WS-2014-0004 Medium Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

WS-2014-0004 - Medium Severity Vulnerability

Vulnerable Library - validator-1.5.1.tgz

Data validation, filtering and sanitization for node.js

path: /curratelo/node_modules/validator/package.json

Library home page: http://registry.npmjs.org/validator/-/validator-1.5.1.tgz

Dependency Hierarchy:

• ❌ validator-1.5.1.tgz (Vulnerable Library)

Vulnerability Details

XSS Filter Bypass via Encoded URL.The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). A method of bypassing the filter via an encoded URL has been publicly disclosed. In general, because the function’s filtering is blacklist-based it is likely that other bypasses will be discovered in the future

Publish Date: 2014-10-27

URL: WS-2014-0004

CVSS 2 Score Details (6.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/validator_XSS_Filter_Bypass_via_Encoded_URL

Release Date: 2014-10-27

Fix Resolution: Upgrade to the latest version of this library. However, it should be noted that the fix for this vulnerability was to remove the xss filter functionality. Seek another library to provide proper output encoding.

---

Step up your Open Source Security Game with WhiteSource here