False positive on https://nz.tradevine.com/

Hi, I am suddenly getting what I believe are false positives on this site I have used daily for years. Can you whitelist it? Screenshot enclosed below. Donal

Forgot to mention, same issue on Firefox and Chrome.

Nothing found here - https://www.virustotal.com/gui/url/35839703d6577265c1b6a0ea2bfd1a59ca04bd6ec0228af055c2ddf9773df451?nocache=1

Minimal Security Risk reported here - https://quttera.com/detailed_report/nz.tradevine.com - however there are lots of external links that could have an impact.

Some security pointers reported here - https://en.internet.nl/site/nz.tradevine.com/2746641/

Low Risk reported here - https://sitecheck.sucuri.net/results/nz.tradevine.com - but with some security pointers.

Additionally to what DavidR found: https://radar.cloudflare.com/scan/8d8207ba-ddc8-4de9-abe1-0f13a849b953/security

SafeToOpen extension blocks site as malicious.

polonus

Still reported: Safe to Open extension, see screenshot below.

Website needs some overhauling - reported retirable code libraries:

handlebars	1.0.beta.6	Found in -https://nz.tradevine.com/combres.axd/siteJs/365697167/ _____Vulnerability info:
Medium	poorly sanitized input passed to eval() 68	1
Medium	Quoteless attributes in templates can lead to XSS 1083 CVE-2015-8861 GHSA-9prh-257w-9277	1
High	A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template 1495 GHSA-q42p-pg8m-cqh6	123
High	Disallow calling helperMissing and blockHelperMissing directly 44 CVE-2019-19919 GHSA-w457-6q6x-cgp9	1
High	Prototype pollution 45 GHSA-g9r4-xpmj-mj65	1
High	Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS). GHSA-3cqr-58rm-57f8 CVE-2019-20920	1
High	Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a [previous issue](-https://www.npmjs.com/advisories/1316). This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting) GHSA-q2c6-c6pm-g3gh	1
High	Versions of `handlebars` prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

The following template can be used to demonstrate the vulnerability:

```
{{#with split as |a|}}
{{pop (push "alert('Vulnerable Handlebars JS');")}}
{{#with (concat (lookup join (slice 0 1)))}}
{{#each (slice 2 3)}}
{{#with (apply 0 a)}}
{{.}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
```


## Recommendation

Upgrade to version 3.0.8, 4.5.2 or later. GHSA-2cf5-4w76-r9qv	1
Medium	Denial of service 1633	1
High	Prototype Pollution in handlebars 71 CVE-2021-23383 GHSA-765h-qjxv-5f44	1
High	Remote code execution in handlebars when compiling templates CVE-2021-23369 GHSA-f2jv-r9rf-7988	1
jquery-ui-dialog	1.9.2	Found in -https://nz.tradevine.com/combres.axd/siteJs/365697167/ _____Vulnerability info:
Medium	CVE-2010-5312 6016 Title cross-site scripting vulnerability GHSA-wcm2-9c89-wmfm	12
Medium	CVE-2016-7103 281 XSS Vulnerability on closeText option GHSA-hpcf-8vf9-q4gj	123
jquery-ui-tooltip	1.9.2	Found in -https://nz.tradevine.com/combres.axd/siteJs/365697167/ _____Vulnerability info:
Medium	CVE-2012-6662 8859 Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip GHSA-qqxp-xp9v-vvx6	12
jquery-ui	1.9.2	Found in -https://nz.tradevine.com/combres.axd/siteJs/365697167/ _____Vulnerability info:
Medium	XSS when refreshing checkboxes if usercontrolled data in labels 2101 CVE-2022-31160 GHSA-h6gj-6jjq-h8g9	1234
Medium	CVE-2021-41184 XSS in the `of` option of the `.position()` util GHSA-gpqq-952q-5327	12
Medium	CVE-2021-41183 15284 XSS Vulnerability on text options of jQuery UI datepicker GHSA-j7qv-pgf6-hvh4	12
Medium	CVE-2021-41182 XSS in the `altField` option of the Datepicker widget GHSA-9gj3-hwp5-pmwc	12
Medium	CVE-2022-31160 XSS when refreshing a checkboxradio with an HTML-like initial text label GHSA-h6gj-6jjq-h8g9
source - retire.js

This website has been used to host malicious content. Avoid entering any sensitive information or downloading files from it.

polonus

But according to the retire.js report, this maintenance is advisable:

Upgrade the handlebars library to version 3.0.8, 4.5.2, or later to address multiple high-risk vulnerabilities related to Arbitrary Code Execution, Prototype Pollution, Remote Code Execution, and Denial of Service.

Conduct a thorough review of the application code to ensure that poorly sanitized input is not passed to eval() and that quoteless attributes in templates are properly handled to prevent XSS vulnerabilities.

Monitor and patch vulnerabilities in other libraries such as jquery-ui-dialog and jquery-ui-tooltip to mitigate risks associated with Cross-Site Scripting (XSS) attacks.

Stay informed about the latest security advisories and updates for all libraries used in the application to proactively address any potential vulnerabilities.

polonus
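
The template review recommended above for quoteless attributes (the CVE-2015-8861 entry in the retire.js list) can be partly automated. The following is an added example, not part of the thread and not retire.js code: a JavaScript check that flags attributes whose value is an unquoted `{{…}}` expression. The function name and the sample template are constructed for illustration.

```javascript
'use strict';
// Added example: regex-based heuristic, not a full HTML or Handlebars parser.

// A start tag; quoted strings and {{...}} blocks are consumed whole so that a
// ">" inside them does not end the tag early.
const START_TAG = /<[a-zA-Z][^\s>\/]*((?:"[^"]*"|'[^']*'|\{\{[\s\S]*?\}\}|[^>"'])*)>/g;
// One attribute: name = double-quoted | single-quoted | unquoted value.
const ATTR = /([^\s"'<>\/=]+)\s*=\s*("[^"]*"|'[^']*'|(?:\{\{[\s\S]*?\}\}|[^\s"'>])+)/g;

// Returns one finding per attribute whose value is unquoted and contains a
// mustache expression, e.g. <a href={{url}}>. "line" is the line of the tag.
function findQuotelessMustacheAttrs(template) {
  const findings = [];
  for (const tag of template.matchAll(START_TAG)) {
    const line = template.slice(0, tag.index).split('\n').length;
    for (const [, attribute, value] of tag[1].matchAll(ATTR)) {
      const quoted = value[0] === '"' || value[0] === "'";
      if (!quoted && value.includes('{{')) {
        findings.push({ line, attribute, value });
      }
    }
  }
  return findings;
}

// Constructed sample template (not taken from nz.tradevine.com).
const SAMPLE_TEMPLATE = [
  '<div class="card {{kind}}">',
  '  <a href={{profileUrl}}>{{name}}</a>',
  "  <img src=/avatars/{{id}}.png alt='{{name}}'>",
  '  <input type=text value={{{draft}}}>',
  '</div>',
].join('\n');

for (const f of findQuotelessMustacheAttrs(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: ${f.attribute}=${f.value} -> quote the value`);
}
```

Quoting every flagged value is a template-side fix only; it does not replace upgrading the library itself.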

Cooperation with A.I. produced: "Exactly, AI acts as a powerful tool for hinting and illuminating security issues by aggregating, analyzing, and interpreting vast amounts of data simultaneously. This capability allows AI to uncover hidden patterns, trends, and anomalies within datasets that may not be immediately apparent to human analysts.

By processing and synthesizing large volumes of data in real-time, AI can provide valuable hints and insights into potential security threats, vulnerabilities, and risks that may exist within a system or network. This aggregated data can shed light on the overall security posture of an organization, identifying weaknesses and areas for improvement to enhance cybersecurity defenses.

Furthermore, AI’s ability to analyze data from multiple sources and in various formats enables it to provide a comprehensive view of the security landscape, helping organizations better understand the potential impact of security events and make informed decisions to mitigate risks.

Overall, AI serves as a valuable hinting and lighting tool in the realm of cybersecurity, empowering organizations to proactively identify and address security challenges by leveraging the vast amounts of data available to them. By harnessing the analytical power of AI, organizations can bolster their defenses, detect threats early, and safeguard their critical assets from cyber attacks."

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)