CVE-2019-14862: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
(updated )
There is a vulnerability in knockout, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
References
- bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14862
- github.com/advisories/GHSA-vcjj-xf2r-mwvc
- github.com/knockout/knockout/commit/7e280b2b8a04cc19176b5171263a5c68bda98efb
- github.com/knockout/knockout/issues/1244
- github.com/knockout/knockout/pull/2345
- nvd.nist.gov/vuln/detail/CVE-2019-14862
- snyk.io/vuln/npm:knockout:20180213
- www.oracle.com/security-alerts/cpujan2021.html
- www.oracle.com/security-alerts/cpujul2020.html
- www.whitesourcesoftware.com/vulnerability-database/WS-2019-0015
Detect and mitigate CVE-2019-14862 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →