OSS Index Helpclose
An open index of open source

 Welcome to the Bower Start Page

Posted by OSS-Index on May 21, 2016

Quick access to Bower auditing tools, search, and recent bower activity on OSS Index.

 Recent news...

Bower package vulnerability: libxmljs

[Dependency] Embedded dependency has multiple vulnerabilities
Wed Aug 02 20:15:47 EDT 2017

A vulnerable version of libxml2 is embedded within this package.

Bower package vulnerability: jstree

Cross Site Scripting (XSS)
Wed Aug 02 18:53:48 EDT 2017

> When using inline HTML to populate the tree, if the nodes contain HTML entities, the node text will contain those entities even though they aren't rendered. > > – github.com

Bower package vulnerability: dompurify

Cross Site Scripting (XSS)
Mon Jul 31 20:34:06 EDT 2017

It is possible to avoid the attribute name whitelist, allowing the setting of arbitrary javascript attributes.

Bower package vulnerability: m2m-supervisor

[Unconfirmed] Possible code execution
Sun Jul 30 21:19:47 EDT 2017

Possible arbitrary code execution is possible if unvalidated input is executed by the eval function.

Bower package vulnerability: agGrid

Cross Site Scripting (XSS)
Sun Jul 30 20:42:44 EDT 2017

With a column definition like: {headerName: "Name", field: "name"} a user can enter a name such as <span onclick="alert('hacked!')">John Smith</span> and effectively initiate a cross-site scripting attack.

Bower package vulnerability: ngDialog

Denial of Service (DoS)
Sun Jul 30 15:42:53 EDT 2017

> [Open] a dialog that has a custom listener for ngdialog.closing event: inside the listener we do a ui-router state reload $state.reload. > > This cause an infinite loop and makes your browser hang: Chrome, Safari

Bower package vulnerability: ljharb-qs

Prototype override protection bypass
Sun Jul 30 15:13:24 EDT 2017

A prototype override protection bypass is possible, which allows attackers to overwrite properties and functions. A previous solution for the problem is incomplete.

Bower package vulnerability: expressjs

Infinite Loop Caused By Undefined Status Code
Sun Jul 30 14:50:16 EDT 2017

An infinite error loop is caused when res.send(status) is undefined.

Bower package vulnerability: kelektiv-uuid

Insufficiently Random Values
Sun Jul 30 10:41:56 EDT 2017

This package uses math.random, which is insufficient for security purposes.

Bower package vulnerability: ejs.co

Remoter Code Execution
Sun Jul 30 10:21:46 EDT 2017

A remote code execution vulnerability was identified in this package for versions prior to 2.5.3

Package auditing tools

 Bower [DevAudit]