detain / consolo

10.0 3.0 0.0 54.11 MB

🎮ConSolo🕹 is a ROM-matching tool and a collection of general emulation-related goodness. It aims to support information from more sites, software, formats, etc. than anything else out there. It's still early in development, so the scope and direction aren't very solidified yet.

License: GNU General Public License v3.0

PHP 67.05% Shell 0.29% HTML 6.09% CSS 1.67% JavaScript 14.35% SCSS 0.28% Pug 0.29% Twig 9.96% Makefile 0.01%
Topics: console, emulation, roms, frontend

consolo's Introduction

🎮ConSolo🕹

from ROMs to Installed Populated Emulators and Frontends in under 12 parsecs!

Scrapes emulator/ROM/platform/etc. info from multiple sources (No-Intro, TOSEC, Redump, MAME, GamesDb, etc.), intelligently matches up your media to figure out what you have, and writes out configuration files for various frontends/emulators/tools such as LaunchBox, HyperSpin, RocketLauncher, RetroArch, MAMEUI, etc. It maintains a list of most emulators and how to use each one, allowing automated, quick installs of anywhere from one to every emulator/ROM tool. Pluggable/extensible architecture and a central repo of user-submitted plugins.

Currently it's a mass of scripts loosely tied together, and development will be focused on a clean interface. Several UIs are planned, although it's too soon to tell whether they'll ever get finished, including a web UI that works the same way but incorporates browser-based emulators.

Screenshot

Dev Links

  • FieldsLinker
  • linksMaker
  • detain/emurelation: Emu⬅re➡lation is a project with one simple purpose: to provide a JSON mapping of platforms across different sources. Many programs and sites use varied naming conventions, and this aims to give you an easy way to convert or map the data from one type to another. It will eventually expand to include emulators, games, etc., but for now the initial focus is simply platform matching across all sources.
  • detain/emurelator: maps and links your games, media, etc. into the names and layout needed by the target.

API Code to look at for other sources

Features

Automatic Discovery and Importing of Updating Data Sources

  • Data Sources
    • MAME - platforms, rom lists
    • LaunchBox - platforms
    • No-Intro DATs - platforms, rom lists
    • Redump DATs - platforms, rom lists
    • TOSEC DATs - platforms, rom lists
    • GoodTools - platforms, rom lists
    • emuControlCenter - rom lists
    • emuDownloadCenter - platforms, emulators
    • TheGamesDB.net - platforms, games, publishers, developers

consolo's People

Contributors

detain, mend-bolt-for-github[bot]


consolo's Issues

CVE-2022-46161 (High) detected in pdfmake-0.2.6.tgz - autoclosed

CVE-2022-46161 - High Severity Vulnerability

Vulnerable Library - pdfmake-0.2.6.tgz

Client/server side PDF printing in pure JavaScript

Library home page: https://registry.npmjs.org/pdfmake/-/pdfmake-0.2.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pdfmake/package.json

Dependency Hierarchy:

  • pdfmake-0.2.6.tgz (Vulnerable Library)

Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924

Found in base branch: master

Vulnerability Details

pdfmake is an open source client/server side PDF printing in pure JavaScript. In versions up to and including 0.2.5 pdfmake contains an unsafe evaluation of user controlled input. Users of pdfmake are thus subject to arbitrary code execution in the context of the process running the pdfmake code. There are no known fixes for this issue. Users are advised to restrict access to trusted user input.

Publish Date: 2022-12-06

URL: CVE-2022-46161

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.


Step up your Open Source Security Game with Mend here

CVE-2019-11358 (Medium) detected in jquery-2.2.4.min.js - autoclosed

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.2.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js

Path to dependency file: /public/FieldsLinker/v0.80/index.html

Path to vulnerable library: /public/FieldsLinker/v0.80/index.html

Dependency Hierarchy:

  • jquery-2.2.4.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0



CVE-2022-29248 (High) detected in guzzlehttp/guzzle-dev-master - autoclosed

CVE-2022-29248 - High Severity Vulnerability

Vulnerable Library - guzzlehttp/guzzle-dev-master

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ca5c743d20730d1a129a9ee04cbe854df7304b96

Dependency Hierarchy:

  • guzzlehttp/guzzle-dev-master (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

Publish Date: 2022-05-25

URL: CVE-2022-29248

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248

Release Date: 2022-05-25

Fix Resolution: guzzlehttp/guzzle - 6.5.6,guzzlehttp/guzzle - 7.4.3



CVE-2023-26116 (Medium) detected in angular-1.8.0.min.js

CVE-2023-26116 - Medium Severity Vulnerability

Vulnerable Library - angular-1.8.0.min.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.min.js

Path to dependency file: /public/folder-list.html

Path to vulnerable library: /public/folder-list.html

Dependency Hierarchy:

  • angular-1.8.0.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Publish Date: 2023-03-30

URL: CVE-2023-26116

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low




CVE-2020-28500 (Medium) detected in lodash-4.17.12-pre.js, lodash-4.17.12-pre.min.js - autoclosed

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-4.17.12-pre.js, lodash-4.17.12-pre.min.js

lodash-4.17.12-pre.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.js

Path to dependency file: /public/vuetify-list-collapse/dist/index.html

Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html

Dependency Hierarchy:

  • lodash-4.17.12-pre.js (Vulnerable Library)

lodash-4.17.12-pre.min.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.min.js

Path to dependency file: /public/tree-menu-vue-component-vuetify-treeview/src/index.html

Path to vulnerable library: /public/tree-menu-vue-component-vuetify-treeview/src/index.html

Dependency Hierarchy:

  • lodash-4.17.12-pre.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21
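The report above names trim and trimEnd because the pre-4.17.21 lodash implementation used an end-anchored whitespace regex, which is quadratic on a long run of spaces followed by a non-space character; the angular ReDoS reports on this page are the same class of bug with different regexes. The following is an added example, not code from consolo or lodash: it uses a stand-in regex that has the same shape as the vulnerable one (assumption: a simplified version, not lodash's exact expression), a linear replacement of the kind lodash shipped in 4.17.21, and a timing comparison on constructed hostile input.

```javascript
// Added example (not lodash or consolo code): quadratic regex trimEnd vs. a linear loop.

// Stand-in for the vulnerable whitespace regex. On input "<n spaces>x" the engine
// starts at each of the n positions, consumes the remaining spaces, fails on "x",
// backtracks one space at a time, then advances the start: O(n^2) steps overall.
const reTrimEnd = /\s+$/;

function trimEndRegex(s) {
  return s.replace(reTrimEnd, '');
}

// Linear alternative: one backwards pass, each character tested exactly once.
function trimEndLinear(s) {
  let end = s.length;
  while (end > 0 && /\s/.test(s[end - 1])) end -= 1;
  return s.slice(0, end);
}

// Constructed hostile input: many spaces that are NOT trailing, because a
// non-space character follows them, so a correct trimEnd returns it unchanged.
function hostileInput(n) {
  return ' '.repeat(n) + 'x';
}

function now() {
  return typeof performance !== 'undefined' ? performance.now() : Date.now();
}

// Returns wall-clock milliseconds for both implementations on hostileInput(n)
// and whether they produced the same result.
function compare(n) {
  const input = hostileInput(n);
  let t = now();
  const viaRegex = trimEndRegex(input);
  const regexMs = now() - t;
  t = now();
  const viaLoop = trimEndLinear(input);
  const linearMs = now() - t;
  return { n, regexMs, linearMs, agree: viaRegex === viaLoop };
}

// Doubling n roughly quadruples the regex time; the loop stays flat.
for (const n of [1000, 4000, 8000]) {
  const r = compare(n);
  console.log(`n=${r.n} regex=${r.regexMs.toFixed(1)}ms linear=${r.linearMs.toFixed(1)}ms same=${r.agree}`);
}
```

The lesson generalises: any regex that can match the same run of characters starting from many positions and then fail at the end is a denial-of-service lever when the input is attacker-controlled, and the fix is either a single-pass scan like the loop above or a hard input-length cap before the regex runs.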



CVE-2020-7676 (Medium) detected in angular-1.6.1.min.js - autoclosed

CVE-2020-7676 - Medium Severity Vulnerability

Vulnerable Library - angular-1.6.1.min.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.min.js

Path to dependency file: /public/folder-list.html

Path to vulnerable library: /public/folder-list.html

Dependency Hierarchy:

  • angular-1.6.1.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.

Publish Date: 2020-06-08

URL: CVE-2020-7676

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7676

Release Date: 2020-10-09

Fix Resolution: 1.8.0

CVE-2020-11022 (Medium) detected in jquery-1.7.1.min.js - autoclosed

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /vendor/masterminds/html5/test/benchmark/example.html

Path to vulnerable library: /vendor/masterminds/html5/test/benchmark/example.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0



CVE-2020-8203 (High) detected in lodash-4.17.12-pre.js - autoclosed

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.12-pre.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.js

Path to dependency file: /public/vuetify-list-collapse/dist/index.html

Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html

Dependency Hierarchy:

  • lodash-4.17.12-pre.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution: lodash - 4.17.19



CVE-2020-7656 (Medium) detected in jquery-1.7.1.min.js - autoclosed

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /vendor/masterminds/html5/test/benchmark/example.html

Path to vulnerable library: /vendor/masterminds/html5/test/benchmark/example.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0
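The report above describes a blocklist failure: the old load method removed script blocks with a regex that only recognised the literal closing tag, while browsers also accept whitespace before the ">" of an end tag. The following is an added example, not jQuery's code nor consolo's: a simplified regex-based script remover (assumption: a stand-in with the same fixed closing literal, not jQuery's exact expression), the evasion from the advisory, and the escaping approach that does not depend on enumerating dangerous markup.

```javascript
// Added example (not jQuery or consolo code): regex script stripping vs. escaping.

// Regex blocklist: removes <script>...</script> only when the closing tag is
// exactly "</script>". Stand-in for the vulnerable approach, not jQuery's regex.
const rscript = /<script\b[^>]*>[\s\S]*?<\/script>/gi;

function stripScriptsNaive(html) {
  return html.replace(rscript, '');
}

// Browsers accept whitespace before ">" in an end tag, so "</script >" still
// closes the element and the enclosed code runs; the regex above never saw it.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Escaping: untrusted text becomes inert text regardless of what tags it spells
// out. Use this (or a DOM textContent assignment) when the input is data, not markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Constructed samples: a well-formed script block and the evasion variant.
const NORMAL = '<p>hi</p><script>alert(1)</script>';
const EVASION = '<p>hi</p><script>alert(1)</script >';

// Reports, per sample, whether an executable script tag survives each approach.
function evaluate() {
  return {
    naiveNormal: containsScriptTag(stripScriptsNaive(NORMAL)),   // false: stripped
    naiveEvasion: containsScriptTag(stripScriptsNaive(EVASION)), // true: survives
    escapedEvasion: containsScriptTag(escapeHtml(EVASION)),      // false: rendered as text
  };
}

console.log(evaluate());
```

When markup genuinely has to be accepted from an untrusted source, the answer is a real HTML parser with an allowlist (a sanitizer library), never a regex: the parser, not a pattern, decides where an element ends.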



CVE-2018-3721 (Medium) detected in lodash-4.17.4.js - autoclosed

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.4.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.4/lodash.js

Path to dependency file: /public/vuetify-list-collapse/dist/index.html

Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html

Dependency Hierarchy:

  • lodash-4.17.4.js (Vulnerable Library)

Found in HEAD commit: 15cc9efdaeabeb85fb3c81374617aea9d4a54929

Found in base branch: master

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5
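This report, CVE-2019-11358 (jQuery.extend) and CVE-2020-8203 (_.zipObjectDeep) above all describe the same mechanism: a recursive merge that copies a key named __proto__ from attacker-controlled JSON walks into Object.prototype and writes there. The following is an added example, not code from consolo, jQuery or lodash: a minimal deep merge with the flaw, a hardened version, and a check that shows which one leaks a property onto every object in the process. The payload is constructed for the demonstration.

```javascript
// Added example (not lodash, jQuery or consolo code): prototype pollution via deep merge.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: copies every own key of `source`, including "__proto__".
// JSON.parse creates "__proto__" as an ordinary own property, but reading
// target["__proto__"] goes through the Object.prototype accessor and returns
// Object.prototype itself, so the recursion writes the attacker's keys onto it.
function deepMergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse prototype-reaching keys and only recurse into OWN plain
// objects on the target, never into anything reached through the prototype chain.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as it would arrive in a JSON request body.
const ATTACKER_JSON = '{"name":"rom.zip","__proto__":{"polluted":true}}';

// Merges the payload into a fresh object with `mergeFn` and reports whether an
// unrelated object now sees the injected property. Cleans up afterwards.
function pollutes(mergeFn) {
  const target = { name: 'default' };
  mergeFn(target, JSON.parse(ATTACKER_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('unsafe merge pollutes Object.prototype:', pollutes(deepMergeUnsafe)); // true
console.log('safe merge pollutes Object.prototype:', pollutes(deepMergeSafe));     // false
```

Skipping the three keys is the minimum; a stronger design creates result objects with Object.create(null) so there is no prototype to reach, and checks for unexpected inherited properties in whatever code reads configuration after a merge, which is where a polluted flag such as isAdmin actually does damage.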



CVE-2018-14040 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2018-14040 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /public/FieldsLinker/v0.80/index.html

Path to vulnerable library: /public/FieldsLinker/v0.80/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0



CVE-2022-25844 (High) detected in angular-1.8.0.min.js

CVE-2022-25844 - High Severity Vulnerability

Vulnerable Library - angular-1.8.0.min.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.min.js

Path to dependency file: /public/folder-list.html

Path to vulnerable library: /public/folder-list.html

Dependency Hierarchy:

  • angular-1.8.0.min.js (Vulnerable Library)

Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924

Found in base branch: master

Vulnerability Details

The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. Note: 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.

Publish Date: 2022-05-01

URL: CVE-2022-25844

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High




CVE-2020-11023 (Medium) detected in jquery-1.7.1.min.js - autoclosed

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /vendor/masterminds/html5/test/benchmark/example.html

Path to vulnerable library: /vendor/masterminds/html5/test/benchmark/example.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0



CVE-2024-27088 (Low) detected in es5-ext-0.10.62.tgz

CVE-2024-27088 - Low Severity Vulnerability

Vulnerable Library - es5-ext-0.10.62.tgz

ECMAScript extensions and shims

Library home page: https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.62.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • pdfmake-0.2.7.tgz (Root Library)
    • linebreak-1.1.1.tgz
      • brfs-2.0.2.tgz
        • static-module-3.0.4.tgz
          • scope-analyzer-2.1.2.tgz
            • es6-map-0.1.5.tgz
              • es5-ext-0.10.62.tgz (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into function#copy or function#toStringTokens may cause the script to stall. The vulnerability is patched in v0.10.63.

Publish Date: 2024-02-26

URL: CVE-2024-27088

CVSS 3 Score Details (0.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-27088

Release Date: 2024-02-26

Fix Resolution (es5-ext): 0.10.63

Direct dependency fix Resolution (pdfmake): 0.2.8



CVE-2023-26117 (Medium) detected in angular-1.8.0.min.js

CVE-2023-26117 - Medium Severity Vulnerability

Vulnerable Library - angular-1.8.0.min.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.min.js

Path to dependency file: /public/folder-list.html

Path to vulnerable library: /public/folder-list.html

Dependency Hierarchy:

  • angular-1.8.0.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Publish Date: 2023-03-30

URL: CVE-2023-26117

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low




CVE-2022-23614 (High) detected in twig/twig-2.x-dev - autoclosed

CVE-2022-23614 - High Severity Vulnerability

Vulnerable Library - twig/twig-2.x-dev

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/c953a77b23d10c47d2b7e5ad0d062e690bd647c9

Dependency Hierarchy:

  • twig/twig-2.x-dev (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Twig is an open source template language for PHP. When in a sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the sort filter as is the case for some other filters. Users are advised to upgrade.

Publish Date: 2022-02-04

URL: CVE-2022-23614

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-23614

Release Date: 2022-02-04

Fix Resolution: v2.14.11,v3.3.8



CVE-2023-44270 (Medium) detected in postcss-8.4.22.tgz

CVE-2023-44270 - Medium Severity Vulnerability

Vulnerable Library - postcss-8.4.22.tgz

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.4.22.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • datatables.net-plugins-1.13.4.tgz (Root Library)
    • prettier-plugin-x-0.0.10.tgz
      • x-formatter-0.0.2.tgz
        • formatter-2021-01-0.0.1-rc01.tgz
          • postcss-less-4.0.1.tgz
            • postcss-8.4.22.tgz (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Publish Date: 2023-09-29

URL: CVE-2023-44270

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270

Release Date: 2023-09-29

Fix Resolution: postcss - 8.4.31



CVE-2018-20677 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /public/FieldsLinker/v0.80/index.html

Path to vulnerable library: /public/FieldsLinker/v0.80/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0


CVE-2022-31042 (High) detected in guzzlehttp/guzzle-dev-master - autoclosed

CVE-2022-31042 - High Severity Vulnerability

Vulnerable Library - guzzlehttp/guzzle-dev-master

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ca5c743d20730d1a129a9ee04cbe854df7304b96

Dependency Hierarchy:

  • guzzlehttp/guzzle-dev-master (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Guzzle is an open source PHP HTTP client. In affected versions the Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a URI on a different host, we should not forward the Cookie header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any Cookie header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects altogether.

Publish Date: 2022-06-10

URL: CVE-2022-31042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-f2wf-25xc-69c9

Release Date: 2022-06-10

Fix Resolution: 6.5.7,7.4.4


CVE-2023-26044 (Medium) detected in httpv1.8.0 - autoclosed

CVE-2023-26044 - Medium Severity Vulnerability

Vulnerable Library - httpv1.8.0

Event-driven, streaming HTTP client and server implementation for ReactPHP.

Library home page: https://github.com/reactphp/http.git

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerable Source Files (1)

/vendor/react/http/src/Io/MultipartParser.php

Vulnerability Details

react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests. This issue has been addressed in release 1.9.0. Users are advised to upgrade. Users unable to upgrade may keep the request body limited using RequestBodyBufferMiddleware with a sensible value which should mitigate the issue. An infrastructure or DevOps workaround could be to place a reverse proxy in front of the ReactPHP HTTP server to filter out any excessive HTTP request bodies.

Publish Date: 2023-05-17

URL: CVE-2023-26044

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26044

Release Date: 2023-05-17

Fix Resolution: v1.9.0


CVE-2023-46233 (Critical) detected in crypto-js-4.1.1.tgz

CVE-2023-46233 - Critical Severity Vulnerability

Vulnerable Library - crypto-js-4.1.1.tgz

JavaScript library of crypto standards.

Library home page: https://registry.npmjs.org/crypto-js/-/crypto-js-4.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • pdfmake-0.2.7.tgz (Root Library)
    • pdfkit-0.13.0.tgz
      • crypto-js-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.

Publish Date: 2023-10-25

URL: CVE-2023-46233

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-46233

Release Date: 2023-10-25

Fix Resolution: crypto-js - 4.2.0


CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • datatables.net-plugins-1.13.4.tgz (Root Library)
    • prettier-plugin-x-0.0.10.tgz
      • x-formatter-0.0.2.tgz
        • formatter-2021-01-0.0.1-rc01.tgz
          • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5


CVE-2021-23337 (High) detected in lodash-4.17.12-pre.js - autoclosed

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.12-pre.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.js

Path to dependency file: /public/vuetify-list-collapse/dist/index.html

Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html

Dependency Hierarchy:

  • lodash-4.17.12-pre.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21


CVE-2022-37616 (High) detected in xmldom-0.7.5.tgz - autoclosed

CVE-2022-37616 - High Severity Vulnerability

Vulnerable Library - xmldom-0.7.5.tgz

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Library home page: https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@xmldom/xmldom/package.json

Dependency Hierarchy:

  • video.js-7.20.3.tgz (Root Library)
    • mpd-parser-0.21.1.tgz
      • xmldom-0.7.5.tgz (Vulnerable Library)

Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable.

Publish Date: 2022-10-11

URL: CVE-2022-37616

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37616

Release Date: 2022-10-11

Fix Resolution: @xmldom/xmldom - 0.8.3


CVE-2019-8331 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /public/FieldsLinker/v0.80/index.html

Path to vulnerable library: /public/FieldsLinker/v0.80/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1


CVE-2023-26118 (Medium) detected in angular-1.8.0.min.js

CVE-2023-26118 - Medium Severity Vulnerability

Vulnerable Library - angular-1.8.0.min.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.min.js

Path to dependency file: /public/folder-list.html

Path to vulnerable library: /public/folder-list.html

Dependency Hierarchy:

  • angular-1.8.0.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Publish Date: 2023-03-30

URL: CVE-2023-26118

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

CVE-2022-25869 (Medium) detected in angular-1.8.0.min.js

CVE-2022-25869 - Medium Severity Vulnerability

Vulnerable Library - angular-1.8.0.min.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.min.js

Path to dependency file: /public/folder-list.html

Path to vulnerable library: /public/folder-list.html

Dependency Hierarchy:

  • angular-1.8.0.min.js (Vulnerable Library)

Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924

Found in base branch: master

Vulnerability Details

All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.

Publish Date: 2022-07-15

URL: CVE-2022-25869

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

CVE-2018-14042 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /public/FieldsLinker/v0.80/index.html

Path to vulnerable library: /public/FieldsLinker/v0.80/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2; org.webjars:bootstrap:3.4.0


CVE-2020-28168 (Medium) detected in axios-0.19.2.min.js

CVE-2020-28168 - Medium Severity Vulnerability

Vulnerable Library - axios-0.19.2.min.js

Promise based HTTP client for the browser and node.js

Library home page: https://cdnjs.cloudflare.com/ajax/libs/axios/0.19.2/axios.min.js

Path to dependency file: /public/vue.html

Path to vulnerable library: /public/vue.html

Dependency Hierarchy:

  • axios-0.19.2.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-06

Fix Resolution: axios - 0.21.1


CVE-2019-1010266 (Medium) detected in lodash-4.17.4.js - autoclosed

CVE-2019-1010266 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.4.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.4/lodash.js

Path to dependency file: /public/vuetify-list-collapse/dist/index.html

Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html

Dependency Hierarchy:

  • lodash-4.17.4.js (Vulnerable Library)

Found in HEAD commit: 15cc9efdaeabeb85fb3c81374617aea9d4a54929

Found in base branch: master

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2020-09-30

Fix Resolution: 4.17.11


CVE-2016-10735 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2016-10735 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /public/FieldsLinker/v0.80/index.html

Path to vulnerable library: /public/FieldsLinker/v0.80/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2


CVE-2018-20676 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /public/FieldsLinker/v0.80/index.html

Path to vulnerable library: /public/FieldsLinker/v0.80/index.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0


CVE-2022-31090 (Medium) detected in guzzlehttp/guzzle-dev-master - autoclosed

CVE-2022-31090 - Medium Severity Vulnerability

Vulnerable Library - guzzlehttp/guzzle-dev-master

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ca5c743d20730d1a129a9ee04cbe854df7304b96

Dependency Hierarchy:

  • guzzlehttp/guzzle-dev-master (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Guzzle is an extensible PHP HTTP client. Authorization headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the CURLOPT_HTTPAUTH option to specify an Authorization header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the CURLOPT_HTTPAUTH option before continuing, stopping curl from appending the Authorization header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects altogether. Alternatively, one can specify to use the Guzzle stream handler backend, rather than curl.

Publish Date: 2022-06-27

URL: CVE-2022-31090

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-25mq-v84q-4j7r

Release Date: 2022-05-19

Fix Resolution: 6.5.8,7.4.5


CVE-2019-10744 (High) detected in lodash-4.17.12-pre.js, lodash-4.17.12-pre.min.js - autoclosed

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.12-pre.js, lodash-4.17.12-pre.min.js

lodash-4.17.12-pre.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.js

Path to dependency file: /public/vuetify-list-collapse/dist/index.html

Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html

Dependency Hierarchy:

  • lodash-4.17.12-pre.js (Vulnerable Library)

lodash-4.17.12-pre.min.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.min.js

Path to dependency file: /public/tree-menu-vue-component-vuetify-treeview/src/index.html

Path to vulnerable library: /public/tree-menu-vue-component-vuetify-treeview/src/index.html

Dependency Hierarchy:

  • lodash-4.17.12-pre.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0


CVE-2023-2251 (High) detected in yaml-1.10.2.tgz - autoclosed

CVE-2023-2251 - High Severity Vulnerability

Vulnerable Library - yaml-1.10.2.tgz

JavaScript parser and stringifier for YAML

Library home page: https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/yaml/package.json

Dependency Hierarchy:

  • datatables.net-plugins-1.13.4.tgz (Root Library)
    • prettier-plugin-x-0.0.10.tgz
      • x-formatter-0.0.2.tgz
        • formatter-2021-01-0.0.1-rc01.tgz
          • cosmiconfig-7.0.0.tgz
            • yaml-1.10.2.tgz (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Uncaught Exception in GitHub repository eemeli/yaml prior to 2.2.2.

Publish Date: 2023-04-24

URL: CVE-2023-2251

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-f9xv-q969-pqx4

Release Date: 2023-04-24

Fix Resolution: yaml - 2.2.2


CVE-2022-31091 (High) detected in guzzlehttp/guzzle-dev-master - autoclosed

CVE-2022-31091 - High Severity Vulnerability

Vulnerable Library - guzzlehttp/guzzle-dev-master

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ca5c743d20730d1a129a9ee04cbe854df7304b96

Dependency Hierarchy:

  • guzzlehttp/guzzle-dev-master (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Guzzle is an extensible PHP HTTP client. Authorization and Cookie headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the Authorization and Cookie headers from the request, before continuing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects altogether.

Publish Date: 2022-06-27

URL: CVE-2022-31091

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091

Release Date: 2022-06-27

Fix Resolution: 6.5.8,7.4.5


CVE-2012-6708 (Medium) detected in jquery-1.7.1.min.js - autoclosed

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /vendor/masterminds/html5/test/benchmark/example.html

Path to vulnerable library: /vendor/masterminds/html5/test/benchmark/example.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0



CVE-2022-24775 (High) detected in guzzlehttp/psr7-dev-master - autoclosed

CVE-2022-24775 - High Severity Vulnerability

Vulnerable Library - guzzlehttp/psr7-dev-master

PSR-7 message implementation that also provides common utility methods

Library home page: https://api.github.com/repos/guzzle/psr7/zipball/13388f00956b1503577598873fffb5ae994b5737

Dependency Hierarchy:

  • monolog/monolog-2.x-dev (Root Library)
    • guzzlehttp/psr7-dev-master (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

Publish Date: 2022-03-21

URL: CVE-2022-24775

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-q7rv-6hp3-vh96

Release Date: 2022-03-21

Fix Resolution: 1.8.4,2.1.1



CVE-2022-31043 (High) detected in guzzlehttp/guzzle-dev-master - autoclosed

CVE-2022-31043 - High Severity Vulnerability

Vulnerable Library - guzzlehttp/guzzle-dev-master

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ca5c743d20730d1a129a9ee04cbe854df7304b96

Dependency Hierarchy:

  • guzzlehttp/guzzle-dev-master (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Guzzle is an open source PHP HTTP client. In affected versions, Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This is much the same as how we don't forward on the header if the host changes. Prior to this fix, https to http downgrades did not result in the Authorization header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach, which would be to use their own redirect middleware. Alternately, users may simply disable redirects altogether if redirects are not expected or required.

Publish Date: 2022-06-10

URL: CVE-2022-31043

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-w248-ffj2-4v5q

Release Date: 2022-06-10

Fix Resolution: 6.5.7,7.4.4



CVE-2022-25883 (High) detected in multiple libraries

CVE-2022-25883 - High Severity Vulnerability

Vulnerable Libraries - semver-7.3.5.tgz, semver-5.7.1.tgz, semver-7.5.0.tgz

semver-7.3.5.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • datatables.net-plugins-1.13.4.tgz (Root Library)
    • prettier-plugin-x-0.0.10.tgz
      • x-formatter-0.0.2.tgz
        • formatter-2021-01-0.0.1-rc01.tgz
          • semver-7.3.5.tgz (Vulnerable Library)

semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • datatables.net-plugins-1.13.4.tgz (Root Library)
    • prettier-plugin-x-0.0.10.tgz
      • x-formatter-0.0.2.tgz
        • formatter-2021-01-0.0.1-rc01.tgz
          • editorconfig-0.15.3.tgz
            • semver-5.7.1.tgz (Vulnerable Library)

semver-7.5.0.tgz

Library home page: https://registry.npmjs.org/semver/-/semver-7.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • datatables.net-plugins-1.13.4.tgz (Root Library)
    • prettier-plugin-x-0.0.10.tgz
      • x-formatter-0.0.2.tgz
        • formatter-2021-01-0.0.1-rc01.tgz
          • typescript-estree-2.34.0.tgz
            • semver-7.5.0.tgz (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 7.5.2

Direct dependency fix Resolution (datatables.net-plugins): 1.13.5




WS-2018-0162 (Medium) detected in vue-2.5.16.min.js

WS-2018-0162 - Medium Severity Vulnerability

Vulnerable Library - vue-2.5.16.min.js

Simple, Fast & Composable MVVM for building interactive interfaces

Library home page: https://cdnjs.cloudflare.com/ajax/libs/vue/2.5.16/vue.min.js

Path to dependency file: /public/vuetify-crm-dashboard/dist/index.html

Path to vulnerable library: /public/vuetify-crm-dashboard/dist/index.html

Dependency Hierarchy:

  • vue-2.5.16.min.js (Vulnerable Library)

Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924

Found in base branch: master

Vulnerability Details

Vue.js before version 2.5.17 has a potential XSS in SSR when using v-bind.

Publish Date: 2018-08-01

URL: WS-2018-0162

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2018-08-01

Fix Resolution: vue - 2.5.17



CVE-2021-3749 (High) detected in axios-0.19.2.min.js

CVE-2021-3749 - High Severity Vulnerability

Vulnerable Library - axios-0.19.2.min.js

Promise based HTTP client for the browser and node.js

Library home page: https://cdnjs.cloudflare.com/ajax/libs/axios/0.19.2/axios.min.js

Path to dependency file: /public/vue.html

Path to vulnerable library: /public/vue.html

Dependency Hierarchy:

  • axios-0.19.2.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/

Release Date: 2021-08-31

Fix Resolution: axios - 0.21.2



CVE-2019-10768 (High) detected in angular-1.6.1.min.js - autoclosed

CVE-2019-10768 - High Severity Vulnerability

Vulnerable Library - angular-1.6.1.min.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.min.js

Path to dependency file: /public/folder-list.html

Path to vulnerable library: /public/folder-list.html

Dependency Hierarchy:

  • angular-1.6.1.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

In AngularJS before 1.7.9 the function merge() could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
WhiteSource Note: After conducting further research, WhiteSource has determined that versions 1.4.0-beta.6 before 1.7.9 of angular are vulnerable to CVE-2019-10768.

Publish Date: 2019-11-19

URL: CVE-2019-10768

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: angular/angular.js@726f49d

Release Date: 2019-11-19

Fix Resolution: angularjs - 1.7.8,1.7.8.1



CVE-2022-25873 (Medium) detected in vuetify-2.0.19.min.js

CVE-2022-25873 - Medium Severity Vulnerability

Vulnerable Library - vuetify-2.0.19.min.js

Vue.js 2 Semantic Component Framework

Library home page: https://cdnjs.cloudflare.com/ajax/libs/vuetify/2.0.19/vuetify.min.js

Path to dependency file: /public/vuetify-slide-groups-click-toggle/dist/index.html

Path to vulnerable library: /public/vuetify-slide-groups-click-toggle/dist/index.html

Dependency Hierarchy:

  • vuetify-2.0.19.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

The package vuetify from 2.0.0-beta.4 and before 2.6.10 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.

Publish Date: 2022-09-18

URL: CVE-2022-25873

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-25873

Release Date: 2022-09-18

Fix Resolution: org.webjars.npm:vuetify - 3.0.0-alpha.11



CVE-2021-44906 (Critical) detected in minimist-1.2.5.tgz

CVE-2021-44906 - Critical Severity Vulnerability

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • datatables.net-plugins-1.13.4.tgz (Root Library)
    • prettier-plugin-x-0.0.10.tgz
      • x-formatter-0.0.2.tgz
        • formatter-2021-01-0.0.1-rc01.tgz
          • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (datatables.net-plugins): 1.13.5



CVE-2023-26115 (High) detected in word-wrap-1.2.3.tgz

CVE-2023-26115 - High Severity Vulnerability

Vulnerable Library - word-wrap-1.2.3.tgz

Wrap words to a specified length.

Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • pdfmake-0.2.7.tgz (Root Library)
    • linebreak-1.1.1.tgz
      • brfs-2.0.2.tgz
        • static-module-3.0.4.tgz
          • escodegen-1.14.3.tgz
            • optionator-0.8.3.tgz
              • word-wrap-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Publish Date: 2023-06-22

URL: CVE-2023-26115

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-j8xg-fqg3-53r7

Release Date: 2023-06-22

Fix Resolution (word-wrap): 1.2.4

Direct dependency fix Resolution (pdfmake): 0.2.8



CVE-2015-9251 (Medium) detected in jquery-1.7.1.min.js - autoclosed

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /vendor/masterminds/html5/test/benchmark/example.html

Path to vulnerable library: /vendor/masterminds/html5/test/benchmark/example.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0



CVE-2023-45857 (Medium) detected in axios-1.3.5.tgz

CVE-2023-45857 - Medium Severity Vulnerability

Vulnerable Library - axios-1.3.5.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • axios-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution: 1.6.0



CVE-2023-26159 (Medium) detected in follow-redirects-1.15.2.tgz

CVE-2023-26159 - Medium Severity Vulnerability

Vulnerable Library - follow-redirects-1.15.2.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • axios-1.3.5.tgz (Root Library)
    • follow-redirects-1.15.2.tgz (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Publish Date: 2024-01-02

URL: CVE-2023-26159

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159

Release Date: 2024-01-02

Fix Resolution (follow-redirects): 1.15.4

Direct dependency fix Resolution (axios): 1.3.6



CVE-2018-16487 (Medium) detected in lodash-4.17.4.js - autoclosed

CVE-2018-16487 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.4.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.4/lodash.js

Path to dependency file: /public/vuetify-list-collapse/dist/index.html

Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html

Dependency Hierarchy:

  • lodash-4.17.4.js (Vulnerable Library)

Found in HEAD commit: 15cc9efdaeabeb85fb3c81374617aea9d4a54929

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11


