Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-a5hm-euty-z7g1
Summary
XSS Vulnerability with User-Supplied JSON
By default, Ember will escape any values in Handlebars templates that use double curlies (`{{value}}`). Developers can specifically opt out of this escaping behavior by passing an instance of `SafeString` rather than a raw string, which tells Ember that it should not escape the string because the developer has taken responsibility for escapement. It is possible for an attacker to create a specially-crafted payload that causes a non-sanitized string to be treated as a `SafeString`, and thus bypass Ember's normal escaping behavior. This could allow an attacker to execute arbitrary JavaScript in the context of the current domain ("XSS").
Aliases
0
alias CVE-2015-7565
Fixed_packages
0
url pkg:gem/ember-source@1.11.4
purl pkg:gem/ember-source@1.11.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@1.11.4
1
url pkg:gem/ember-source@1.12.2
purl pkg:gem/ember-source@1.12.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@1.12.2
2
url pkg:gem/ember-source@1.13.12
purl pkg:gem/ember-source@1.13.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@1.13.12
3
url pkg:gem/ember-source@2.0.3
purl pkg:gem/ember-source@2.0.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@2.0.3
4
url pkg:gem/ember-source@2.1.2
purl pkg:gem/ember-source@2.1.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@2.1.2
5
url pkg:gem/ember-source@2.2.1
purl pkg:gem/ember-source@2.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@2.2.1
Affected_packages
0
url pkg:gem/ember-source@1.11.0a
purl pkg:gem/ember-source@1.11.0a
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a5hm-euty-z7g1
1
vulnerability VCID-eafw-zr9e-ryfu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@1.11.0a
1
url pkg:gem/ember-source@1.12.0a
purl pkg:gem/ember-source@1.12.0a
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a5hm-euty-z7g1
1
vulnerability VCID-eafw-zr9e-ryfu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@1.12.0a
2
url pkg:gem/ember-source@1.13.0a
purl pkg:gem/ember-source@1.13.0a
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a5hm-euty-z7g1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@1.13.0a
3
url pkg:gem/ember-source@2.0.0a
purl pkg:gem/ember-source@2.0.0a
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a5hm-euty-z7g1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@2.0.0a
4
url pkg:gem/ember-source@2.1.0a
purl pkg:gem/ember-source@2.1.0a
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a5hm-euty-z7g1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@2.1.0a
5
url pkg:gem/ember-source@2.2.0a
purl pkg:gem/ember-source@2.2.0a
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-a5hm-euty-z7g1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/ember-source@2.2.0a
References
0
reference_url https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 79
name Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_scorenull
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-a5hm-euty-z7g1