  • M Jamil 7 posts 87 karma points notactivated
    Nov 17, 2022 @ 10:02
    M Jamil
    0

    OWASP scan vulnerability Detected

    Hi,

    We had a recent OWASP scan for our site (Umbraco v8.18.5), and a few vulnerabilities were detected by the scan.

    1- Handlebars (critical)

    The following version was identified as being out of date:
    Version: Handlebars v 4.7.6
    Detected at: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.7.6/handlebars.min.js (remote included)
    Vulnerability Info:

    critical: The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source (CVE-2021-23383)

    critical: The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source (CVE-2021-23369)

    2- Axios (medium)

    The following version was identified as being out of date:
    Version: Axios v 0.20.0
    Detected at: https://cdnjs.cloudflare.com/ajax/libs/axios/0.20.0/axios.min.js
    Vulnerability Info:

    high: Axios is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3749)

    medium: Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2020-28168)

    3- Moment.js (high)

    The following version was identified as being out of date:
    Version: moment.js v 2.27.0
    Detected at:
    Vulnerability Info:

    high: This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale (CVE-2022-24785)

    high: Regular Expression Denial of Service (ReDoS), affecting the moment package, versions >=2.18.0 <2.29.4 (CVE-2022-31129)

    I have found moment.min.js, but couldn't find the other 2 libraries?
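As an added example (not code from the thread or from Umbraco), the script below locates references to the three libraries from the scan in a site's views, pages and minified bundles and flags versions below the first fixed release, which is how a "detected at" finding can be traced to a concrete file. The fixed version for axios and the header-banner formats are assumptions, marked as such in the comments.

```python
import re
from pathlib import Path
from typing import Iterator, List, NamedTuple

# First fixed release per library: handlebars 4.7.7 and moment 2.29.4 come from the
# advisories quoted in the scan; axios 0.21.2 is an ASSUMPTION (upstream fix for
# CVE-2021-3749) and should be confirmed against the advisory before relying on it.
FIXED = {"handlebars": (4, 7, 7), "axios": (0, 21, 2), "moment": (2, 29, 4)}

# cdnjs script URLs of the kind the scanner reported as "remote included".
CDN_RE = re.compile(r"cdnjs\.cloudflare\.com/ajax/libs/(handlebars\.js|axios|moment\.js)"
                    r"/(\d+\.\d+\.\d+)/", re.IGNORECASE)
# Assumed header banners of local bundles: "handlebars v4.7.6", "axios v0.20.0", "moment.js ... version : 2.27.0".
BANNER_RE = re.compile(r"\b(handlebars|axios|moment)\b[^0-9]{0,40}?v?(\d+\.\d+\.\d+)",
                       re.IGNORECASE)

class Finding(NamedTuple):
    source: str      # file (or label) in which the reference was found
    library: str
    version: str
    outdated: bool

def is_outdated(library: str, version: str) -> bool:
    return tuple(int(p) for p in version.split(".")) < FIXED[library]

def scan_text(source: str, text: str) -> List[Finding]:
    """Return each library reference in one file's contents, deduplicated, in order."""
    hits = [(m.group(1).lower().split(".")[0], m.group(2)) for m in CDN_RE.finditer(text)]
    if source.lower().endswith(".js"):   # only a JS header carries a usable banner
        hits += [(m.group(1).lower(), m.group(2)) for m in BANNER_RE.finditer(text[:400])]
    return [Finding(source, lib, ver, is_outdated(lib, ver)) for lib, ver in dict.fromkeys(hits)]

def scan_tree(root: Path) -> Iterator[Finding]:
    """Walk a site root (views, pages, scripts) so every finding maps to a file."""
    for path in root.rglob("*"):
        if path.suffix.lower() in {".cshtml", ".html", ".js"}:
            yield from scan_text(str(path), path.read_text(encoding="utf-8", errors="ignore"))

# Constructed sample files mirroring the scan report (not taken from a real site).
SAMPLES = {
    "Views/Partials/Scripts.cshtml":
        '<script src="https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.7.6/handlebars.min.js"></script>\n'
        '<script src="https://cdnjs.cloudflare.com/ajax/libs/axios/0.20.0/axios.min.js"></script>\n',
    "wwwroot/lib/moment.min.js": "//! moment.js\n//! version : 2.27.0\n!function(e,t){}();",
    "wwwroot/lib/axios.min.js": "/* axios v0.21.2 | (c) 2021 */ !function(){}();",
}

def demo() -> List[Finding]:
    return [f for name, text in SAMPLES.items() for f in scan_text(name, text)]
```

On a real site, call scan_tree(Path("wwwroot")) (or the folder holding the views and backoffice scripts) instead of demo(); the banner check is a heuristic, so confirm a hit by opening the file.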

  • Huw Reddick 1736 posts 6076 karma points MVP c-trib
    Nov 22, 2022 @ 17:06
    Huw Reddick
    0

    Umbraco v8.18.6

    I am not aware that this version exists; the latest v8 is 8.18.5!

  • M Jamil 7 posts 87 karma points notactivated
    Nov 30, 2022 @ 09:30
    M Jamil
    0

    Thank you for pointing that out, and sorry for the confusion; I meant to say v8.18.5. I have edited the post.

    Actually, v8.18.6 is in progress, but the release date is not yet determined. https://our.umbraco.com/download/releases/8186

    This version does include a backoffice dependencies upgrade, and one of them is moment.js, as came up in our scan, but I'm not sure about handlebars.min.js and axios.min.js.

    https://github.com/umbraco/Umbraco-CMS/pull/12919

  • Huw Reddick 1736 posts 6076 karma points MVP c-trib
    Nov 30, 2022 @ 13:29
    Huw Reddick
    0

    Not sure what those two are either, I'm afraid.
