenas/backbone/compare/0.3.3...0.5.0
- nvd.nist.gov/vuln/detail/CVE-2016-10537
Code Behaviors & Features
Detect and mitigate CVE-2016-10537 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →