How is the Web Application Security Risk Vector Assessed?
Using a library with missing security patches can make your web application exceptionally easy to abuse, making it crucial to ensure that any available security updates are applied immediately.
Framework References
Organization | Framework |
---|---|
OWASP | A06:2021 - Vulnerable and Outdated Components |
CWE | CWE-1104: Use of Unmaintained Third Party Component |
JavaScript Libraries with Known Vulnerabilities
We found a JavaScript library in use that contains known vulnerabilities.
Finding Message: Use of one or more JavaScript libraries with known vulnerabilities
Grading & Conditions
We grade these findings based on the Common Vulnerability Scoring System (CVSS) attributed to each Common Vulnerabilities and Exposures (CVE) present in all JavaScript libraries within that website.
We generate a single finding for each scanned website based on the composite severity of all vulnerabilities (CVEs) found within that site. Each (hostname, port) combination is considered a separate website.
CVSS Score | Severity |
---|---|
0.0 | Informational |
0.1 - 3.9 | Minor |
4.0 - 6.9 | Moderate |
7.0 - 10.0 | Material |
We take the number of vulnerabilities and their severities and add a finding based on the following grade scale.

Minimum weight: 0
Maximum weight: 10101

Possible Grades:

Weight | Condition |
---|---|
0 | The website has no known JavaScript vulnerabilities. |
Between >0 and <10 | A maximum of two moderate severity vulnerabilities or multiple lower severity vulnerabilities were identified with a sum of individual weights that is greater than zero and less than three. |
Between ≥10 and <1000 | Between three and four moderate severity vulnerabilities or multiple lower severity vulnerabilities were identified with a sum of individual weights that is greater than or equal to three and less than five. |
Between ≥1000 and ≤10101 | At least one material severity vulnerability or multiple lower severity vulnerabilities were identified with a sum of individual weights that is equal to or greater than five. |
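As an added illustration, not the rating system's own scoring code, the following Python reproduces the two thresholds described above (CVSS score to severity, summed weight to grade band) and the one-finding-per-(hostname, port) rule. The sample scan records, CVE placeholders and per-vulnerability weights are assumed, since the page does not publish how each vulnerability's weight is derived.

```python
from collections import defaultdict

# Constructed sample scan data: (hostname, port, CVE id, CVSS base score, weight).
# CVE ids are placeholders; the per-vulnerability weights are assumed, since the page
# only says that a site's finding sums "individual weights".
SAMPLE_VULNS = [
    ("www.example.com", 443, "CVE-PLACEHOLDER-1", 5.3, 1),
    ("www.example.com", 443, "CVE-PLACEHOLDER-2", 6.1, 1),
    ("www.example.com", 80, "CVE-PLACEHOLDER-3", 9.8, 1000),
    ("static.example.com", 443, "CVE-PLACEHOLDER-4", 0.0, 0),
]

def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the page's severity bucket."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "Informational"
    if score < 4.0:          # 0.1 - 3.9
        return "Minor"
    if score < 7.0:          # 4.0 - 6.9
        return "Moderate"
    return "Material"        # 7.0 - 10.0

def weight_band(total_weight: int) -> str:
    """Map a site's summed weight (0..10101) to the grade-scale band."""
    if not 0 <= total_weight <= 10101:
        raise ValueError(f"weight outside the 0..10101 scale: {total_weight}")
    if total_weight == 0:
        return "0"
    if total_weight < 10:
        return ">0 and <10"
    if total_weight < 1000:
        return ">=10 and <1000"
    return ">=1000 and <=10101"

def composite_findings(vulns):
    """One finding per (hostname, port) website, as the page describes."""
    by_site = defaultdict(list)
    for host, port, cve, cvss, weight in vulns:
        by_site[(host, port)].append((cve, cvss, weight))
    findings = {}
    for site, entries in by_site.items():
        total = sum(weight for _, _, weight in entries)
        findings[site] = {
            "cve_count": len(entries),
            "max_severity": cvss_severity(max(cvss for _, cvss, _ in entries)),
            "total_weight": total,
            "band": weight_band(total),
        }
    return findings
```

Note that a site whose only CVE scores 0.0 still gets a finding, in the weight 0 band, so the grouping step must not silently drop Informational entries.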
Mitigation
Website owners should either upgrade the affected JavaScript libraries to versions that are not affected by known vulnerabilities or remove that dependency from the web application.
- March 4, 2025: Updated weights per changes implemented December 16, 2024.
- January 15, 2025: Linked finding messages.
- December 5, 2024: Moved to a more exclusive section.