Witam WebHMI,
Good to report this issue and then get a final verdict from avast team, whether this is indeed an FP.
Also consider there are at least two more vendors that flag that website as malicious:
https://www.virustotal.com/gui/url/58d860b4ea97461b9ac8489264fd0b7c7fa33e0319049667167dd73f982082cbHowever the following retire.js library issues should be looked into:
bootstrap 3.3.7 Found in -https://level2.webhmi.com.ua/public/js/libs/bootstrap.js?85a31cf4 _____Vulnerability info:
Medium 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331 1
Medium 20184 XSS in data-target property of scrollspy CVE-2018-14041
Medium 20184 XSS in collapse data-parent attribute CVE-2018-14040
Medium 20184 XSS in data-container property of tooltip CVE-2018-14042
Medium XSS is possible in the data-target attribute. CVE-2016-10735
handlebars 4.0.11 Found in -https://level2.webhmi.com.ua/public/js/main.js?0952e4e0 _____Vulnerability info:
High A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template
High A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template
Low Disallow calling helperMissing and blockHelperMissing directly
Medium Prototype pollution
jquery 1.10.2.min Found in -https://level2.webhmi.com.ua/assets/js/vendor/jquery-1.10.2.min.js _____Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Medium CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution 123
Medium CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Medium CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
moment.js 2.15.1 Found in -https://level2.webhmi.com.ua/public/js/libs/moment.js?6a270a2f _____Vulnerability info:
Medium Regular Expression Denial of Service (ReDoS)
Low Regular Expression Denial of Service (ReDoS) CVE-2017-18214
pozdrawiam,
polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)