CVE-2019-14862

CWE-79 — Cross-site Scripting (XSS)11 documents8 sources

Severity

6.1MEDIUM

EPSS

0.2%

top 53.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Knockoutjs Knockout RED HAT Knockout Oracle Business Intelligence +3 more

Timeline

PublishedJan 2

Latest updateApr 15

Description

There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages8 packages

▶npmknockout< 3.5.0

▶Debiannode-knockout< 3.4.2-3+3

▶NVDknockoutjs/knockout3.4.2

▶CVEListV5red_hat/knockoutall knockout versions before 3.5.0-beta

▶NVDoracle/goldengate12.3.0.1.2

Patches

Patch: bugzilla.redhat.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

XSS in knockout↗2020-04-01

▶

GHSA

XSS in knockout↗2020-04-01

▶

OSV

CVE-2019-14862: There is a vulnerability in knockout before version 3↗2020-01-02

▶

CVEList

CVE-2019-14862: There is a vulnerability in knockout before version 3↗2020-01-02

▶

📋Vendor Advisories

Oracle

Oracle Oracle GoldenGate Risk Matrix: Internal Framework (Knockout) — CVE-2019-14862↗2022-04-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Analytics Server (Knockout) — CVE-2019-14862↗2021-01-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: BI Platform Security (Knockout) — CVE-2019-14862↗2020-07-15

▶

Red Hat

knockout: Cross-site Scripting (XSS) attacks due to not escaping the name attribute.↗2019-10-15

▶

Debian

CVE-2019-14862: node-knockout - There is a vulnerability in knockout before version 3.5.0-beta, where after esca...↗2019

▶

💬Community

Bugzilla

CVE-2019-14862 knockout: Cross-site Scripting (XSS) attacks due to not escaping the name attribute.↗2019-10-21

▶