Practical Security Guides For Your Team

Your application uses an outdated version of Lodash, a very common JavaScript helper library. This version has a flaw that could allow someone to corrupt core JavaScript functionality in your app, potentially causing it to crash or behave unexpectedly. A fix is available and is a straightforward upgrade.

Your application uses an outdated version of a popular JavaScript helper library called Lodash. This version has a known weakness where a malicious user can send specially crafted text input that causes the server to get stuck processing it — like a tongue-twister that freezes a voice assistant. The fix is a straightforward library update.

Your website uses an outdated version of React (a popular tool for building web pages) that has a known security flaw. If your site generates pages on the server and allows user input to influence how those pages are built, an attacker could inject malicious code that runs in your visitors' browsers. This only affects server-rendered React apps — if your site is purely client-side, you are not at risk.

Your website uses an old version of jQuery (a common JavaScript tool) that has a known security flaw. If your site processes any HTML content from users or external sources, that content could contain hidden instructions that run automatically — without any warning. Upgrading jQuery to a modern version closes this gap.

Your website uses AngularJS 1.x, an old JavaScript framework that was officially retired in early 2022 and will never receive security updates again. A known flaw in this version can allow malicious scripts to run in a visitor's browser under specific conditions. Because the framework is no longer maintained, this particular vulnerability has no official patch — the real fix is to plan a migration to a modern framework.

Your website has a security header called a Content Security Policy (CSP) — think of it like a bouncer that controls which scripts are allowed to run on your pages. Right now, two settings in that policy ('unsafe-inline' and 'unsafe-eval') are telling the bouncer to let almost anyone in, which largely defeats the purpose of having one. This is a defence layer that isn't doing its job properly, not an active attack.

Your application is using an old version of Moment.js, a popular tool for handling dates and times. This version has a known weakness: if someone sends it a very long, specially crafted piece of text, it can cause your app to freeze or become unresponsive while it tries to process it. Think of it like a lock that jams when you insert a bent key — the door stops working for everyone until the jam clears.

Your website uses an outdated version of jQuery (3.3.1), a popular JavaScript library. This version has a known flaw that could allow an attacker to tamper with how your web pages behave — but only if they can first get crafted data into a specific part of your site. Think of it like a faulty lock on an internal door: it's worth replacing, but someone still needs to get through the front door first.

Your server's SSH service — the secure tunnel used for remote administration — is configured with encryption options that have a known flaw. An attacker positioned between your server and a connecting administrator (for example, on the same network) could quietly weaken that tunnel during the initial handshake, potentially stripping away some security protections before either side notices. Think of it like a tampered lock that looks fine from the outside but is slightly easier to pick.

Your web server is compressing responses using gzip or Brotli, which is a common performance feature. However, a known attack technique called BREACH can exploit this compression to gradually piece together sensitive data — like login tokens or session cookies — from your encrypted traffic. Importantly, this only becomes a real risk if your site also reflects user input and serves secrets (like security tokens) in the same page response.

Your website uses an outdated version of Bootstrap — a popular design toolkit used by millions of websites. The version in use has a known flaw in its collapsible panel feature that could allow someone to inject malicious code into your pages if they can influence the content on your site. This is a medium-priority issue: it requires specific conditions to exploit, but it is a well-documented vulnerability with a straightforward fix.

Your website can be visited over plain HTTP (unencrypted), and it doesn't automatically send visitors to the secure HTTPS version. Any user who lands on an HTTP link — from an old email, a bookmark, or a mistyped URL — will have their connection left unprotected. Think of it like a shop that has a secure back entrance but leaves the front door unlocked with no sign pointing visitors to the right way in.