Merge pull request #5941 from zapbot/retirejs-update

retire.js Update 2024-11-24
zaproxy · Nov 24, 2024 · 1f916d5 · 1f916d5
2 parents 3ea00b7 + 19245b1
commit 1f916d5
Showing 1 changed file with 39 additions and 18 deletions.
diff --git a/addOns/retire/src/main/resources/org/zaproxy/addon/retire/resources/jsrepository.json b/addOns/retire/src/main/resources/org/zaproxy/addon/retire/resources/jsrepository.json
@@ -2623,6 +2623,23 @@
           "https://github.com/dojo/dojo/pull/307"
         ]
       },
+      {
+        "below": "1.2.0",
+        "severity": "medium",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim's browser.",
+          "CVE": [
+            "CVE-2015-5654"
+          ],
+          "githubID": "GHSA-p82g-2xpp-m5r3"
+        },
+        "info": [
+          "https://nvd.nist.gov/vuln/detail/CVE-2015-5654"
+        ]
+      },
       {
         "atOrAbove": "1.2",
         "below": "1.2.4",
@@ -2717,23 +2734,6 @@
           "https://github.com/dojo/dojo/pull/307"
         ]
       },
-      {
-        "below": "1.9.1",
-        "severity": "medium",
-        "cwe": [
-          "CWE-79"
-        ],
-        "identifiers": {
-          "summary": "Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim's browser.",
-          "CVE": [
-            "CVE-2015-5654"
-          ],
-          "githubID": "GHSA-p82g-2xpp-m5r3"
-        },
-        "info": [
-          "https://nvd.nist.gov/vuln/detail/CVE-2015-5654"
-        ]
-      },
       {
         "atOrAbove": "1.10.0",
         "below": "1.10.10",
@@ -5214,6 +5214,27 @@
           "https://github.com/advisories/GHSA-4p24-vmcr-4gqj"
         ]
       },
+      {
+        "atOrAbove": "1.4.0",
+        "below": "3.4.1",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes",
+          "CVE": [
+            "CVE-2024-6485"
+          ],
+          "githubID": "GHSA-vxmc-5x29-h64v"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-vxmc-5x29-h64v",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-6485",
+          "https://github.com/twbs/bootstrap",
+          "https://www.herodevs.com/vulnerability-directory/cve-2024-6485"
+        ]
+      },
       {
         "atOrAbove": "3.0.0",
         "below": "3.4.1",
@@ -6401,7 +6422,7 @@
       },
       {
         "below": "3.8.0",
-        "severity": "high",
+        "severity": "medium",
         "cwe": [
           "CWE-22"
         ],