Vulnerability Description
backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and earlier, if a user is able to supply input. This is due to the regex that's replacing things to miss the conversion of things such as `<` to `<`.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Backbone Project | Backbone | <= 0.3.3 |
Related Weaknesses (CWE)
References
- https://github.com/jashkenas/backbone/compare/0.3.3...0.5.0#diff-0d56d0d310de7ffIssue TrackingThird Party Advisory
- https://nodesecurity.io/advisories/108Third Party Advisory
- https://github.com/jashkenas/backbone/compare/0.3.3...0.5.0#diff-0d56d0d310de7ffIssue TrackingThird Party Advisory
- https://nodesecurity.io/advisories/108Third Party Advisory
FAQ
What is CVE-2016-10537?
CVE-2016-10537 is a vulnerability with a CVSS score of 5.4 (MEDIUM). backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site ...
How severe is CVE-2016-10537?
CVE-2016-10537 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10537?
Check the references section above for vendor advisories and patch information. Affected products include: Backbone Project Backbone.