// For flags

CVE-2019-14862

knockout: Cross-site Scripting (XSS) attacks due to not escaping the name attribute.

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.

Hay una vulnerabilidad en knockout versiones anteriores a la versión 3.5.0-beta, donde después de escapar del contexto de la aplicación web, la aplicación web entrega datos a sus usuarios junto con otro contenido dinámico seguro, sin comprobarlo.

Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. This release of Red Hat Decision Manager 7.5.1 serves as an update to Red Hat Decision Manager 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a cross site scripting vulnerability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-02-03 First Exploit
  • 2019-08-10 CVE Reserved
  • 2019-12-03 CVE Published
  • 2024-08-05 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Knockoutjs
Search vendor "Knockoutjs"
 Knockout
Search vendor "Knockoutjs" for product "Knockout"
 <= 3.4.2
Search vendor "Knockoutjs" for product "Knockout" and version " <= 3.4.2"
-
Affected
Redhat
Search vendor "Redhat"
 Decision Manager
Search vendor "Redhat" for product "Decision Manager"
 7.0
Search vendor "Redhat" for product "Decision Manager" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Process Automation
Search vendor "Redhat" for product "Process Automation"
 7.0
Search vendor "Redhat" for product "Process Automation" and version "7.0"
-
Affected
Oracle
Search vendor "Oracle"
 Business Intelligence
Search vendor "Oracle" for product "Business Intelligence"
 5.5.0.0.0
Search vendor "Oracle" for product "Business Intelligence" and version "5.5.0.0.0"
enterprise
Affected
Oracle
Search vendor "Oracle"
 Business Intelligence
Search vendor "Oracle" for product "Business Intelligence"
 12.2.1.3.0
Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0"
enterprise
Affected
Oracle
Search vendor "Oracle"
 Business Intelligence
Search vendor "Oracle" for product "Business Intelligence"
 12.2.1.4.0
Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0"
enterprise
Affected
Oracle
Search vendor "Oracle"
 Goldengate
Search vendor "Oracle" for product "Goldengate"
 12.3.0.1.2
Search vendor "Oracle" for product "Goldengate" and version "12.3.0.1.2"
-
Affected