Hippo CMS / CMS-15097

Moment vulnerability

Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • 13.4.17, 14.7.6, 15.0.0
    • 13.4.18, 14.7.8, 15.1.0
    • None
    • None
    • 0
    • Quasar
    • Team Quasar Sprint 288

    Description

      File Path: /var/lib/jenkins/workspace/xm_dependency-check_release_15.1/enterprise/targeting/frontend-api/package-lock.json?moment

       

      NPM-1069972

       

      ### Impact

      This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. `fr`, is directly used to switch the moment locale.

      ### Patches

      This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

      ### Workarounds

      Sanitize the user-provided locale name before passing it to moment.js.

      ### References

      Are there any links users can visit to find out more?

      ### For more information

      If you have any questions or comments about this advisory:

      * Open an issue in [moment repo](https://github.com/moment/moment)

      Unscored:

      • Severity: high

      References:

       

      Vulnerable Software & Versions (NPM):

      • cpe:2.3:a::moment:\<2.29.2:::::::

          People

            dhachok Dmytro Hachok
            dhachok Dmytro Hachok