Web Application Security Assessment: Components with Known Vulnerabilities

Using a library with missing security patches can make your web application exceptionally easy to abuse, making it crucial to ensure that any available security updates are applied immediately.

See how Web Application Security is assessed.

API: GET Web Application Security Evidence: Components with Known Vulnerabilities

Framework References

JavaScript Libraries with Known Vulnerabilities

We found a JavaScript library in use that contains known vulnerabilities.

Finding Message: Use of one or more JavaScript libraries with known vulnerabilities

Grading & Conditions

We grade these findings based on the Common Vulnerability Scoring System (CVSS) attributed to each Common Vulnerabilities and Exposures (CVE) present in all JavaScript libraries within that website.

We generate a single finding for each scanned website based on the composite severity of all vulnerabilities (CVEs) found within that site. Each (hostname, port) combination is considered a separate website.

We take the number of vulnerabilities and their severities and add a finding based on the following grade scale.

Minimum weight: 0

Maximum weight: 10101

Possible Grades:

Weight = 0

Condition = The website has no known JavaScript vulnerabilities.

Weight = Between >0 and <10

Condition = A maximum of two moderate severity vulnerabilities or multiple lower severity vulnerabilities were identified with a sum of individual weights that is greater than zero and less than three.

Weight = Between ≥10 and <1000

Condition = Between three and four moderate severity vulnerabilities or multiple lower severity vulnerabilities were identified with a sum of individual weights that is greater than or equal to three and less than five.

Weight = Between ≥1000 and ≤10101

Condition = At least one material severity vulnerability or multiple lower severity vulnerabilities were identified with a sum of individual weights that is equal to or greater than five.

Mitigation

Website owners should either upgrade the affected JavaScript libraries to versions that are not affected by known vulnerabilities or remove that dependency from the web application.