Platform
ruby
Component
ember-source
Fixed in
1.2.2
CVE-2014-0046 describes a Cross-Site Scripting (XSS) vulnerability discovered in Ember.js, a JavaScript framework. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML into a user's browser. The issue affects versions of Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6. A fix is available in versions 1.2.2 and later.
Successful exploitation of CVE-2014-0046 can lead to a variety of malicious outcomes. An attacker could inject JavaScript that steals user cookies, redirects users to phishing sites, or defaces the web application. The impact is particularly severe in applications that handle sensitive user data or perform critical operations. Because the vulnerability resides in the link-to helper, any application using this helper is potentially vulnerable. The payload is delivered through the title attribute of the helper, so it bypasses typical input sanitization unless that sanitization also covers this attribute.
CVE-2014-0046 was published on August 28, 2018. While no widespread active exploitation campaigns have been definitively linked to this specific CVE, XSS vulnerabilities are consistently targeted by attackers. There are publicly available proof-of-concept (POC) exploits demonstrating the vulnerability's impact. This CVE is not currently listed on CISA KEV or EPSS, suggesting a low to medium probability of exploitation given its age and the availability of a straightforward fix.
Exploit status
EPSS
0.43% (63rd percentile)
The primary mitigation for CVE-2014-0046 is to upgrade to a patched version of Ember.js, specifically version 1.2.2 or later. If upgrading is not immediately feasible, consider implementing stricter input validation and output encoding on the title attribute of the link-to helper. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Reviewing and hardening the application's overall security posture, including implementing Content Security Policy (CSP), is also recommended to reduce the attack surface.
No official patch available. Check for workarounds or monitor for updates.
CVE-2014-0046 is a Cross-Site Scripting (XSS) vulnerability affecting Ember.js versions 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6. It allows attackers to inject scripts via the title attribute in the link-to helper.
You are affected if your application uses Ember.js versions 1.2.x before 1.2.2, 1.3.x before 1.3.2, or 1.4.x before 1.4.0-beta.6. Check your Ember.js version using npm list ember.
Upgrade to Ember.js version 1.2.2 or later. If upgrading is not possible, implement stricter input validation and output encoding on the title attribute.
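The two checks above (is my ember-source version in the affected range, and is the title value output-encoded) as an added example; this is illustrative code written for this page, not part of Ember.js or of the advisory. The function names and the treatment of pre-release tags other than "beta" (counted as outside the stated range) are assumptions.

```javascript
// Added example, not Ember.js code: version-range check for CVE-2014-0046 plus
// HTML attribute encoding for values placed in link-to's title attribute.

// Parses "1.4.0-beta.6" or "1.2.1" into numeric parts; other shapes are rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/i.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return {
    major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]),
    pre: m[4] ? { tag: m[4].toLowerCase(), n: Number(m[5]) } : null,
  };
}

// Returns true when the version falls in the ranges the advisory names:
// 1.2.x before 1.2.2, 1.3.x before 1.3.2, 1.4.x before 1.4.0-beta.6.
function isAffectedEmberVersion(v) {
  const p = parseVersion(v);
  if (p.major !== 1) return false;
  if (p.minor === 2) return p.patch < 2;
  if (p.minor === 3) return p.patch < 2;
  if (p.minor === 4) {
    // Only 1.4.0 beta pre-releases numbered below 6 are in range; the
    // 1.4.0 final release and later 1.4.x patches are not.
    return p.patch === 0 && p.pre !== null && p.pre.tag === 'beta' && p.pre.n < 6;
  }
  return false;
}

// Output encoding for an HTML attribute value: every character that could
// close the attribute or start markup is replaced with an entity.
function escapeHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample input: a title taken from untrusted data.
const untrustedTitle = 'Profile" onmouseover="alert(1)';
console.log(isAffectedEmberVersion('1.4.0-beta.5')); // true
console.log(`title="${escapeHtmlAttribute(untrustedTitle)}"`);
```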
While no widespread active campaigns are definitively linked, XSS vulnerabilities are frequently targeted. Public POCs exist, indicating potential for exploitation.
Refer to the Ember.js security advisories and release notes for details: https://discuss.emberjs.com/t/ember-js-security-advisories/13283