First published: Thu May 31 2018(Updated: )
Affected versions of `backbone` are vulnerable to cross-site scripting when users are allowed to supply input to the `Model#escape` function (written `Model#Escape` in the CVE record) and its output is then written to the DOM. The vulnerability occurs because the regular expression used to encode HTML metacharacters does not account for every character that must be encoded before output; the original advisory cites `<` as its example. `Model#escape` is only as safe as the set of characters it encodes: escaped output that still contains a raw angle bracket or quote lets an attacker break out of the surrounding text or attribute and inject markup. Note also that even a complete escaper only protects HTML text and quoted-attribute contexts; values placed into inline script, event handlers or URLs need context-specific encoding.

## Recommendation

Update to version 0.5.0 or later.
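As an added example (not Backbone's code and not the HackerOne report's proof of concept), the following JavaScript shows the check a practitioner would run against an HTML escaper before trusting its output in the DOM: feed it each HTML metacharacter and see which come back unencoded, then compare what an incomplete escaper and a complete one emit for an attacker-controlled attribute value. `SimpleModel`, `escapeHtmlIncomplete` and `PAYLOAD` are constructed for illustration; `SimpleModel` only mimics the `Model#escape(attr)` contract.

```javascript
// Added example: a self-contained check of an HTML escaper of the kind Model#escape relies on.
// Nothing here is Backbone's own code; SimpleModel, escapeHtmlIncomplete and PAYLOAD are
// constructed for illustration.

// Characters that are significant in HTML text and attribute contexts, with their encodings.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// Complete escaper: every metacharacter in ENTITY_MAP is replaced with its entity.
function escapeHtmlComplete(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ENTITY_MAP[c]);
}

// Constructed, deliberately incomplete escaper standing in for the class of bug the advisory
// describes: it encodes only `&` and `"`, so `<`, `>`, `'` and `/` reach the DOM untouched.
function escapeHtmlIncomplete(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Audit: which metacharacters does `escapeFn` pass through unchanged?
function findUnescaped(escapeFn) {
  return Object.keys(ENTITY_MAP).filter((c) => escapeFn(c) === c);
}

// True when an "escaped" string still contains something a browser parses as markup:
// a raw angle bracket or quote, or an `&` that does not begin one of the entities above.
function hasRawMarkup(html) {
  return /[<>"']/.test(html) || /&(?!(?:amp|lt|gt|quot|#x27|#x2f);)/i.test(html);
}

// Hypothetical model with the same contract as Backbone's Model#escape(attr):
// return the attribute value encoded for insertion into HTML.
class SimpleModel {
  constructor(attributes, escapeFn) {
    this.attributes = { ...attributes };
    this.escapeFn = escapeFn;
  }
  get(attr) { return this.attributes[attr]; }
  escape(attr) {
    const v = this.get(attr);
    return v == null ? '' : this.escapeFn(String(v));
  }
}

// Constructed attacker-controlled attribute value, as a user might submit in a profile field.
const PAYLOAD = "<img src=x onerror=alert(1)>";

// Compares what the two escapers emit for PAYLOAD when a view interpolates the result into an
// element body (innerHTML, a template, etc.).
function compareEscapers() {
  const vulnerable = new SimpleModel({ name: PAYLOAD }, escapeHtmlIncomplete);
  const fixed = new SimpleModel({ name: PAYLOAD }, escapeHtmlComplete);
  return {
    missingInIncomplete: findUnescaped(escapeHtmlIncomplete),
    missingInComplete: findUnescaped(escapeHtmlComplete),
    incompleteStillMarkup: hasRawMarkup(vulnerable.escape('name')),
    completeStillMarkup: hasRawMarkup(fixed.escape('name')),
    completeOutput: fixed.escape('name'),
  };
}

console.log(compareEscapers());
```

`findUnescaped` is the part worth keeping around: run it against whatever escaper your templates actually call (for a Backbone app, `new Backbone.Model({ v: c }).escape('v')` for each character) rather than trusting the version number alone, since a wrapper or a second escaping layer in the app can reintroduce the same gap.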
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
npm/backbone | <0.5.0 | 0.5.0 |
Backbone Project Backbone | <=0.3.3 | |
IBM Security Verify Access Docker | <=10.0.0 | |
The vulnerability ID for this issue is CVE-2016-10537.
The severity of CVE-2016-10537 is medium with a CVSS score of 6.1.
Affected software includes the Node.js Backbone module before version 0.5.0, Backbone Project Backbone up to and including version 0.3.3, and IBM Security Verify Access Docker up to and including version 10.0.0.
CVE-2016-10537 is a cross-site scripting (XSS) vulnerability in the `Model#escape` function of the Node.js Backbone module: the function's HTML escaping is incomplete, so an attacker-controlled attribute value that is escaped with it and then written to the DOM can still inject markup and script that executes in the victim's browser.
To fix CVE-2016-10537, upgrade to a version of the affected software that has a fix available; for the Node.js Backbone module that means version 0.5.0 or newer.