🎮 ConSolo 🕹 is a ROM matching and general emulation related goodness. It aims to support information from more sites, software, formats, etc. than anything else out there. It's still early in development, so the scope or direction isn't very solidified yet.
License: GNU General Public License v3.0
PHP 67.05%
Shell 0.29%
HTML 6.09%
CSS 1.67%
JavaScript 14.35%
SCSS 0.28%
Pug 0.29%
Twig 9.96%
Makefile 0.01%
consolo's Issues
CVE-2022-25844 - High Severity Vulnerability
Vulnerable Library - angular-1.8.0.min.js
AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.min.js
Path to dependency file: /public/folder-list.html
Path to vulnerable library: /public/folder-list.html
Dependency Hierarchy:
❌ angular-1.8.0.min.js (Vulnerable Library)
Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924
Found in base branch: master
Vulnerability Details
Versions of the package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. Note: 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.
Publish Date: 2022-05-01
URL: CVE-2022-25844
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2020-7656 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /vendor/masterminds/html5/test/benchmark/example.html
Path to vulnerable library: /vendor/masterminds/html5/test/benchmark/example.html
Dependency Hierarchy:
❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-19
Fix Resolution: jquery - 1.9.0
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
datatables.net-plugins-1.13.4.tgz (Root Library)
prettier-plugin-x-0.0.10.tgz
x-formatter-0.0.2.tgz
formatter-2021-01-0.0.1-rc01.tgz
❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2023-2251 - High Severity Vulnerability
Vulnerable Library - yaml-1.10.2.tgz
JavaScript parser and stringifier for YAML
Library home page: https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yaml/package.json
Dependency Hierarchy:
datatables.net-plugins-1.13.4.tgz (Root Library)
prettier-plugin-x-0.0.10.tgz
x-formatter-0.0.2.tgz
formatter-2021-01-0.0.1-rc01.tgz
cosmiconfig-7.0.0.tgz
❌ yaml-1.10.2.tgz (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Uncaught Exception in GitHub repository eemeli/yaml prior to 2.2.2.
Publish Date: 2023-04-24
URL: CVE-2023-2251
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f9xv-q969-pqx4
Release Date: 2023-04-24
Fix Resolution: yaml - 2.2.2
CVE-2020-8203 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.12-pre.js
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.js
Path to dependency file: /public/vuetify-list-collapse/dist/index.html
Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html
Dependency Hierarchy:
❌ lodash-4.17.12-pre.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution: lodash - 4.17.19
CVE-2022-31091 - High Severity Vulnerability
Vulnerable Library - guzzlehttp/guzzle-dev-master
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ca5c743d20730d1a129a9ee04cbe854df7304b96
Dependency Hierarchy:
❌ guzzlehttp/guzzle-dev-master (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Guzzle is an extensible PHP HTTP client. Authorization and Cookie headers on requests are sensitive information. In affected versions, on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the Authorization and Cookie headers from the request before continuing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover a change in scheme or a change in port. An alternative approach would be to use your own redirect middleware rather than ours if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects altogether.
Publish Date: 2022-06-27
URL: CVE-2022-31091
CVSS 3 Score Details (7.7)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091
Release Date: 2022-06-27
Fix Resolution: 6.5.8,7.4.5
CVE-2022-31043 - High Severity Vulnerability
Vulnerable Library - guzzlehttp/guzzle-dev-master
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ca5c743d20730d1a129a9ee04cbe854df7304b96
Dependency Hierarchy:
❌ guzzlehttp/guzzle-dev-master (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Guzzle is an open source PHP HTTP client. In affected versions, Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This is much the same as how we don't forward the header if the host changes. Prior to this fix, https to http downgrades did not result in the Authorization header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach, which would be to use their own redirect middleware. Alternately, users may simply disable redirects altogether if redirects are not expected or required.
Publish Date: 2022-06-10
URL: CVE-2022-31043
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-w248-ffj2-4v5q
Release Date: 2022-06-10
Fix Resolution: 6.5.7,7.4.4
CVE-2023-26115 - High Severity Vulnerability
Vulnerable Library - word-wrap-1.2.3.tgz
Wrap words to a specified length.
Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
pdfmake-0.2.7.tgz (Root Library)
linebreak-1.1.1.tgz
brfs-2.0.2.tgz
static-module-3.0.4.tgz
escodegen-1.14.3.tgz
optionator-0.8.3.tgz
❌ word-wrap-1.2.3.tgz (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
Publish Date: 2023-06-22
URL: CVE-2023-26115
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-j8xg-fqg3-53r7
Release Date: 2023-06-22
Fix Resolution (word-wrap): 1.2.4
Direct dependency fix Resolution (pdfmake): 0.2.8
CVE-2023-26044 - Medium Severity Vulnerability
Vulnerable Library - httpv1.8.0
Event-driven, streaming HTTP client and server implementation for ReactPHP.
Library home page: https://github.com/reactphp/http.git
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerable Source Files (1)
/vendor/react/http/src/Io/MultipartParser.php
Vulnerability Details
react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests. This issue has been addressed in release 1.9.0. Users are advised to upgrade. Users unable to upgrade may keep the request body limited using RequestBodyBufferMiddleware with a sensible value which should mitigate the issue. An infrastructure or DevOps workaround could be to place a reverse proxy in front of the ReactPHP HTTP server to filter out any excessive HTTP request bodies.
Publish Date: 2023-05-17
URL: CVE-2023-26044
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26044
Release Date: 2023-05-17
Fix Resolution: v1.9.0
WS-2018-0162 - Medium Severity Vulnerability
Vulnerable Library - vue-2.5.16.min.js
Simple, Fast & Composable MVVM for building interactive interfaces
Library home page: https://cdnjs.cloudflare.com/ajax/libs/vue/2.5.16/vue.min.js
Path to dependency file: /public/vuetify-crm-dashboard/dist/index.html
Path to vulnerable library: /public/vuetify-crm-dashboard/dist/index.html
Dependency Hierarchy:
❌ vue-2.5.16.min.js (Vulnerable Library)
Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924
Found in base branch: master
Vulnerability Details
Vue.js before version 2.5.17 in the vue project has a potential XSS in SSR when using v-bind.
Publish Date: 2018-08-01
URL: WS-2018-0162
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-08-01
Fix Resolution: vue - 2.5.17
CVE-2021-44906 - Critical Severity Vulnerability
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
datatables.net-plugins-1.13.4.tgz (Root Library)
prettier-plugin-x-0.0.10.tgz
x-formatter-0.0.2.tgz
formatter-2021-01-0.0.1-rc01.tgz
❌ minimist-1.2.5.tgz (Vulnerable Library)
Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (datatables.net-plugins): 1.13.5
CVE-2019-1010266 - Medium Severity Vulnerability
Vulnerable Library - lodash-4.17.4.js
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.4/lodash.js
Path to dependency file: /public/vuetify-list-collapse/dist/index.html
Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html
Dependency Hierarchy:
❌ lodash-4.17.4.js (Vulnerable Library)
Found in HEAD commit: 15cc9efdaeabeb85fb3c81374617aea9d4a54929
Found in base branch: master
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266
Release Date: 2020-09-30
Fix Resolution: 4.17.11
CVE-2018-20676 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /public/FieldsLinker/v0.80/index.html
Path to vulnerable library: /public/FieldsLinker/v0.80/index.html
Dependency Hierarchy:
❌ bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
CVE-2023-26117 - Medium Severity Vulnerability
Vulnerable Library - angular-1.8.0.min.js
AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.min.js
Path to dependency file: /public/folder-list.html
Path to vulnerable library: /public/folder-list.html
Dependency Hierarchy:
❌ angular-1.8.0.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Publish Date: 2023-03-30
URL: CVE-2023-26117
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
CVE-2022-37616 - High Severity Vulnerability
Vulnerable Library - xmldom-0.7.5.tgz
A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.
Library home page: https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@xmldom/xmldom/package.json
Dependency Hierarchy:
video.js-7.20.3.tgz (Root Library)
mpd-parser-0.21.1.tgz
❌ xmldom-0.7.5.tgz (Vulnerable Library)
Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924
Found in base branch: master
Vulnerability Details
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable.
Publish Date: 2022-10-11
URL: CVE-2022-37616
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37616
Release Date: 2022-10-11
Fix Resolution: @xmldom/xmldom - 0.8.3
CVE-2022-25873 - Medium Severity Vulnerability
Vulnerable Library - vuetify-2.0.19.min.js
Vue.js 2 Semantic Component Framework
Library home page: https://cdnjs.cloudflare.com/ajax/libs/vuetify/2.0.19/vuetify.min.js
Path to dependency file: /public/vuetify-slide-groups-click-toggle/dist/index.html
Path to vulnerable library: /public/vuetify-slide-groups-click-toggle/dist/index.html
Dependency Hierarchy:
❌ vuetify-2.0.19.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.
Publish Date: 2022-09-18
URL: CVE-2022-25873
CVSS 3 Score Details (5.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-25873
Release Date: 2022-09-18
Fix Resolution: org.webjars.npm:vuetify - 3.0.0-alpha.11
CVE-2023-44270 - Medium Severity Vulnerability
Vulnerable Library - postcss-8.4.22.tgz
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.4.22.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
datatables.net-plugins-1.13.4.tgz (Root Library)
prettier-plugin-x-0.0.10.tgz
x-formatter-0.0.2.tgz
formatter-2021-01-0.0.1-rc01.tgz
postcss-less-4.0.1.tgz
❌ postcss-8.4.22.tgz (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: 2023-09-29
URL: CVE-2023-44270
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270
Release Date: 2023-09-29
Fix Resolution: postcss - 8.4.31
CVE-2023-45857 - Medium Severity Vulnerability
Vulnerable Library - axios-1.3.5.tgz
Library home page: https://registry.npmjs.org/axios/-/axios-1.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
❌ axios-1.3.5.tgz (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2023-11-08
Fix Resolution: 1.6.0
CVE-2022-24775 - High Severity Vulnerability
Vulnerable Library - guzzlehttp/psr7-dev-master
PSR-7 message implementation that also provides common utility methods
Library home page: https://api.github.com/repos/guzzle/psr7/zipball/13388f00956b1503577598873fffb5ae994b5737
Dependency Hierarchy:
monolog/monolog-2.x-dev (Root Library)
❌ guzzlehttp/psr7-dev-master (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Publish Date: 2022-03-21
URL: CVE-2022-24775
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q7rv-6hp3-vh96
Release Date: 2022-03-21
Fix Resolution: 1.8.4,2.1.1
CVE-2023-26118 - Medium Severity Vulnerability
Vulnerable Library - angular-1.8.0.min.js
AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.min.js
Path to dependency file: /public/folder-list.html
Path to vulnerable library: /public/folder-list.html
Dependency Hierarchy:
❌ angular-1.8.0.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the input element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Publish Date: 2023-03-30
URL: CVE-2023-26118
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
CVE-2021-23337 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.12-pre.js
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.js
Path to dependency file: /public/vuetify-list-collapse/dist/index.html
Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html
Dependency Hierarchy:
❌ lodash-4.17.12-pre.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
CVE-2020-28500 - Medium Severity Vulnerability
Vulnerable Libraries - lodash-4.17.12-pre.js, lodash-4.17.12-pre.min.js
lodash-4.17.12-pre.js
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.js
Path to dependency file: /public/vuetify-list-collapse/dist/index.html
Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html
Dependency Hierarchy:
❌ lodash-4.17.12-pre.js (Vulnerable Library)
lodash-4.17.12-pre.min.js
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.min.js
Path to dependency file: /public/tree-menu-vue-component-vuetify-treeview/src/index.html
Path to vulnerable library: /public/tree-menu-vue-component-vuetify-treeview/src/index.html
Dependency Hierarchy:
❌ lodash-4.17.12-pre.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
CVE-2023-26159 - Medium Severity Vulnerability
Vulnerable Library - follow-redirects-1.15.2.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
axios-1.3.5.tgz (Root Library)
❌ follow-redirects-1.15.2.tgz (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Publish Date: 2024-01-02
URL: CVE-2023-26159
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159
Release Date: 2024-01-02
Fix Resolution (follow-redirects): 1.15.4
Direct dependency fix Resolution (axios): 1.3.6
CVE-2019-11358 - Medium Severity Vulnerability
Vulnerable Library - jquery-2.2.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js
Path to dependency file: /public/FieldsLinker/v0.80/index.html
Path to vulnerable library: /public/FieldsLinker/v0.80/index.html
Dependency Hierarchy:
❌ jquery-2.2.4.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
CVE-2019-10744 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.12-pre.js, lodash-4.17.12-pre.min.js
lodash-4.17.12-pre.js
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.js
Path to dependency file: /public/vuetify-list-collapse/dist/index.html
Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html
Dependency Hierarchy:
❌ lodash-4.17.12-pre.js (Vulnerable Library)
lodash-4.17.12-pre.min.js
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.min.js
Path to dependency file: /public/tree-menu-vue-component-vuetify-treeview/src/index.html
Path to vulnerable library: /public/tree-menu-vue-component-vuetify-treeview/src/index.html
Dependency Hierarchy:
❌ lodash-4.17.12-pre.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
CVE-2023-26116 - Medium Severity Vulnerability
Vulnerable Library - angular-1.8.0.min.js
AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.min.js
Path to dependency file: /public/folder-list.html
Path to vulnerable library: /public/folder-list.html
Dependency Hierarchy:
❌ angular-1.8.0.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Publish Date: 2023-03-30
URL: CVE-2023-26116
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
CVE-2022-25883 - High Severity Vulnerability
Vulnerable Libraries - semver-7.3.5.tgz, semver-5.7.1.tgz, semver-7.5.0.tgz
semver-7.3.5.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
datatables.net-plugins-1.13.4.tgz (Root Library)
prettier-plugin-x-0.0.10.tgz
x-formatter-0.0.2.tgz
formatter-2021-01-0.0.1-rc01.tgz
❌ semver-7.3.5.tgz (Vulnerable Library)
semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
datatables.net-plugins-1.13.4.tgz (Root Library)
prettier-plugin-x-0.0.10.tgz
x-formatter-0.0.2.tgz
formatter-2021-01-0.0.1-rc01.tgz
editorconfig-0.15.3.tgz
❌ semver-5.7.1.tgz (Vulnerable Library)
semver-7.5.0.tgz
Library home page: https://registry.npmjs.org/semver/-/semver-7.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
datatables.net-plugins-1.13.4.tgz (Root Library)
prettier-plugin-x-0.0.10.tgz
x-formatter-0.0.2.tgz
formatter-2021-01-0.0.1-rc01.tgz
typescript-estree-2.34.0.tgz
❌ semver-7.5.0.tgz (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (datatables.net-plugins): 1.13.5
CVE-2018-14042 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /public/FieldsLinker/v0.80/index.html
Path to vulnerable library: /public/FieldsLinker/v0.80/index.html
Dependency Hierarchy:
❌ bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2, org.webjars:bootstrap:3.4.0
CVE-2022-23614 - High Severity Vulnerability
Vulnerable Library - twig/twig-2.x-dev
Twig, the flexible, fast, and secure template language for PHP
Library home page: https://api.github.com/repos/twigphp/Twig/zipball/c953a77b23d10c47d2b7e5ad0d062e690bd647c9
Dependency Hierarchy:
❌ twig/twig-2.x-dev (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Twig is an open source template language for PHP. When in a sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non-Closure in the sort filter as is the case for some other filters. Users are advised to upgrade.
Publish Date: 2022-02-04
URL: CVE-2022-23614
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-23614
Release Date: 2022-02-04
Fix Resolution: v2.14.11, v3.3.8
CVE-2012-6708 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /vendor/masterminds/html5/test/benchmark/example.html
Path to vulnerable library: /vendor/masterminds/html5/test/benchmark/example.html
Dependency Hierarchy:
❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
CVE-2024-27088 - Low Severity Vulnerability
Vulnerable Library - es5-ext-0.10.62.tgz
ECMAScript extensions and shims
Library home page: https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.62.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
pdfmake-0.2.7.tgz (Root Library)
linebreak-1.1.1.tgz
brfs-2.0.2.tgz
static-module-3.0.4.tgz
scope-analyzer-2.1.2.tgz
es6-map-0.1.5.tgz
❌ es5-ext-0.10.62.tgz (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into function#copy or function#toStringTokens may cause the script to stall. The vulnerability is patched in v0.10.63.
Publish Date: 2024-02-26
URL: CVE-2024-27088
CVSS 3 Score Details (0.0)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-27088
Release Date: 2024-02-26
Fix Resolution (es5-ext): 0.10.63
Direct dependency fix Resolution (pdfmake): 0.2.8
CVE-2020-7676 - Medium Severity Vulnerability
Vulnerable Library - angular-1.6.1.min.js
AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.min.js
Path to dependency file: /public/folder-list.html
Path to vulnerable library: /public/folder-list.html
Dependency Hierarchy:
❌ angular-1.6.1.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.
Publish Date: 2020-06-08
URL: CVE-2020-7676
CVSS 3 Score Details (5.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7676
Release Date: 2020-10-09
Fix Resolution: 1.8.0
CVE-2022-46161 - High Severity Vulnerability
Vulnerable Library - pdfmake-0.2.6.tgz
Client/server side PDF printing in pure JavaScript
Library home page: https://registry.npmjs.org/pdfmake/-/pdfmake-0.2.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pdfmake/package.json
Dependency Hierarchy:
❌ pdfmake-0.2.6.tgz (Vulnerable Library)
Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924
Found in base branch: master
Vulnerability Details
pdfmake is an open source client/server side PDF printing in pure JavaScript. In versions up to and including 0.2.5 pdfmake contains an unsafe evaluation of user controlled input. Users of pdfmake are thus subject to arbitrary code execution in the context of the process running the pdfmake code. There are no known fixes for this issue. Users are advised to restrict access to trusted user input.
Publish Date: 2022-12-06
URL: CVE-2022-46161
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
CVE-2022-25869 - Medium Severity Vulnerability
Vulnerable Library - angular-1.8.0.min.js
AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.min.js
Path to dependency file: /public/folder-list.html
Path to vulnerable library: /public/folder-list.html
Dependency Hierarchy:
❌ angular-1.8.0.min.js (Vulnerable Library)
Found in HEAD commit: 22491a04178b05133dce8e009cf7ec762fa9e924
Found in base branch: master
Vulnerability Details
All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.
Publish Date: 2022-07-15
URL: CVE-2022-25869
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
CVE-2020-28168 - Medium Severity Vulnerability
Vulnerable Library - axios-0.19.2.min.js
Promise based HTTP client for the browser and node.js
Library home page: https://cdnjs.cloudflare.com/ajax/libs/axios/0.19.2/axios.min.js
Path to dependency file: /public/vue.html
Path to vulnerable library: /public/vue.html
Dependency Hierarchy:
❌ axios-0.19.2.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution: axios - 0.21.1
CVE-2016-10735 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /public/FieldsLinker/v0.80/index.html
Path to vulnerable library: /public/FieldsLinker/v0.80/index.html
Dependency Hierarchy:
❌ bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
CVE-2018-20677 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /public/FieldsLinker/v0.80/index.html
Path to vulnerable library: /public/FieldsLinker/v0.80/index.html
Dependency Hierarchy:
❌ bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0; NorDroN.AngularTemplate - 0.1.6; Dynamic.NET.Express.ProjectTemplates - 0.8.0; dotnetng.template - 1.0.0.4; ZNxtApp.Core.Module.Theme - 1.0.9-Beta; JMeter - 5.0.0
CVE-2022-29248 - High Severity Vulnerability
Vulnerable Library - guzzlehttp/guzzle-dev-master
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ca5c743d20730d1a129a9ee04cbe854df7304b96
Dependency Hierarchy:
❌ guzzlehttp/guzzle-dev-master (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
Publish Date: 2022-05-25
URL: CVE-2022-29248
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248
Release Date: 2022-05-25
Fix Resolution: guzzlehttp/guzzle - 6.5.6, guzzlehttp/guzzle - 7.4.3
CVE-2023-46233 - Critical Severity Vulnerability
Vulnerable Library - crypto-js-4.1.1.tgz
JavaScript library of crypto standards.
Library home page: https://registry.npmjs.org/crypto-js/-/crypto-js-4.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
pdfmake-0.2.7.tgz (Root Library)
pdfkit-0.13.0.tgz
❌ crypto-js-4.1.1.tgz (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.
Publish Date: 2023-10-25
URL: CVE-2023-46233
CVSS 3 Score Details (9.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-46233
Release Date: 2023-10-25
Fix Resolution: crypto-js - 4.2.0
CVE-2021-3749 - High Severity Vulnerability
Vulnerable Library - axios-0.19.2.min.js
Promise based HTTP client for the browser and node.js
Library home page: https://cdnjs.cloudflare.com/ajax/libs/axios/0.19.2/axios.min.js
Path to dependency file: /public/vue.html
Path to vulnerable library: /public/vue.html
Dependency Hierarchy:
❌ axios-0.19.2.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution: axios - 0.21.2
CVE-2019-8331 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /public/FieldsLinker/v0.80/index.html
Path to vulnerable library: /public/FieldsLinker/v0.80/index.html
Dependency Hierarchy:
❌ bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1, 4.3.1; bootstrap-sass - 3.4.1, 4.3.1
CVE-2018-3721 - Medium Severity Vulnerability
Vulnerable Library - lodash-4.17.4.js
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.4/lodash.js
Path to dependency file: /public/vuetify-list-collapse/dist/index.html
Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html
Dependency Hierarchy:
❌ lodash-4.17.4.js (Vulnerable Library)
Found in HEAD commit: 15cc9efdaeabeb85fb3c81374617aea9d4a54929
Found in base branch: master
Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Release Date: 2018-06-07
Fix Resolution: 4.17.5
CVE-2019-10768 - High Severity Vulnerability
Vulnerable Library - angular-1.6.1.min.js
AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.min.js
Path to dependency file: /public/folder-list.html
Path to vulnerable library: /public/folder-list.html
Dependency Hierarchy:
❌ angular-1.6.1.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
In AngularJS before 1.7.9 the function merge() could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
WhiteSource Note: After conducting further research, WhiteSource has determined that versions 1.4.0-beta.6 before 1.7.9 of angular are vulnerable to CVE-2019-10768.
Publish Date: 2019-11-19
URL: CVE-2019-10768
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: angular/angular.js@726f49d
Release Date: 2019-11-19
Fix Resolution: angularjs - 1.7.8,1.7.8.1
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /vendor/masterminds/html5/test/benchmark/example.html
Path to vulnerable library: /vendor/masterminds/html5/test/benchmark/example.html
Dependency Hierarchy:
❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2022-31090 - Medium Severity Vulnerability
Vulnerable Library - guzzlehttp/guzzle-dev-master
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ca5c743d20730d1a129a9ee04cbe854df7304b96
Dependency Hierarchy:
❌ guzzlehttp/guzzle-dev-master (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Guzzle is an extensible PHP HTTP client. Authorization headers on requests are sensitive information. In affected versions, when using the Curl handler, it is possible to use the CURLOPT_HTTPAUTH option to specify an Authorization header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the CURLOPT_HTTPAUTH option before continuing, stopping curl from appending the Authorization header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover a change in scheme or a change in port. If you do not require or expect redirects to be followed, you should simply disable redirects altogether. Alternatively, you can specify the Guzzle stream handler backend rather than curl.
Publish Date: 2022-06-27
URL: CVE-2022-31090
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-25mq-v84q-4j7r
Release Date: 2022-05-19
Fix Resolution: 6.5.8,7.4.5
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /vendor/masterminds/html5/test/benchmark/example.html
Path to vulnerable library: /vendor/masterminds/html5/test/benchmark/example.html
Dependency Hierarchy:
❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /vendor/masterminds/html5/test/benchmark/example.html
Path to vulnerable library: /vendor/masterminds/html5/test/benchmark/example.html
Dependency Hierarchy:
❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
CVE-2018-14040 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /public/FieldsLinker/v0.80/index.html
Path to vulnerable library: /public/FieldsLinker/v0.80/index.html
Dependency Hierarchy:
❌ bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2018-16487 - Medium Severity Vulnerability
Vulnerable Library - lodash-4.17.4.js
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.4/lodash.js
Path to dependency file: /public/vuetify-list-collapse/dist/index.html
Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html
Dependency Hierarchy:
❌ lodash-4.17.4.js (Vulnerable Library)
Found in HEAD commit: 15cc9efdaeabeb85fb3c81374617aea9d4a54929
Found in base branch: master
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution: 4.17.11
CVE-2022-31042 - High Severity Vulnerability
Vulnerable Library - guzzlehttp/guzzle-dev-master
Guzzle is a PHP HTTP client library
Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ca5c743d20730d1a129a9ee04cbe854df7304b96
Dependency Hierarchy:
❌ guzzlehttp/guzzle-dev-master (Vulnerable Library)
Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91
Found in base branch: master
Vulnerability Details
Guzzle is an open source PHP HTTP client. In affected versions the Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a URI on a different host, we should not forward the Cookie header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any Cookie header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach: use your own redirect middleware rather than ours. If you do not require or expect redirects to be followed, you should simply disable redirects altogether.
Publish Date: 2022-06-10
URL: CVE-2022-31042
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-f2wf-25xc-69c9
Release Date: 2022-06-10
Fix Resolution: 6.5.7,7.4.4