Vulnerable JavaScript Libraries in Use - A06:2021 – Vulnerable and Outdated Components

Sandy Lam
Tera Contributor

Hi Support Team,

 

We ran a third-party vulnerability scan on the ServiceNow platform, and the scan reported that the following JavaScript libraries with known vulnerabilities were in use.

 

Vulnerable JavaScript Library: jQuery-ui Dialog 1.11.4
Location: https://hkairportuat.service-now.com/scripts/includes/js_includes_dashboards_2.jsx?v=12-11-2023_1645...
Notable Vulnerabilities:
- XSS Vulnerability on closeText option (CVE-2016-7103 281)

Vulnerable JavaScript Library: jQuery-ui 1.11.0
Location: https://hkairportuat.service-now.com/scripts/sn/concourse/js_includes_concourse.jsx?v=12-11-2023_164...
Notable Vulnerabilities:
- XSS in the `altField` option of the Datepicker widget CVE-2021-41182
- XSS in the `of` option of the `.position()` util CVE-2021-41184
- XSS Vulnerability on text options of jQuery UI datepicker CVE-2021-41183
- XSS when refreshing a checkboxradio with an HTML-like initial text label CVE-2022-31160

Vulnerable JavaScript Library: jQuery-ui 1.11.4
Location: https://hkairportuat.service-now.com/scripts/includes/js_includes_dashboards_2.jsx?v=12-11-2023_1645...
Notable Vulnerabilities:
- XSS in the `altField` option of the Datepicker widget CVE-2021-41182
- XSS in the `of` option of the `.position()` util CVE-2021-41184
- XSS Vulnerability on text options of jQuery UI datepicker CVE-2021-41183
- XSS when refreshing a checkboxradio with an HTML-like initial text label CVE-2022-31160

Vulnerable JavaScript Library: Jquery 1.12.3-snc4-legacy
Location: https://hkairportuat.service-now.com/scripts/lib/jquery_includes.jsx?v=12-11-2023_1645&lang=zhc
Notable Vulnerabilities:
- 3rd party CORS request may execute 2432 CVE-2015-9251
- jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
- jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution CVE-2019-11358 4333
- passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. CVE-2020-11023
- Regex in its jQuery.htmlPrefilter sometimes may introduce XSS CVE-2020-11022

Vulnerable JavaScript Library: Jquery 2.2.3
Location: https://hkairportuat.service-now.com/scripts/doctype/js_includes_doctype.jsx?v=12-11-2023_1645&lp=Tue_Dec_12_23_49_01_PST_2023&c=21_256&lang=zhc
Notable Vulnerabilities:
- jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
- 3rd party CORS request may execute 2432 CVE-2015-9251
- jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution CVE-2019-11358
- passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. CVE-2020-11023
- Regex in its jQuery.htmlPrefilter sometimes may introduce XSS CVE-2020-11022

Vulnerable JavaScript Library: moment.js 2.29.1
Location:
https://hkairportuat.service-now.com/scripts/GlideV2ChartingIncludes.jsx?v=12-11-2023_1645&lang=zhc
https://hkairportuat.service-now.com/scripts/bundles/pa-ui.bundle.js?v=3.0.0
Notable Vulnerabilities:
- A vulnerability that impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale. CVE-2022-24785
- Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4 CVE-2022-31129 CVE-2023-22467

Vulnerable JavaScript Library: React Dom 16.0.0
Location:
https://hkairportuat.service-now.com/scripts/bundles/par-multiselect.bundle.js
https://hkairportuat.service-now.com/scripts/GlideV2ChartingIncludes.jsx?v=12-11-2023_1645&lang=zhc
https://hkairportuat.service-now.com/scripts/bundles/pa-ui.bundle.js?v=3.0.0
Notable Vulnerabilities:
- Failing to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios CVE-2018-6341

 

I would need ServiceNow to advise on updating the JavaScript used in the platform. Are there any potential upgrade options for the JavaScript libraries from ServiceNow? Thank you.

 

Thanks & Regards,

Sandy


Mark Manders
Mega Patron

Hi Sandy, since you already mentioned it yourself: you need assistance/advice from ServiceNow, I would create a case with NowSupport for this and not only ask them to update (or how to), but also why they haven't done it before or why they aren't going to do it. Having such a scan usually means you are doing some kind of audit and it would be good to know why the supplier of a platform allows these vulnerabilities. 


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark