CVE-2016-10552 — Resources Downloaded over Insecure Protocol in igniteui

描述

Affected versions of `igniteui` download Javascript and CSS resources over an unencrypted HTTP connection. An attacker with a privileged network position can intercept and view or modify any content sent or recieved over an unencrypted HTTP connection. ## Recommendation The `igniteui` package has been deprecated by the package author and now exists under [`ignite-ui`](https://preview.npmjs.com/package/ignite-ui), which should be used in place of this package.

如何修補 CVE-2016-10552

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

—未列出修補版本

CVE-2016-10552 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, <= 0.0.5

參考連結(3)

ADVISORYgithub.com/advisories/GHSA-2r5h-gh4x-8hp9
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10552
WEBwww.npmjs.com/advisories/116