RubyGems package
ember-source
pkg:gem/ember-source
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2013-4170 | — | | | < 1.0.0.rc1.1 | 1.0.0.rc1.1 | Jun 30, 2022 | In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the `tagName` property of an `Ember.View` was inserted into such a string without being sanitized. This means that if an application assigns a |
| CVE-2014-0014 | — | | | >= 1.0.0.pre4.0, < 1.0.1 | 1.0.1 | Feb 15, 2018 | Ember.js 1.0.x before 1.0.1, 1.1.x before 1.1.3, 1.2.x before 1.2.1, 1.3.x before 1.3.1, and 1.4.x before 1.4.0-beta.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging an application using the "{{group}}" Helper and a crafted payload. |
| CVE-2014-0013 | — | | | >= 1.0.0.pre4.0, < 1.0.1 | 1.0.1 | Feb 15, 2018 | Ember.js 1.0.x before 1.0.1, 1.1.x before 1.1.3, 1.2.x before 1.2.1, 1.3.x before 1.3.1, and 1.4.x before 1.4.0-beta.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging an application that contains templates whose context is set to a user-supplie |
| CVE-2015-1866 | Med | 6.1 | | >= 1.10.0, < 1.10.1 | 1.10.1 | Sep 20, 2017 | Cross-site scripting (XSS) vulnerability in Ember.js 1.10.x before 1.10.1 and 1.11.x before 1.11.2. |
| CVE-2015-7565 | Med | 6.1 | | >= 1.8.0, < 1.11.4 | 1.11.4 | Apr 13, 2017 | Cross-site scripting (XSS) vulnerability in Ember.js 1.8.x through 1.10.x, 1.11.x before 1.11.4, 1.12.x before 1.12.2, 1.13.x before 1.13.12, 2.0.x before 2.0.3, 2.1.x before 2.1.2, and 2.2.x before 2.2.1 allows remote attackers to inject arbitrary web script or HTML. |
| CVE-2014-0046 | — | | | >= 1.2.0, < 1.2.2 | 1.2.2 | Feb 27, 2014 | Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title attribute. |