Affected versions of backbone are vulnerable to cross-site scripting when users are allowed to supply input to the Model#Escape function, and the output is then written to the DOM.
The vulnerability occurs because the regular expression used to encode metacharacters fails to take HTML entities such as < into account.
Update to version 0.5.0 or later.
Advisory published: May 23rd, 2016
Initial report by Unknown: May 5th, 2016