⇤ How is the Web Application Security Risk Vector Assessed?
Using a library with missing security patches can make your web application exceptionally easy to abuse, making it crucial to ensure that any available security updates are applied immediately.
Framework References
| Organization | Framework |
|---|---|
| OWASP | A06:2021 - Vulnerable and Outdated Components |
| CWE | CWE-1104: Use of Unmaintained Third Party Component |
JavaScript Libraries with Known Vulnerabilities
We found a JavaScript library in use that contains known vulnerabilities.
Grading
We grade these findings based on the Common Vulnerability Scoring System (CVSS) attributed to each Common Vulnerabilities and Exposures (CVE) present in all JavaScript libraries within that website.
We generate a single finding for each scanned website based on the composite severity of all vulnerabilities (CVEs) found within that site. Each (hostname, port) combination is considered a separate website.
To calculate the composite severity, we assign a weight to each vulnerability based on its CVSS score.
| CVSS Score | Severity | Weight |
|---|---|---|
| 0.0 | Informational | 0 |
| 0.1 - 3.9 | Minor | 0.1 |
| 4.0 - 6.9 | Moderate | 1 |
| 7.0 - 10.0 | Material | 10 |
We take the sum of the individual weights of each vulnerability and add a finding based on the following grade scale.
| Criteria | Score | Grade |
|---|---|---|
| The website has no known JavaScript vulnerabilities. | 0 | GOOD |
| A maximum of two moderate severity vulnerabilities or multiple lower severity vulnerabilities were identified with a sum of individual weights that is greater than zero and less than three. | 0 < sum(weights) < 3 | FAIR |
| Between three and four moderate severity vulnerabilities or multiple lower severity vulnerabilities were identified with a sum of individual weights that is greater than or equal to three and less than five. | 3 <= sum(weights) < 5 | WARN |
| At least one material severity vulnerability or multiple lower severity vulnerabilities were identified with a sum of individual weights that is equal to or greater than five. | sum(weights) >= 5 | BAD |
Mitigation
Website owners should either upgrade the affected JavaScript libraries to versions that are not affected by known vulnerabilities or remove that dependency from the web application.