diff --git a/angularjs-library-with-known-vulnerabilities.md b/angularjs-library-with-known-vulnerabilities.md
index 8cef144..e90675f 100644
--- a/angularjs-library-with-known-vulnerabilities.md
+++ b/angularjs-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: AngularJS library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/application-error-message.md b/application-error-message.md
index cae7af4..9e30ad5 100644
--- a/application-error-message.md
+++ b/application-error-message.md
@@ -2,15 +2,15 @@
 name: Application error message
 severity: medium
 cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
 cwe-id: CWE-550
 cwe-name: Server-generated Error Message Containing Sensitive Information
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.4, A.8.9, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.4, A.8.9, A.8.12, A.8.25
   owasp10: A5
   pci: 6.5.5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/aspnet-debugging-enabled.md b/aspnet-debugging-enabled.md
index 4eb9365..1455fae 100644
--- a/aspnet-debugging-enabled.md
+++ b/aspnet-debugging-enabled.md
@@ -2,15 +2,15 @@
 name: ASP.NET debugging enabled
 severity: low
 cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
 cwe-id: CWE-489
 cwe-name: Active Debug Code
 compliance:
   HIPAA: 164.306(a), 164.312(a)(1), 164.312(d)
-  ISO 27001: A.5.33, A.5.34, A.8.4, A.8.9, A.8.12, A.8.15
+  ISO 27001: A.5.33, A.5.34, A.8.4, A.8.9, A.8.12, A.8.15, A.8.25
   owasp10: A1, A5
   pci: 6.5.5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/aspnet-tracing-enabled.md b/aspnet-tracing-enabled.md
index 654b091..c0a96e4 100644
--- a/aspnet-tracing-enabled.md
+++ b/aspnet-tracing-enabled.md
@@ -1,8 +1,8 @@
 ---
 name: ASP.NET tracing enabled
 severity: high
-cvss-score: 9.1
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
+cvss-score: 8.2
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
 cwe-id: CWE-11
 cwe-name: 'ASP.NET Misconfiguration: Creating Debug Binary'
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.33, A.5.34, A.8.4, A.8.9, A.8.12
   owasp10: A5
   pci: 6.5.5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/aspnet-viewstate-without-mac.md b/aspnet-viewstate-without-mac.md
index ff5369c..5edb36a 100644
--- a/aspnet-viewstate-without-mac.md
+++ b/aspnet-viewstate-without-mac.md
@@ -1,15 +1,15 @@
 ---
 name: ASP.NET ViewState without MAC
-severity: low
+severity: medium
 cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
 cwe-id: CWE-642
 cwe-name: External Control of Critical State Data
 compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/axios-library-with-known-vulnerabilities.md b/axios-library-with-known-vulnerabilities.md
index 2b3478e..06ddcc4 100644
--- a/axios-library-with-known-vulnerabilities.md
+++ b/axios-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Axios library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/backbone-library-with-known-vulnerabilities.md b/backbone-library-with-known-vulnerabilities.md
index ed04b7f..7e56c5f 100644
--- a/backbone-library-with-known-vulnerabilities.md
+++ b/backbone-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Backbone library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/bootstrap-library-with-known-vulnerabilities.md b/bootstrap-library-with-known-vulnerabilities.md
index 304744d..f0f89aa 100644
--- a/bootstrap-library-with-known-vulnerabilities.md
+++ b/bootstrap-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Bootstrap library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/browser-content-sniffing-allowed.md b/browser-content-sniffing-allowed.md
index 1d8e8df..d4915f0 100644
--- a/browser-content-sniffing-allowed.md
+++ b/browser-content-sniffing-allowed.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/certificate-with-insufficient-key-size-or-usage-or-insecure-signature-algorithm.md b/certificate-with-insufficient-key-size-or-usage-or-insecure-signature-algorithm.md
index 7b94ad0..298707f 100644
--- a/certificate-with-insufficient-key-size-or-usage-or-insecure-signature-algorithm.md
+++ b/certificate-with-insufficient-key-size-or-usage-or-insecure-signature-algorithm.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/certificate-without-revocation-information.md b/certificate-without-revocation-information.md
index f703161..6600c9e 100644
--- a/certificate-without-revocation-information.md
+++ b/certificate-without-revocation-information.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/chartjs-library-with-known-vulnerabilities.md b/chartjs-library-with-known-vulnerabilities.md
index 824f705..6bdfed8 100644
--- a/chartjs-library-with-known-vulnerabilities.md
+++ b/chartjs-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Chart.js library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/ckeditor-library-with-known-vulnerabilities.md b/ckeditor-library-with-known-vulnerabilities.md
index e1c6e19..4c8e968 100644
--- a/ckeditor-library-with-known-vulnerabilities.md
+++ b/ckeditor-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: CKEditor library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/cookie-with-samesite-attribute-set-to-none.md b/cookie-with-samesite-attribute-set-to-none.md
index 97bde77..2783f1d 100644
--- a/cookie-with-samesite-attribute-set-to-none.md
+++ b/cookie-with-samesite-attribute-set-to-none.md
@@ -2,15 +2,15 @@
 name: Cookie with SameSite attribute set to None
 severity: low
 cvss-score: 3.1
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
 cwe-id: CWE-1275
 cwe-name: Sensitive Cookie with Improper SameSite Attribute
 compliance:
   HIPAA: 164.306(a), 164.312(c)(1), 164.312(e)(1)
-  ISO 27001: A.5.14, A.8.9, A.8.24
+  ISO 27001: A.5.14, A.8.9, A.8.24, A.8.25
   owasp10: A2, A7
   pci: 4.1, 6.5.4, 6.5.10
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/cookie-without-httponly-flag.md b/cookie-without-httponly-flag.md
index 0271ba6..d4091d6 100644
--- a/cookie-without-httponly-flag.md
+++ b/cookie-without-httponly-flag.md
@@ -2,14 +2,15 @@
 name: Cookie without HttpOnly flag
 severity: low
 cvss-score: 3.1
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
 cwe-id: CWE-16
 cwe-name: Configuration
 compliance:
   HIPAA: 164.306(a)
+  ISO 27001: A.8.25
   owasp10: A7
   pci: 6.5.10
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/crlf-injection.md b/crlf-injection.md
index 0143cad..fd8c5be 100644
--- a/crlf-injection.md
+++ b/crlf-injection.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12
   owasp10: A3
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/cross-origin-resource-sharing-arbitrary-origin-trusted.md b/cross-origin-resource-sharing-arbitrary-origin-trusted.md
index da75908..88a5e6d 100644
--- a/cross-origin-resource-sharing-arbitrary-origin-trusted.md
+++ b/cross-origin-resource-sharing-arbitrary-origin-trusted.md
@@ -2,15 +2,15 @@
 name: 'Cross Origin Resource Sharing: Arbitrary Origin Trusted'
 severity: low
 cvss-score: 6.1
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cwe-id: CWE-942
 cwe-name: Permission Cross-Domain Policy with Untrusted Domains
 compliance:
   HIPAA: 164.306(a), 164.312(a)(1), 164.312(d)
-  ISO 27001: A.8.2, A.8.3
+  ISO 27001: A.8.2, A.8.3, A.8.25
   owasp10: A1
   pci: 6.5.8
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/deprecated-tls-protocol-version-10-supported.md b/deprecated-tls-protocol-version-10-supported.md
index aff4ea0..73f5cf0 100644
--- a/deprecated-tls-protocol-version-10-supported.md
+++ b/deprecated-tls-protocol-version-10-supported.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/deprecated-tls-protocol-version-11-supported.md b/deprecated-tls-protocol-version-11-supported.md
index 32b7548..e82f885 100644
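Review bot: The cookie-without-httponly-flag hunk keeps the context lines `cwe-id: CWE-16` / `cwe-name: Configuration`, which is a CWE category rather than a weakness, while this same commit tightens cwe-id elsewhere (graphql-introspection-enabled moves from `'200'` to `CWE-200`). CWE-1004 is the specific entry for this finding, so I would change the two lines to `cwe-id: CWE-1004` and `cwe-name: "Sensitive Cookie Without 'HttpOnly' Flag"` (double-quoted because the title contains single quotes). The added `ISO 27001: A.8.25` becomes this file's only ISO mapping, whereas the sibling cookie-with-samesite-attribute-set-to-none keeps A.5.14, A.8.9 and A.8.24 alongside A.8.25; worth confirming that the narrower mapping is intended rather than a copy omission.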
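Review bot: In the cross-origin-resource-sharing-arbitrary-origin-trusted hunk, `severity: low` sits next to `cvss-score: 6.1`, which is Medium on the CVSS v3.1 qualitative scale; this commit moves ASP.NET ViewState without MAC and Hidden file found from low to medium at 5.3, so leaving this entry at low looks like an oversight, and `severity: medium` would be consistent with the rest of the change. The context line `cwe-name: Permission Cross-Domain Policy with Untrusted Domains` also misspells the CWE-942 title; the insecure-crossdomainxml-policy and insecure-silverlight-clientaccesspolicyxml-policy entries touched by this commit use `cwe-name: Permissive Cross-domain Policy with Untrusted Domains`, which is the form to align to.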
--- a/deprecated-tls-protocol-version-11-supported.md
+++ b/deprecated-tls-protocol-version-11-supported.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/directory-listing.md b/directory-listing.md
index e534327..f039689 100644
--- a/directory-listing.md
+++ b/directory-listing.md
@@ -2,14 +2,14 @@
 name: Directory Listing
 severity: low
 cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
 cwe-id: CWE-548
 cwe-name: Exposure of Information Through Directory Listing
 compliance:
   HIPAA: 164.306(a), 164.312(a)(1), 164.312(d)
   ISO 27001: A.8.4, A.8.9
   owasp10: A1, A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/dojo-library-with-known-vulnerabilities.md b/dojo-library-with-known-vulnerabilities.md
index 0fc1bd0..95a083c 100644
--- a/dojo-library-with-known-vulnerabilities.md
+++ b/dojo-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Dojo library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/dompurify-library-with-known-vulnerabilities.md b/dompurify-library-with-known-vulnerabilities.md
index 86ea503..e01b485 100644
--- a/dompurify-library-with-known-vulnerabilities.md
+++ b/dompurify-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: DOMPurify library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/drupal-version-with-known-vulnerabilities.md b/drupal-version-with-known-vulnerabilities.md
index 2e18200..4a24986 100644
--- a/drupal-version-with-known-vulnerabilities.md
+++ b/drupal-version-with-known-vulnerabilities.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/dwr-library-with-known-vulnerabilities.md b/dwr-library-with-known-vulnerabilities.md
index 87d4944..f803816 100644
--- a/dwr-library-with-known-vulnerabilities.md
+++ b/dwr-library-with-known-vulnerabilities.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/easyxdm-library-with-known-vulnerabilities.md b/easyxdm-library-with-known-vulnerabilities.md
index 057d553..d903c9a 100644
--- a/easyxdm-library-with-known-vulnerabilities.md
+++ b/easyxdm-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: easyXDM library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/ember-library-with-known-vulnerabilities.md b/ember-library-with-known-vulnerabilities.md
index bc41b82..f33d20f 100644
--- a/ember-library-with-known-vulnerabilities.md
+++ b/ember-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Ember library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/expired-tls-certificate.md b/expired-tls-certificate.md
index 4008bac..3761740 100644
--- a/expired-tls-certificate.md
+++ b/expired-tls-certificate.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/ext-js-library-with-known-vulnerabilities.md b/ext-js-library-with-known-vulnerabilities.md
new file mode 100644
index 0000000..cf9c311
--- /dev/null
+++ b/ext-js-library-with-known-vulnerabilities.md
@@ -0,0 +1,28 @@
+---
+name: Ext JS library with known vulnerabilities
+severity: low
+cvss-score: 4.8
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cwe-id: CWE-1035
+cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
+compliance:
+  HIPAA: 164.306(a)
+  ISO 27001: A.8.9
+  owasp10: A5, A6
+  pci: '6.2'
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
+
+---
+
+The application uses an outdated version of the Ext JS library, which has known vulnerabilities.
+
+## How to fix
+
+{% tabs ext-js-library-with-known-vulnerabilities %}
+{% tab ext-js-library-with-known-vulnerabilities generic %}
+To fix this issue, please update Ext JS to the latest available version on its official website.
+
+Do not forget to update all the Ext JS files you have on the server.
+{% endtab %}
+
+{% endtabs %}
diff --git a/flowplayer-library-with-known-vulnerabilities.md b/flowplayer-library-with-known-vulnerabilities.md
index 3c9179b..6eb44df 100644
--- a/flowplayer-library-with-known-vulnerabilities.md
+++ b/flowplayer-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Flowplayer library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/froala-library-with-known-vulnerabilities.md b/froala-library-with-known-vulnerabilities.md
index a094671..b3e163a 100644
--- a/froala-library-with-known-vulnerabilities.md
+++ b/froala-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Froala library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/full-path-disclosure.md b/full-path-disclosure.md
index 16e1db2..b92ab71 100644
--- a/full-path-disclosure.md
+++ b/full-path-disclosure.md
@@ -2,14 +2,14 @@
 name: Full path disclosure
 severity: low
 cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
 cwe-id: CWE-200
 cwe-name: Exposure of Sensitive Information to an Unauthorized Actor
 compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.4, A.8.9
   pci: 6.5.5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/graphql-introspection-enabled.md b/graphql-introspection-enabled.md
index 5ae5090..620ff2a 100644
--- a/graphql-introspection-enabled.md
+++ b/graphql-introspection-enabled.md
@@ -2,14 +2,14 @@
 name: GraphQL Introspection enabled
 severity: low
 cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
-cwe-id: '200'
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+cwe-id: CWE-200
 cwe-name: Information Exposure
 compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/graphql-misconfiguration.md b/graphql-misconfiguration.md
index fe2634c..cd5fa73 100644
--- a/graphql-misconfiguration.md
+++ b/graphql-misconfiguration.md
@@ -2,14 +2,14 @@
 name: GraphQL Misconfiguration
 severity: low
 cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
 cwe-id: CWE-200
 cwe-name: Information Exposure
 compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/handlebars-library-with-known-vulnerabilities.md b/handlebars-library-with-known-vulnerabilities.md
index 6fddcef..b6cfda0 100644
--- a/handlebars-library-with-known-vulnerabilities.md
+++ b/handlebars-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Handlebars library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/heartbleed.md b/heartbleed.md
index 74f7297..6fcd678 100644
--- a/heartbleed.md
+++ b/heartbleed.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.5.33, A.5.34, A.8.3, A.8.9, A.8.12
   owasp10: A6
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/hidden-file-found.md b/hidden-file-found.md
index 78b6970..c71d7f8 100644
--- a/hidden-file-found.md
+++ b/hidden-file-found.md
@@ -1,15 +1,15 @@
 ---
 name: Hidden file found
-severity: low
+severity: medium
 cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
 cwe-id: CWE-538
 cwe-name: File and Directory Information Exposure
 compliance:
   HIPAA: 164.306(a), 164.312(a)(1), 164.312(d)
-  ISO 27001: A.8.4, A.8.9, A.8.15
+  ISO 27001: A.8.4, A.8.9, A.8.15, A.8.25
   owasp10: A1, A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/highcharts-library-with-known-vulnerabilities.md b/highcharts-library-with-known-vulnerabilities.md
index eeca262..b9469c7 100644
--- a/highcharts-library-with-known-vulnerabilities.md
+++ b/highcharts-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Highcharts library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/hsts-header-does-not-protect-subdomains.md b/hsts-header-does-not-protect-subdomains.md
index c585aff..bbbe4ce 100644
--- a/hsts-header-does-not-protect-subdomains.md
+++ b/hsts-header-does-not-protect-subdomains.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2, A5
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/hsts-header-not-enforced.md b/hsts-header-not-enforced.md
index 783c602..416994a 100644
--- a/hsts-header-not-enforced.md
+++ b/hsts-header-not-enforced.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2, A5
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/hsts-header-set-in-http.md b/hsts-header-set-in-http.md
index c8a3667..66c058a 100644
--- a/hsts-header-set-in-http.md
+++ b/hsts-header-set-in-http.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2, A5
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/hsts-header-with-low-duration-and-no-subdomain-protection.md b/hsts-header-with-low-duration-and-no-subdomain-protection.md
index 05e41ab..4c13196 100644
--- a/hsts-header-with-low-duration-and-no-subdomain-protection.md
+++ b/hsts-header-with-low-duration-and-no-subdomain-protection.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2, A5
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/hsts-header-with-low-duration.md b/hsts-header-with-low-duration.md
index 1f662f8..0c63d3a 100644
--- a/hsts-header-with-low-duration.md
+++ b/hsts-header-with-low-duration.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2, A5
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/http-trace-method-enabled.md b/http-trace-method-enabled.md
index adeb7d3..b232c09 100644
--- a/http-trace-method-enabled.md
+++ b/http-trace-method-enabled.md
@@ -2,14 +2,14 @@
 name: HTTP TRACE method enabled
 severity: low
 cvss-score: 3.7
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
 cwe-id: CWE-16
 cwe-name: Configuration
 compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/inclusion-of-cryptocurrency-mining-script.md b/inclusion-of-cryptocurrency-mining-script.md
index 62628a5..def5584 100644
--- a/inclusion-of-cryptocurrency-mining-script.md
+++ b/inclusion-of-cryptocurrency-mining-script.md
@@ -1,14 +1,14 @@
 ---
 name: Inclusion of cryptocurrency mining script
 severity: high
-cvss-score: 5.5
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
+cvss-score: 7.1
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
 cwe-id: CWE-830
 cwe-name: Inclusion of Web Functionality from an Untrusted Source
 compliance:
   HIPAA: 164.306(a), 164.312(c)(1)
   owasp10: A8
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/insecure-browser-xss-protection-enabled.md b/insecure-browser-xss-protection-enabled.md
index 75d3927..ab18e75 100644
--- a/insecure-browser-xss-protection-enabled.md
+++ b/insecure-browser-xss-protection-enabled.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/insecure-content-security-policy.md b/insecure-content-security-policy.md
index 790a167..1ca1c4e 100644
--- a/insecure-content-security-policy.md
+++ b/insecure-content-security-policy.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/insecure-crossdomainxml-policy.md b/insecure-crossdomainxml-policy.md
index 03cc101..96858f5 100644
--- a/insecure-crossdomainxml-policy.md
+++ b/insecure-crossdomainxml-policy.md
@@ -1,15 +1,15 @@
 ---
 name: Insecure crossdomain.xml policy
-severity: low
-cvss-score: 6.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
+severity: high
+cvss-score: 8.2
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
 cwe-id: CWE-942
 cwe-name: Permissive Cross-domain Policy with Untrusted Domains
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.8.2, A.8.3, A.8.9
+  ISO 27001: A.8.2, A.8.3, A.8.9, A.8.25
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/insecure-php-object-deserialization.md b/insecure-php-object-deserialization.md
index aadcc25..968691c 100644
--- a/insecure-php-object-deserialization.md
+++ b/insecure-php-object-deserialization.md
@@ -1,14 +1,15 @@
 ---
 name: Insecure PHP Object deserialization
 severity: high
-cvss-score: 6.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-score: 7.3
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
 cwe-id: CWE-502
 cwe-name: Deserialization of Untrusted Data
 compliance:
   HIPAA: 164.306(a), 164.312(c)(1)
+  ISO 27001: A.8.25
   owasp10: A8
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/insecure-referrer-policy.md b/insecure-referrer-policy.md
index d1de3ae..a0a9259 100644
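Review bot: The insecure-php-object-deserialization hunk rescores CWE-502 to `cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L` (7.3), i.e. Low impact on all three axes. Deserialization of attacker-controlled data is conventionally assessed with High impacts because it can result in code execution in the application's context, so the chosen vector reads as a deliberate cap rather than a recalculation; if that cap is intentional (for instance because the check only proves that untrusted input reaches the deserializer, not that it is exploitable), a sentence in the commit message or the file body explaining it would stop the next maintainer from "fixing" it, otherwise `C:H/I:H/A:H` (9.8) would be the expected rating. The file body is outside this hunk, so I cannot see whether it already states the reasoning.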
--- a/insecure-referrer-policy.md
+++ b/insecure-referrer-policy.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A2, A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/insecure-silverlight-clientaccesspolicyxml-policy.md b/insecure-silverlight-clientaccesspolicyxml-policy.md
index 3c3ec74..7a2dcbf 100644
--- a/insecure-silverlight-clientaccesspolicyxml-policy.md
+++ b/insecure-silverlight-clientaccesspolicyxml-policy.md
@@ -1,15 +1,15 @@
 ---
 name: Insecure Silverlight clientaccesspolicy.xml policy
 severity: high
-cvss-score: 6.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-score: 8.2
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
 cwe-id: CWE-942
 cwe-name: Permissive Cross-domain Policy with Untrusted Domains
 compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.2, A.8.3, A.8.9
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/insecure-ssl-protocol-version-2-supported.md b/insecure-ssl-protocol-version-2-supported.md
index 21a3e89..8c2ca64 100644
--- a/insecure-ssl-protocol-version-2-supported.md
+++ b/insecure-ssl-protocol-version-2-supported.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/insecure-ssl-protocol-version-3-supported.md b/insecure-ssl-protocol-version-3-supported.md
index 8eb7bca..e54995a 100644
--- a/insecure-ssl-protocol-version-3-supported.md
+++ b/insecure-ssl-protocol-version-3-supported.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/invalid-referrer-policy.md b/invalid-referrer-policy.md
index 7911334..8edd028 100644
--- a/invalid-referrer-policy.md
+++ b/invalid-referrer-policy.md
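Review bot: The insecure-silverlight-clientaccesspolicyxml-policy hunk raises the score to 8.2 in lockstep with insecure-crossdomainxml-policy (same CWE-942, identical new vector), but unlike that file it does not gain `A.8.25` in its ISO 27001 mapping; the context line stays `  ISO 27001: A.8.2, A.8.3, A.8.9`. If A.8.25 is being attached per weakness class, this line should become `  ISO 27001: A.8.2, A.8.3, A.8.9, A.8.25` so the two twin entries do not drift; if the narrower mapping is intentional here, a note in the commit message would make that visible to the next person who diffs the pair.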
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A2, A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/joomla-version-with-known-vulnerabilities.md b/joomla-version-with-known-vulnerabilities.md
index 9f03d9b..fa5c4d3 100644
--- a/joomla-version-with-known-vulnerabilities.md
+++ b/joomla-version-with-known-vulnerabilities.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/jplayer-library-with-known-vulnerabilities.md b/jplayer-library-with-known-vulnerabilities.md
index 553d5d3..e84b748 100644
--- a/jplayer-library-with-known-vulnerabilities.md
+++ b/jplayer-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: jPlayer library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/jquery-file-upload-library-with-known-vulnerabilities.md b/jquery-file-upload-library-with-known-vulnerabilities.md
new file mode 100644
index 0000000..6a7f2cb
--- /dev/null
+++ b/jquery-file-upload-library-with-known-vulnerabilities.md
@@ -0,0 +1,28 @@
+---
+name: jQuery File Upload library with known vulnerabilities
+severity: low
+cvss-score: 4.8
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cwe-id: CWE-1035
+cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
+compliance:
+  HIPAA: 164.306(a)
+  ISO 27001: A.8.9
+  owasp10: A5, A6
+  pci: '6.2'
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
+
+---
+
+The application uses an outdated version of the jQuery File Upload library, which has known vulnerabilities.
+
+## How to fix
+
+{% tabs jquery-file-upload-library-with-known-vulnerabilities %}
+{% tab jquery-file-upload-library-with-known-vulnerabilities generic %}
+To fix this issue, please update jQuery File Upload to the latest available version on its official website.
+
+Do not forget to update all the jQuery File Upload files you have on the server.
+{% endtab %}
+
+{% endtabs %}
diff --git a/jquery-library-with-known-vulnerabilities.md b/jquery-library-with-known-vulnerabilities.md
index b4e5d56..a03552f 100644
--- a/jquery-library-with-known-vulnerabilities.md
+++ b/jquery-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: JQuery library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/jquery-migrate-library-with-known-vulnerabilities.md b/jquery-migrate-library-with-known-vulnerabilities.md
index 591a8f9..c2000b8 100644
--- a/jquery-migrate-library-with-known-vulnerabilities.md
+++ b/jquery-migrate-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: JQuery Migrate library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/jquery-mobile-library-with-known-vulnerabilities.md b/jquery-mobile-library-with-known-vulnerabilities.md
index b016e4c..bdccb5b 100644
--- a/jquery-mobile-library-with-known-vulnerabilities.md
+++ b/jquery-mobile-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: JQuery Mobile library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/jquery-ui-library-with-known-vulnerabilities.md b/jquery-ui-library-with-known-vulnerabilities.md
index dc7a0e7..ef925dc 100644
--- a/jquery-ui-library-with-known-vulnerabilities.md
+++ b/jquery-ui-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: jQuery UI library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/jszip-library-with-known-vulnerabilities.md b/jszip-library-with-known-vulnerabilities.md
index 52e5683..4365b7c 100644
--- a/jszip-library-with-known-vulnerabilities.md
+++ b/jszip-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: JSZip library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/jwt-accepting-none-algorithm.md b/jwt-accepting-none-algorithm.md
index bf06bf9..e12b379 100644
--- a/jwt-accepting-none-algorithm.md
+++ b/jwt-accepting-none-algorithm.md
@@ -2,14 +2,14 @@
 name: JWT accepting none algorithm
 severity: high
 cvss-score: 7.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
 cwe-id: CWE-345
 cwe-name: Insufficient Verification of Data Authenticity
 compliance:
   HIPAA: 164.306(a), 164.312(c)(1)
-  ISO 27001: A.8.2, A.8.3, A.8.5, A.8.24
+  ISO 27001: A.8.2, A.8.3, A.8.5, A.8.24, A.8.25
   owasp10: A8
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/jwt-algorithm-confusion.md b/jwt-algorithm-confusion.md
index ba5a908..52d6284 100644
--- a/jwt-algorithm-confusion.md
+++ b/jwt-algorithm-confusion.md
@@ -2,14 +2,14 @@
 name: JWT algorithm confusion
 severity: high
 cvss-score: 7.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
 cwe-id: CWE-345
 cwe-name: Insufficient Verification of Data Authenticity
 compliance:
   HIPAA: 164.306(a), 164.312(c)(1)
-  ISO 27001: A.8.2, A.8.3, A.8.5, A.8.24
+  ISO 27001: A.8.2, A.8.3, A.8.5, A.8.24, A.8.25
   owasp10: A8
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/jwt-signature-is-not-being-verified.md b/jwt-signature-is-not-being-verified.md
index d0642fe..d14f4ca 100644
--- a/jwt-signature-is-not-being-verified.md
+++ b/jwt-signature-is-not-being-verified.md
@@ -2,14 +2,14 @@
 name: JWT signature is not being verified
 severity: high
 cvss-score: 7.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
 cwe-id: CWE-345
 cwe-name: Insufficient Verification of Data Authenticity
 compliance:
   HIPAA: 164.306(a), 164.312(c)(1)
-  ISO 27001: A.8.2, A.8.3, A.8.5, A.8.24
+  ISO 27001: A.8.2, A.8.3, A.8.5, A.8.24, A.8.25
   owasp10: A8
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/knockout-library-with-known-vulnerabilities.md b/knockout-library-with-known-vulnerabilities.md
index 3f76b71..f3527ba 100644
--- a/knockout-library-with-known-vulnerabilities.md
+++ b/knockout-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Knockout library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/lodash-library-with-known-vulnerabilities.md b/lodash-library-with-known-vulnerabilities.md
new file mode 100644
index 0000000..a4dce98
--- /dev/null
+++ b/lodash-library-with-known-vulnerabilities.md
@@ -0,0 +1,28 @@
+---
+name: Lodash library with known vulnerabilities
+severity: low
+cvss-score: 4.8
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cwe-id: CWE-1035
+cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
+compliance:
+  HIPAA: 164.306(a)
+  ISO 27001: A.8.9
+  owasp10: A5, A6
+  pci: '6.2'
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
+
+---
+
+The application uses an outdated version of the Lodash library, which has known vulnerabilities.
+
+## How to fix
+
+{% tabs lodash-library-with-known-vulnerabilities %}
+{% tab lodash-library-with-known-vulnerabilities generic %}
+To fix this issue, please update Lodash to the latest available version on its official website.
+
+Do not forget to update all the Lodash files you have on the server.
+{% endtab %}
+
+{% endtabs %}
diff --git a/log-file-disclosure.md b/log-file-disclosure.md
index 2a404a8..3d732d5 100644
--- a/log-file-disclosure.md
+++ b/log-file-disclosure.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9, A.8.15
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/log4shell.md b/log4shell.md
index 597008a..15cdbb7 100644
--- a/log4shell.md
+++ b/log4shell.md
@@ -1,6 +1,6 @@
 ---
 name: Log4Shell
-severity: high
+severity: critical
 cvss-score: 10.0
 cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 cwe-id: CWE-917
@@ -11,7 +11,7 @@ compliance:
   ISO 27001: A.5.33, A.5.34, A.8.3, A.8.9, A.8.12
   owasp10: A3
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/mathjax-library-with-known-vulnerabilities.md b/mathjax-library-with-known-vulnerabilities.md
new file mode 100644
index 0000000..f688310
--- /dev/null
+++ b/mathjax-library-with-known-vulnerabilities.md
@@ -0,0 +1,28 @@
+---
+name: MathJax library with known vulnerabilities
+severity: low
+cvss-score: 4.8
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cwe-id: CWE-1035
+cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
+compliance:
+  HIPAA: 164.306(a)
+  ISO 27001: A.8.9
+  owasp10: A5, A6
+  pci: '6.2'
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
+
+---
+
+The application uses an outdated version of the MathJax library, which has known vulnerabilities.
+
+## How to fix
+
+{% tabs mathjax-library-with-known-vulnerabilities %}
+{% tab mathjax-library-with-known-vulnerabilities generic %}
+To fix this issue, please update MathJax to the latest available version on its official website.
+
+Do not forget to update all the MathJax files you have on the server.
+{% endtab %}
+
+{% endtabs %}
diff --git a/missing-clickjacking-protection.md b/missing-clickjacking-protection.md
index b9df178..3f12df3 100644
--- a/missing-clickjacking-protection.md
+++ b/missing-clickjacking-protection.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/missing-content-security-policy-header.md b/missing-content-security-policy-header.md
index 130b33e..d6b46ab 100644
--- a/missing-content-security-policy-header.md
+++ b/missing-content-security-policy-header.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/missing-cross-site-request-forgery-protection.md b/missing-cross-site-request-forgery-protection.md
index 202bf92..dd1716f 100644
--- a/missing-cross-site-request-forgery-protection.md
+++ b/missing-cross-site-request-forgery-protection.md
@@ -1,16 +1,16 @@
 ---
 name: Missing cross-site request forgery protection
-severity: low
+severity: medium
 cvss-score: 6.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
 cwe-id: CWE-352
 cwe-name: Cross-Site Request Forgery (CSRF)
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.8.2, A.8.3
+  ISO 27001: A.8.2, A.8.3, A.8.25
   owasp10: A7
   pci: 6.5.9, 6.5.10
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/mixed-content.md b/mixed-content.md
index daa0eba..26c98d2 100644
--- a/mixed-content.md
+++ b/mixed-content.md
@@ -1,16 +1,16 @@
 ---
 name: Mixed content
-severity: low
-cvss-score: 6.5
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
+severity: medium
+cvss-score: 5.9
+cvss-vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
 cwe-id: CWE-319
 cwe-name: Cleartext Transmission of Sensitive Information
 compliance:
   HIPAA: 164.306(a), 164.312(c)(1), 164.312(e)(1)
-  ISO 27001: A.5.14, A.8.24
+  ISO 27001: A.5.14, A.8.24, A.8.25
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/momentjs-library-with-known-vulnerabilities.md b/momentjs-library-with-known-vulnerabilities.md
index b779ca9..be6fb6b 100644
--- a/momentjs-library-with-known-vulnerabilities.md
+++ b/momentjs-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Moment.js library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/mongodb-injection.md b/mongodb-injection.md
index 4a0bef6..624eef7 100644
--- a/mongodb-injection.md
+++ b/mongodb-injection.md
@@ -3,14 +3,14 @@ name: MongoDB Injection
 severity: high
 cvss-score: 7.5
 cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
-cwe-id: '943'
+cwe-id: CWE-943
 cwe-name: Improper Neutralization of Special Elements in Data Query Logic
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12, A.8.25
   owasp10: A3
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/mustache-library-with-known-vulnerabilities.md b/mustache-library-with-known-vulnerabilities.md
index c276892..c9f8756 100644
--- a/mustache-library-with-known-vulnerabilities.md
+++ b/mustache-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Mustache library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/nextjs-library-with-known-vulnerabilities.md b/nextjs-library-with-known-vulnerabilities.md
index b04c6f8..95c270f 100644
--- a/nextjs-library-with-known-vulnerabilities.md
+++ b/nextjs-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Next.js library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/open-redirection.md b/open-redirection.md
index 9841f10..60563db 100644
--- a/open-redirection.md
+++ b/open-redirection.md
@@ -1,13 +1,14 @@
 ---
 name: Open redirection
-severity: low
+severity: medium
 cvss-score: 8.2
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
 cwe-id: CWE-601
 cwe-name: URL Redirection to Untrusted Site ('Open Redirect')
 compliance:
   HIPAA: 164.306(a)
-  PCI v4.0: pci4-6.2.4
+  ISO 27001: A.8.25
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/os-command-injection.md b/os-command-injection.md
index 48ea3fd..4efc7f9 100644
--- a/os-command-injection.md
+++ b/os-command-injection.md
@@ -1,16 +1,16 @@
 ---
 name: OS command injection
-severity: high
+severity: critical
 cvss-score: 9.8
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cwe-id: CWE-77
 cwe-name: Command Injection
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12, A.8.25
   owasp10: A3
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/path-traversal.md b/path-traversal.md
index d460c80..4717601 100644
--- a/path-traversal.md
+++ b/path-traversal.md
@@ -2,15 +2,15 @@
 name: Path traversal
 severity: high
 cvss-score: 7.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 cwe-id: CWE-22
 cwe-name: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
 compliance:
   HIPAA: 164.306(a), 164.312(a)(1), 164.312(d)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.4, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.4, A.8.12, A.8.25
   owasp10: A1
   pci: 6.5.8
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/pdfjs-library-with-known-vulnerabilities.md b/pdfjs-library-with-known-vulnerabilities.md
new file mode 100644
index 0000000..3954808
--- /dev/null
+++ b/pdfjs-library-with-known-vulnerabilities.md
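Review bot: In the open-redirection hunk, `+severity: medium` is paired with an unchanged `cvss-score: 8.2`, while the reflected cross-site scripting entry touched later in this same commit carries the identical score of 8.2 and keeps `severity: high`. The two vectors differ only in which of C/I is rated High, so the same base score now maps to two different labels within one commit, and a reader of the catalogue cannot tell which one is deliberate. If the label is a product-specific scale rather than the CVSS qualitative band (8.2 would be High there), a one-line front-matter comment such as `# severity is set editorially, not derived from cvss-score` next to the field would make that explicit; otherwise `severity: high` on this entry, or a revised score, would restore consistency.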
@@ -0,0 +1,28 @@
+---
+name: PDF.js library with known vulnerabilities
+severity: low
+cvss-score: 4.8
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cwe-id: CWE-1035
+cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
+compliance:
+  HIPAA: 164.306(a)
+  ISO 27001: A.8.9
+  owasp10: A5, A6
+  pci: '6.2'
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
+
+---
+
+The application uses an outdated version of the PDF.js library, which has known vulnerabilities.
+
+## How to fix
+
+{% tabs pdfjs-library-with-known-vulnerabilities %}
+{% tab pdfjs-library-with-known-vulnerabilities generic %}
+To fix this issue, please update PDF.js to the latest available version on its official website.
+
+Do not forget to update all the PDF.js files you have on the server.
+{% endtab %}
+
+{% endtabs %}
diff --git a/php-code-injection.md b/php-code-injection.md
index 9106b58..cae26b2 100644
--- a/php-code-injection.md
+++ b/php-code-injection.md
@@ -1,16 +1,16 @@
 ---
 name: PHP code injection
-severity: high
-cvss-score: 8.6
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
+severity: critical
+cvss-score: 9.8
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cwe-id: CWE-94
 cwe-name: Improper Control of Generation of Code ('Code Injection')
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12, A.8.25
   owasp10: A3
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/plupload-library-with-known-vulnerabilities.md b/plupload-library-with-known-vulnerabilities.md
index 2611b74..081c18a 100644
--- a/plupload-library-with-known-vulnerabilities.md
+++ b/plupload-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Plupload library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/potential-dos-on-tls-client-renegotiation.md b/potential-dos-on-tls-client-renegotiation.md
index 6320bb0..62df79c 100644
--- a/potential-dos-on-tls-client-renegotiation.md
+++ b/potential-dos-on-tls-client-renegotiation.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/prettyphoto-library-with-known-vulnerabilities.md b/prettyphoto-library-with-known-vulnerabilities.md
index 71ec9a7..d440802 100644
--- a/prettyphoto-library-with-known-vulnerabilities.md
+++ b/prettyphoto-library-with-known-vulnerabilities.md
@@ -2,14 +2,14 @@
 name: prettyPhoto library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A5, A6
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/private-ip-addresses-disclosed.md b/private-ip-addresses-disclosed.md
index 8277c15..d5ce0aa 100644
--- a/private-ip-addresses-disclosed.md
+++ b/private-ip-addresses-disclosed.md
@@ -2,14 +2,14 @@
 name: Private IP addresses disclosed
 severity: low
 cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
 cwe-id: CWE-200
 cwe-name: Exposure of Sensitive Information to an Unauthorized Actor
 compliance:
   HIPAA: 164.306(a), 164.312(a)(1), 164.312(d)
   ISO 27001: A.5.33, A.8.4, A.8.9, A.8.12
   owasp10: A1, A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/prototype-library-with-known-vulnerabilities.md b/prototype-library-with-known-vulnerabilities.md
index 955026f..8b3b0a8 100644
--- a/prototype-library-with-known-vulnerabilities.md
+++ b/prototype-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Prototype library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/python-code-injection.md b/python-code-injection.md
index 69202ac..d098a3a 100644
--- a/python-code-injection.md
+++ b/python-code-injection.md
@@ -1,16 +1,16 @@
 ---
 name: Python code injection
-severity: high
-cvss-score: 8.6
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
+severity: critical
+cvss-score: 9.8
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cwe-id: CWE-94
 cwe-name: Improper Control of Generation of Code ('Code Injection')
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12, A.8.25
   owasp10: A3
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/react-library-with-known-vulnerabilities.md b/react-library-with-known-vulnerabilities.md
index 21ead76..93a48a8 100644
--- a/react-library-with-known-vulnerabilities.md
+++ b/react-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: React library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/referrer-policy-not-defined.md b/referrer-policy-not-defined.md
index 41a4ec9..aa7ecb0 100644
--- a/referrer-policy-not-defined.md
+++ b/referrer-policy-not-defined.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A2, A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/reflected-cross-site-scripting.md b/reflected-cross-site-scripting.md
index df1ba51..b3413fa 100644
--- a/reflected-cross-site-scripting.md
+++ b/reflected-cross-site-scripting.md
@@ -1,16 +1,17 @@
 ---
 name: Reflected cross-site scripting
 severity: high
-cvss-score: 6.1
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 8.2
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
 cwe-id: CWE-79
 cwe-name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
 compliance:
   HIPAA: 164.306(a)
+  ISO 27001: A.8.25
   owasp10: A3
   pci: 6.5.7
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/remote-file-inclusion.md b/remote-file-inclusion.md
index 50c2055..c8045d2 100644
--- a/remote-file-inclusion.md
+++ b/remote-file-inclusion.md
@@ -1,15 +1,15 @@
 ---
 name: Remote File Inclusion
 severity: high
-cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
-cwe-id: '98'
+cvss-score: 7.5
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+cwe-id: CWE-98
 cwe-name: Improper Control of Filename for Include/Require Statement in PHP Program
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.4, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.4, A.8.12, A.8.25
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/ruby-code-injection.md b/ruby-code-injection.md
index c6721e7..a062d2e 100644
--- a/ruby-code-injection.md
+++ b/ruby-code-injection.md
@@ -1,16 +1,16 @@
 ---
 name: Ruby code injection
-severity: high
-cvss-score: 7.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+severity: critical
+cvss-score: 9.8
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cwe-id: CWE-94
 cwe-name: Improper Control of Generation of Code ('Code Injection')
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12, A.8.25
   owasp10: A3
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/secure-renegotiation-is-not-supported.md b/secure-renegotiation-is-not-supported.md
index c523554..84066b9 100644
--- a/secure-renegotiation-is-not-supported.md
+++ b/secure-renegotiation-is-not-supported.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/secure-tls-protocol-version-12-not-supported.md b/secure-tls-protocol-version-12-not-supported.md
index 84cae40..9886c3e 100644
--- a/secure-tls-protocol-version-12-not-supported.md
+++ b/secure-tls-protocol-version-12-not-supported.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/select2-library-with-known-vulnerabilities.md b/select2-library-with-known-vulnerabilities.md
new file mode 100644
index 0000000..f7929f1
--- /dev/null
+++ b/select2-library-with-known-vulnerabilities.md
@@ -0,0 +1,28 @@
+---
+name: Select2 library with known vulnerabilities
+severity: low
+cvss-score: 4.8
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cwe-id: CWE-1035
+cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
+compliance:
+  HIPAA: 164.306(a)
+  ISO 27001: A.8.9
+  owasp10: A5, A6
+  pci: '6.2'
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
+
+---
+
+The application uses an outdated version of the Select2 library, which has known vulnerabilities.
+
+## How to fix
+
+{% tabs select2-library-with-known-vulnerabilities %}
+{% tab select2-library-with-known-vulnerabilities generic %}
+To fix this issue, please update Select2 to the latest available version on its official website.
+
+Do not forget to update all the Select2 files you have on the server.
+{% endtab %}
+
+{% endtabs %}
diff --git a/server-cipher-order-not-configured.md b/server-cipher-order-not-configured.md
index 8841682..360bf21 100644
--- a/server-cipher-order-not-configured.md
+++ b/server-cipher-order-not-configured.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/server-side-javascript-injection.md b/server-side-javascript-injection.md
index 3f01625..6a46125 100644
--- a/server-side-javascript-injection.md
+++ b/server-side-javascript-injection.md
@@ -1,16 +1,16 @@
 ---
 name: Server-side JavaScript injection
-severity: high
-cvss-score: 7.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+severity: critical
+cvss-score: 9.8
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cwe-id: CWE-94
 cwe-name: Improper Control of Generation of Code ('Code Injection')
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12, A.8.25
   owasp10: A3
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/server-side-request-forgery.md b/server-side-request-forgery.md
index 9620c53..618cf76 100644
--- a/server-side-request-forgery.md
+++ b/server-side-request-forgery.md
@@ -1,16 +1,16 @@
 ---
 name: Server-side request forgery
-severity: high
+severity: medium
 cvss-score: 4.8
 cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
 cwe-id: CWE-918
 cwe-name: Server-Side Request Forgery (SSRF)
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.4, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.4, A.8.12, A.8.25
   owasp10: A10
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/server-side-template-injection.md b/server-side-template-injection.md
index 65621ed..0ab885c 100644
--- a/server-side-template-injection.md
+++ b/server-side-template-injection.md
@@ -1,16 +1,16 @@
 ---
 name: Server-side template injection
 severity: high
-cvss-score: 5.3
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+cvss-score: 8.6
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
 cwe-id: CWE-94
 cwe-name: Improper Control of Generation of Code ('Code Injection')
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12, A.8.25
   owasp10: A3
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/session-token-in-url.md b/session-token-in-url.md
index b5a435f..669dcf1 100644
--- a/session-token-in-url.md
+++ b/session-token-in-url.md
@@ -2,15 +2,15 @@
 name: Session Token in URL
 severity: medium
 cvss-score: 5.9
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
 cwe-id: CWE-200
 cwe-name: Exposure of Sensitive Information to an Unauthorized Actor
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.8.2, A.8.3
+  ISO 27001: A.8.2, A.8.3, A.8.25
   owasp10: A2, A7
   pci: 6.5.10
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/sessvars-library-with-known-vulnerabilities.md b/sessvars-library-with-known-vulnerabilities.md
index b47158a..0ec0d3b 100644
--- a/sessvars-library-with-known-vulnerabilities.md
+++ b/sessvars-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Sessvars library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/spring-cloud-spel-code-injection-cve-2022-22963.md b/spring-cloud-spel-code-injection-cve-2022-22963.md
index 9709d24..5e0f511 100644
--- a/spring-cloud-spel-code-injection-cve-2022-22963.md
+++ b/spring-cloud-spel-code-injection-cve-2022-22963.md
@@ -1,14 +1,14 @@
 ---
 name: Spring Cloud SPEL Code Injection (CVE-2022-22963)
-severity: high
+severity: critical
 cvss-score: 9.0
 cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
-cwe-id: '94'
+cwe-id: CWE-94
 cwe-name: Improper Control of Generation of Code ('Code Injection')
 compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.5.33, A.5.34, A.8.3, A.8.9, A.8.12
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/spring4shell.md b/spring4shell.md
index e497a29..f8f579d 100644
--- a/spring4shell.md
+++ b/spring4shell.md
@@ -1,6 +1,6 @@
 ---
 name: Spring4Shell
-severity: high
+severity: critical
 cvss-score: 10.0
 cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 cwe-id: CWE-94
@@ -8,7 +8,7 @@ cwe-name: Improper Control of Generation of Code ('Code Injection')
 compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.5.33, A.5.34, A.8.3, A.8.9, A.8.12
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/sql-injection.md b/sql-injection.md
index 44b5d01..e126d0a 100644
--- a/sql-injection.md
+++ b/sql-injection.md
@@ -1,16 +1,16 @@
 ---
 name: SQL Injection
-severity: high
-cvss-score: 8.6
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
+severity: critical
+cvss-score: 9.3
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
 cwe-id: CWE-89
 cwe-name: SQL Injection
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12
+  ISO 27001: A.5.33, A.5.34, A.8.3, A.8.12, A.8.25
   owasp10: A3
   pci: 6.5.1
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/ssl-cookie-without-secure-flag.md b/ssl-cookie-without-secure-flag.md
index 0fd057c..1d9acee 100644
--- a/ssl-cookie-without-secure-flag.md
+++ b/ssl-cookie-without-secure-flag.md
@@ -1,15 +1,16 @@
 ---
 name: SSL cookie without Secure flag
-severity: low
-cvss-score: 3.1
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
+severity: medium
+cvss-score: 5.3
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
 cwe-id: CWE-614
 cwe-name: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
 compliance:
   HIPAA: 164.306(a)
+  ISO 27001: A.8.25
   owasp10: A2, A7
   pci: 6.5.10
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/stored-cross-site-scripting.md b/stored-cross-site-scripting.md
index d95ad2c..57cc1cb 100644
--- a/stored-cross-site-scripting.md
+++ b/stored-cross-site-scripting.md
@@ -1,16 +1,17 @@
 ---
 name: Stored cross-site scripting
 severity: high
-cvss-score: 6.1
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 8.2
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
 cwe-id: CWE-79
 cwe-name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
 compliance:
   HIPAA: 164.306(a)
+  ISO 27001: A.8.25
   owasp10: A3
   pci: 6.5.7
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/supply-chain-compromise.md b/supply-chain-compromise.md
index 4a6c0df..cc864d9 100644
--- a/supply-chain-compromise.md
+++ b/supply-chain-compromise.md
@@ -5,7 +5,12 @@ cvss-score: 7.2
 cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
 cwe-id: CWE-1395
 cwe-name: Dependency on Vulnerable Third-Party Component
-compliance: {}
+compliance:
+  HIPAA: 164.306(a)
+  ISO 27001: A.8.9
+  owasp10: A5, A6
+  pci: '6.2'
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/svelte-library-with-known-vulnerabilities.md b/svelte-library-with-known-vulnerabilities.md
index 1b786bb..29adca0 100644
--- a/svelte-library-with-known-vulnerabilities.md
+++ b/svelte-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Svelte library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/swfobject-library-with-known-vulnerabilities.md b/swfobject-library-with-known-vulnerabilities.md
index 2668d1a..76af4ef 100644
--- a/swfobject-library-with-known-vulnerabilities.md
+++ b/swfobject-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: SWFObject library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/tinymce-library-with-known-vulnerabilities.md b/tinymce-library-with-known-vulnerabilities.md
index f7aba5b..ea07d84 100644
--- a/tinymce-library-with-known-vulnerabilities.md
+++ b/tinymce-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: TinyMCE library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/tls-certificate-about-to-expire.md b/tls-certificate-about-to-expire.md
index 11a6847..a0e87fd 100644
--- a/tls-certificate-about-to-expire.md
+++ b/tls-certificate-about-to-expire.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   ISO 27001: A.8.9
   owasp10: A2
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/tls-downgrade-attack-prevention-not-supported.md b/tls-downgrade-attack-prevention-not-supported.md
index 7812b30..98ac198 100644
--- a/tls-downgrade-attack-prevention-not-supported.md
+++ b/tls-downgrade-attack-prevention-not-supported.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/uaparserjs-library-with-known-vulnerabilities.md b/uaparserjs-library-with-known-vulnerabilities.md
new file mode 100644
index 0000000..f2e7ce9
--- /dev/null
+++ b/uaparserjs-library-with-known-vulnerabilities.md
@@ -0,0 +1,28 @@
+---
+name: UAParser.js library with known vulnerabilities
+severity: low
+cvss-score: 4.8
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cwe-id: CWE-1035
+cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
+compliance:
+  HIPAA: 164.306(a)
+  ISO 27001: A.8.9
+  owasp10: A5, A6
+  pci: '6.2'
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
+
+---
+
+The application uses an outdated version of the UAParser.js library, which has known vulnerabilities.
+
+## How to fix
+
+{% tabs uaparserjs-library-with-known-vulnerabilities %}
+{% tab uaparserjs-library-with-known-vulnerabilities generic %}
+To fix this issue, please update UAParser.js to the latest available version on its official website.
+
+Do not forget to update all the UAParser.js files you have on the server.
+{% endtab %}
+
+{% endtabs %}
diff --git a/underscorejs-library-with-known-vulnerabilities.md b/underscorejs-library-with-known-vulnerabilities.md
index 8bc1171..d68965c 100644
--- a/underscorejs-library-with-known-vulnerabilities.md
+++ b/underscorejs-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: Underscore.js library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/unencrypted-communications.md b/unencrypted-communications.md
index 23afaed..a5aaf14 100644
--- a/unencrypted-communications.md
+++ b/unencrypted-communications.md
@@ -1,8 +1,8 @@
 ---
 name: Unencrypted communications
 severity: high
-cvss-score: 6.5
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
+cvss-score: 5.9
+cvss-vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
 cwe-id: CWE-319
 cwe-name: Cleartext Transmission of Sensitive Information
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/untrusted-tls-certificate.md b/untrusted-tls-certificate.md
index 63af0e2..c054a45 100644
--- a/untrusted-tls-certificate.md
+++ b/untrusted-tls-certificate.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/using-jwk-parameter-to-verify-jwts.md b/using-jwk-parameter-to-verify-jwts.md
index 057ac42..7b05c38 100644
--- a/using-jwk-parameter-to-verify-jwts.md
+++ b/using-jwk-parameter-to-verify-jwts.md
@@ -2,14 +2,14 @@
 name: Using jwk parameter to verify JWTs
 severity: high
 cvss-score: 7.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
 cwe-id: CWE-345
 cwe-name: Insufficient Verification of Data Authenticity
 compliance:
   HIPAA: 164.306(a), 164.312(c)(1)
-  ISO 27001: A.8.2, A.8.3, A.8.5, A.8.24
+  ISO 27001: A.8.2, A.8.3, A.8.5, A.8.24, A.8.25
   owasp10: A8
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/vuejs-library-with-known-vulnerabilities.md b/vuejs-library-with-known-vulnerabilities.md
index c836edd..e48dd1a 100644
--- a/vuejs-library-with-known-vulnerabilities.md
+++ b/vuejs-library-with-known-vulnerabilities.md
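Review bot: In the unencrypted-communications hunk the unchanged context line `severity: high` now disagrees with the new `cvss-score: 5.9`, which falls in the CVSS v3.1 Medium band, while the same commit keeps severity and score aligned elsewhere (5.3 → `severity: medium` in ssl-cookie-without-secure-flag, 9.3 → `severity: critical` in sql-injection). The drop comes from the vector moving to `AV:A`, so either the severity should be lowered to `severity: medium` here, or the intended risk really is high and the score/vector should be revisited rather than left contradicting it. Consumers that rank or filter findings by the `severity` field will otherwise place this above findings the commit scores higher.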
@@ -2,7 +2,7 @@
 name: Vue.js library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/weak-cipher-suites-enabled.md b/weak-cipher-suites-enabled.md
index 96ca0a2..0d0da00 100644
--- a/weak-cipher-suites-enabled.md
+++ b/weak-cipher-suites-enabled.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.5.14, A.8.9, A.8.24
   owasp10: A2
   pci: 4.1, 6.5.4
-  PCI v4.0: pci4-4.2.1, pci4-6.2.4
+  PCI-DSS v4.0.1: 4.2.1, 6.2.4
 
 ---
 
diff --git a/weak-jwt-hmac-secret.md b/weak-jwt-hmac-secret.md
index cd6e6a2..ef66cb0 100644
--- a/weak-jwt-hmac-secret.md
+++ b/weak-jwt-hmac-secret.md
@@ -2,14 +2,14 @@
 name: Weak JWT HMAC secret
 severity: high
 cvss-score: 7.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
 cwe-id: CWE-345
 cwe-name: Insufficient Verification of Data Authenticity
 compliance:
   HIPAA: 164.306(a), 164.312(c)(1)
-  ISO 27001: A.8.2, A.8.3, A.8.5, A.8.24
+  ISO 27001: A.8.2, A.8.3, A.8.5, A.8.24, A.8.25
   owasp10: A8
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/wordpress-plugin-with-known-vulnerabilities.md b/wordpress-plugin-with-known-vulnerabilities.md
index 063131f..c752d25 100644
--- a/wordpress-plugin-with-known-vulnerabilities.md
+++ b/wordpress-plugin-with-known-vulnerabilities.md
@@ -9,7 +9,7 @@ compliance:
   HIPAA: 164.306(a)
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/wordpress-version-with-known-vulnerabilities.md b/wordpress-version-with-known-vulnerabilities.md
index bbef635..e56ba8c 100644
--- a/wordpress-version-with-known-vulnerabilities.md
+++ b/wordpress-version-with-known-vulnerabilities.md
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---
 
diff --git a/xml-external-entity-injection.md b/xml-external-entity-injection.md
index 96420cb..27fca88 100644
--- a/xml-external-entity-injection.md
+++ b/xml-external-entity-injection.md
@@ -2,14 +2,14 @@
 name: XML external entity injection
 severity: high
 cvss-score: 7.5
-cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 cwe-id: CWE-611
 cwe-name: Improper Restriction of XML External Entity Reference
 compliance:
   HIPAA: 164.306(a)
-  ISO 27001: A.8.9
+  ISO 27001: A.8.9, A.8.25
   owasp10: A5
-  PCI v4.0: pci4-6.2.4
+  PCI-DSS v4.0.1: 6.2.4
 
 ---
 
diff --git a/yui-library-with-known-vulnerabilities.md b/yui-library-with-known-vulnerabilities.md
index 61d16ae..61d7af5 100644
--- a/yui-library-with-known-vulnerabilities.md
+++ b/yui-library-with-known-vulnerabilities.md
@@ -2,7 +2,7 @@
 name: YUI library with known vulnerabilities
 severity: low
 cvss-score: 4.8
-cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+cvss-vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
 cwe-id: CWE-1035
 cwe-name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
 compliance:
@@ -10,7 +10,7 @@ compliance:
   ISO 27001: A.8.9
   owasp10: A5, A6
   pci: '6.2'
-  PCI v4.0: pci4-6.2.4, pci4-6.3.3
+  PCI-DSS v4.0.1: 6.2.4, 6.3.3
 
 ---