Web Application Security Assessment: Components with Known Vulnerabilities
Jessica

Using a library with missing security patches can make your web application exceptionally easy to abuse, so it is crucial to apply any available security updates immediately. See how Web Application Security is assessed.

API: GET Web Application Security Evidence: Components with Known Vulnerabilities

Framework References

  Organization   Framework
  OWASP          A06:2021 - Vulnerable and Outdated Components
  CWE            CWE-1104: Use of Unmaintained Third Party Component

JavaScript Libraries with Known Vulnerabilities

We found a JavaScript library in use that contains known vulnerabilities.

Finding Message: Use of one or more JavaScript libraries with known vulnerabilities

Grading & Conditions

We grade these findings based on the Common Vulnerability Scoring System (CVSS) score attributed to each Common Vulnerabilities and Exposures (CVE) entry present in all JavaScript libraries within that website. We generate a single finding for each scanned website based on the composite severity of all vulnerabilities (CVEs) found within that site. Each (hostname, port) combination is considered a separate website.

  CVSS Score    Severity
  0.0           Informational
  0.1 - 3.9     Minor
  4.0 - 6.9     Moderate
  7.0 - 10.0    Material

We take the number of vulnerabilities and their severities and add a finding based on the following grade scale.

Minimum weight: 0
Maximum weight: 10101

Possible Grades:

Weight = 0
Condition: The website has no known JavaScript vulnerabilities.

Weight = between >0 and <10
Condition: A maximum of two moderate severity vulnerabilities, or multiple lower severity vulnerabilities, were identified with a sum of individual weights that is greater than zero and less than three.

Weight = between ≥10 and <1000
Condition: Between three and four moderate severity vulnerabilities, or multiple lower severity vulnerabilities, were identified with a sum of individual weights that is greater than or equal to three and less than five.

Weight = between ≥1000 and ≤10101
Condition: At least one material severity vulnerability, or multiple lower severity vulnerabilities, were identified with a sum of individual weights that is equal to or greater than five.

Mitigation

Website owners should either upgrade the affected JavaScript libraries to versions that are not affected by known vulnerabilities or remove that dependency from the web application.

March 4, 2025: Updated weights per changes implemented December 16, 2024.
January 15, 2025: Linked finding messages.
December 5, 2024: Moved to a more exclusive section.
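The grading logic above, worked through as an added example (not the assessment provider's own code): CVEs are grouped per (hostname, port) website, each CVSS score is mapped to the article's severity label, and the site's summed individual weights are placed into the weight bands listed under Possible Grades. The per-severity individual weights are an assumption, chosen so that the article's stated conditions hold (Moderate = 1, so two moderates sum to 2 and three to four moderates sum to 3 or 4; Material = 5, so one material reaches 5); the hostnames, CVE identifiers and scores in the sample are constructed.

```python
from collections import defaultdict

# CVSS base score -> severity label, as in the article's table.
def cvss_severity(score: float) -> str:
    if score <= 0.0:
        return "Informational"
    if score < 4.0:
        return "Minor"
    if score < 7.0:
        return "Moderate"
    return "Material"

# ASSUMED per-CVE individual weights. The article gives only the band
# conditions; Moderate = 1 and Material = 5 satisfy them, while the
# Minor and Informational values are placeholders placed below Moderate.
INDIVIDUAL_WEIGHT = {"Informational": 0.0, "Minor": 0.5,
                     "Moderate": 1.0, "Material": 5.0}

# Composite weight band from the article's grade scale, keyed on the
# sum of individual weights for one website.
def finding_band(weight_sum: float) -> str:
    if weight_sum <= 0:
        return "0"
    if weight_sum < 3:
        return ">0 and <10"
    if weight_sum < 5:
        return ">=10 and <1000"
    return ">=1000 and <=10101"

def grade_sites(cves):
    """cves: iterable of (hostname, port, cve_id, cvss_score).
    Returns {(hostname, port): (weight_sum, band)}; one finding per
    website, since each (hostname, port) pair is graded separately."""
    sums = defaultdict(float)
    for host, port, _cve_id, score in cves:
        sums[(host, port)] += INDIVIDUAL_WEIGHT[cvss_severity(score)]
    return {site: (total, finding_band(total)) for site, total in sums.items()}

# Constructed sample scan output (placeholder CVE ids, made-up scores).
SAMPLE = [
    ("www.example.com", 443, "CVE-XXXX-0001", 6.1),   # Moderate
    ("www.example.com", 443, "CVE-XXXX-0002", 5.3),   # Moderate
    ("www.example.com", 8443, "CVE-XXXX-0003", 9.8),  # Material
    ("api.example.com", 443, "CVE-XXXX-0004", 0.0),   # Informational
]

if __name__ == "__main__":
    for (host, port), (total, band) in sorted(grade_sites(SAMPLE).items()):
        print(f"{host}:{port} weight_sum={total} band={band}")
```

Note that the two moderate CVEs on port 443 stay in the lowest non-zero band, while the single material CVE on port 8443 is a separate website and lands in the top band on its own.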