Lookup for vulnerable packages by Package URL.
| Purl | pkg:gem/ember-source@1.10.0a |
|---|
| Type | gem |
|---|
| Namespace | |
|---|
| Name | ember-source |
|---|
| Version | 1.10.0a |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 1.10.1 |
|---|
| Latest_non_vulnerable_version | 2.2.1 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-eafw-zr9e-ryfu |
| vulnerability_id |
VCID-eafw-zr9e-ryfu |
| summary |
Vulnerability With {{view "select"}} Options
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the select view means that any user-supplied data bound to an option's label will not be escaped correctly. In applications that use Ember's select view and pass user-supplied content to the label, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS"). |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-1866
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eafw-zr9e-ryfu |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@1.10.0a |
|---|