Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Publish Date: 2018-12-04

URL: CVE-2018-19839

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-04

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (lint-staged): 8.0.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (lint-staged): 8.0.0

Vulnerable Library - handlebars-4.1.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: EcommEasy/node_modules/handlebars/package.json

Dependency Hierarchy:

• ❌ handlebars-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: d7e1beaffcf754d014368f5d34e44436f98900a6

Vulnerability Details

In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.

Publish Date: 2019-10-20

URL: WS-2019-0318

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-12-01

Fix Resolution: handlebars - 4.4.5

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /tmp/git/EcommEasy/node_modules/fstream/package.json

Dependency Hierarchy:

• node-sass-4.11.0.tgz (Root Library)
  • node-gyp-3.8.0.tgz
    • ❌ fstream-1.0.11.tgz (Vulnerable Library)

Vulnerability Details

Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.

Publish Date: 2019-05-23

URL: WS-2019-0100

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/886

Release Date: 2019-05-23

Fix Resolution: 1.0.12

Vulnerable Library - bson-1.1.1.tgz

A bson parser for node.js and the browser

Library home page: https://registry.npmjs.org/bson/-/bson-1.1.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/bson/package.json

Dependency Hierarchy:

• mongodb-3.2.2.tgz (Root Library)
  • mongodb-core-3.2.2.tgz
    • ❌ bson-1.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

Publish Date: 2020-03-30

URL: CVE-2020-7610

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-04-01

Fix Resolution (bson): 1.1.4

Direct dependency fix Resolution (mongodb): 3.2.3

Vulnerable Library - eslint-utils-1.3.1.tgz

Utilities for ESLint plugins.

Library home page: https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.3.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/eslint-utils/package.json

Dependency Hierarchy:

• eslint-5.15.3.tgz (Root Library)
  • ❌ eslint-utils-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: eacf794cd53269c07cbef35c8151a139127a917e

Found in base branch: master

Vulnerability Details

In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.

Publish Date: 2019-08-26

URL: CVE-2019-15657

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15657

Release Date: 2020-08-24

Fix Resolution (eslint-utils): 1.4.1

Direct dependency fix Resolution (eslint): 5.16.0

Vulnerable Libraries - lodash.template-4.4.0.tgz, lodash.mergewith-4.6.1.tgz, lodash-4.17.11.tgz

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (workbox-webpack-plugin): 4.0.0

Fix Resolution (lodash.mergewith): 4.5.0

Direct dependency fix Resolution (node-sass): 4.12.0

Vulnerable Library - acorn-6.1.1.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-6.1.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/acorn/package.json

Dependency Hierarchy:

• webpack-4.29.6.tgz (Root Library)
  • ❌ acorn-6.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6chw-6frg-f759

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (webpack): 4.30.0

Vulnerable Library - jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/EcommEasy/node_modules/js-base64/test/index.html

Path to vulnerable library: /EcommEasy/node_modules/js-base64/test/index.html

Dependency Hierarchy:

• ❌ jquery-2.1.4.min.js (Vulnerable Library)

Found in HEAD commit: 3c0d897272148efa0443f36085393d6aa403f4b1

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: jquery/jquery@753d591

Release Date: 2019-03-25

Fix Resolution: Replace or update the following files: core.js, core.js

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/node-sass/package.json

Dependency Hierarchy:

• ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11696

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: 4.14.0

Vulnerable Library - handlebars-4.1.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: EcommEasy/node_modules/handlebars/package.json

Dependency Hierarchy:

• ❌ handlebars-4.1.1.tgz (Vulnerable Library)

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-14

URL: WS-2019-0493

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-14

Fix Resolution: handlebars - 3.0.8,4.5.2

Vulnerable Library - serialize-javascript-1.6.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.6.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• webpack-4.29.6.tgz (Root Library)
  • terser-webpack-plugin-1.2.3.tgz
    • ❌ serialize-javascript-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2019-12-05

Fix Resolution (serialize-javascript): 2.1.1

Direct dependency fix Resolution (webpack): 4.30.0

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/node-gyp/node_modules/tar/package.json

Dependency Hierarchy:

• node-sass-4.11.0.tgz (Root Library)
  • node-gyp-3.8.0.tgz
    • ❌ tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-04-30

Fix Resolution (tar): 2.2.2

Direct dependency fix Resolution (node-sass): 4.12.0

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/findup-sync/node_modules/kind-of/package.json

Dependency Hierarchy:

• webpack-4.29.6.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (webpack): 4.30.0

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.

Publish Date: 2019-11-06

URL: CVE-2019-18797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-18797

Release Date: 2019-11-06

Fix Resolution: 4.14.0

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/EcommEasy/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /EcommEasy/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 3c0d897272148efa0443f36085393d6aa403f4b1

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Libraries - jquery-2.1.4.min.js, jquery-1.7.1.min.js

Found in HEAD commit: 3c0d897272148efa0443f36085393d6aa403f4b1

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Libraries - jquery-2.1.4.min.js, jquery-1.7.1.min.js

Found in HEAD commit: 3c0d897272148efa0443f36085393d6aa403f4b1

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-03

URL: CVE-2018-19797

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-03

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - handlebars-4.1.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

• ❌ handlebars-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-w457-6q6x-cgp9

Release Date: 2019-12-20

Fix Resolution: 4.3.0

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-05-26

Fix Resolution: 4.14.0

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().

Publish Date: 2018-12-04

URL: CVE-2018-19838

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-04

Fix Resolution: 4.14.0

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20821

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-04-23

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: 4.14.0

Vulnerable Library - node-sassv4.12.0

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Found in base branch: master

Vulnerable Source Files (1)

/node_modules/node-sass/src/libsass/src/inspect.cpp

Vulnerability Details

** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.

Publish Date: 2018-12-03

URL: CVE-2018-19826

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-12-03

URL: CVE-2018-19827

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-03

Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6

Vulnerable Library - serialize-javascript-1.6.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.6.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• webpack-4.29.6.tgz (Root Library)
  • terser-webpack-plugin-1.2.3.tgz
    • ❌ serialize-javascript-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-08

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (webpack): 4.30.0

Vulnerable Library - js-yaml-3.13.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.0.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy:

• eslint-5.15.3.tgz (Root Library)
  • ❌ js-yaml-3.13.0.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (eslint): 5.16.0

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/mixin-deep/package.json

Dependency Hierarchy:

• lint-staged-7.3.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (lint-staged): 8.0.0

Vulnerable Library - helmet-csp-2.7.1.tgz

Content Security Policy middleware.

Library home page: https://registry.npmjs.org/helmet-csp/-/helmet-csp-2.7.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/helmet-csp/package.json

Dependency Hierarchy:

• helmet-3.16.0.tgz (Root Library)
  • ❌ helmet-csp-2.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

Helmet-csp before 2.9.1 is vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting.

Publish Date: 2019-11-18

URL: WS-2019-0289

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1176

Release Date: 2019-11-18

Fix Resolution (helmet-csp): 2.9.1

Direct dependency fix Resolution (helmet): 3.21.0

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /tmp/git/EcommEasy/node_modules/node-gyp/node_modules/tar/package.json

Dependency Hierarchy:

• node-sass-4.11.0.tgz (Root Library)
  • node-gyp-3.8.0.tgz
    • ❌ tar-2.2.1.tgz (Vulnerable Library)

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - node-sassv4.12.0

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Library Source Files (125)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /EcommEasy/node_modules/node-sass/src/libsass/src/expand.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/utf8/unchecked.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/output.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass_values.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/util.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/emitter.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/lexer.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/test/test_node.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/plugins.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/include/sass/base.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/position.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/operation.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /EcommEasy/node_modules/node-sass/src/custom_importer_bridge.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/contrib/plugin.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/functions.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/test/test_superselector.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/eval.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/utf8_string.hpp
• /EcommEasy/node_modules/node-sass/src/sass_context_wrapper.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/node.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/parser.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/subset_map.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/emitter.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/listize.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/ast.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass_functions.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/memory/SharedPtr.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/output.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/check_nesting.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/functions.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/cssize.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/paths.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/inspect.hpp
• /EcommEasy/node_modules/node-sass/src/sass_types/color.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/test/test_unification.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/values.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass_util.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/source_map.hpp
• /EcommEasy/node_modules/node-sass/src/sass_types/list.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/check_nesting.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/json.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/units.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/units.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/context.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/utf8/checked.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/listize.hpp
• /EcommEasy/node_modules/node-sass/src/sass_types/string.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/context.hpp
• /EcommEasy/node_modules/node-sass/src/sass_types/boolean.h
• /EcommEasy/node_modules/node-sass/src/libsass/include/sass2scss.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/eval.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/expand.cpp
• /EcommEasy/node_modules/node-sass/src/sass_types/factory.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/operators.cpp
• /EcommEasy/node_modules/node-sass/src/sass_types/boolean.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/source_map.cpp
• /EcommEasy/node_modules/node-sass/src/sass_types/value.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/utf8_string.cpp
• /EcommEasy/node_modules/node-sass/src/callback_bridge.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/file.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/node.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/environment.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/extend.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/operators.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/constants.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/ast_fwd_decl.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/parser.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/constants.cpp
• /EcommEasy/node_modules/node-sass/src/sass_types/list.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/cssize.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/include/sass/functions.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/util.cpp
• /EcommEasy/node_modules/node-sass/src/custom_function_bridge.cpp
• /EcommEasy/node_modules/node-sass/src/custom_importer_bridge.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/bind.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/inspect.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass_functions.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/backtrace.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/extend.cpp
• /EcommEasy/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/debugger.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/cencode.c
• /EcommEasy/node_modules/node-sass/src/libsass/src/base64vlq.cpp
• /EcommEasy/node_modules/node-sass/src/sass_types/number.cpp
• /EcommEasy/node_modules/node-sass/src/sass_types/color.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/c99func.c
• /EcommEasy/node_modules/node-sass/src/libsass/src/position.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/include/sass/values.h
• /EcommEasy/node_modules/node-sass/src/libsass/test/test_subset_map.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /EcommEasy/node_modules/node-sass/src/sass_types/null.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/ast.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/include/sass/context.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/to_c.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/to_value.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /EcommEasy/node_modules/node-sass/src/sass_context_wrapper.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/script/test-leaks.pl
• /EcommEasy/node_modules/node-sass/src/libsass/src/lexer.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/memory/SharedPtr.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/to_c.hpp
• /EcommEasy/node_modules/node-sass/src/sass_types/map.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/to_value.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/b64/encode.h
• /EcommEasy/node_modules/node-sass/src/libsass/src/file.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/environment.hpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/plugins.hpp
• /EcommEasy/node_modules/node-sass/src/binding.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /EcommEasy/node_modules/node-sass/src/libsass/src/debug.hpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11693

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - handlebars-4.1.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: EcommEasy/node_modules/handlebars/package.json

Dependency Hierarchy:

• ❌ handlebars-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: d7e1beaffcf754d014368f5d34e44436f98900a6

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.

Publish Date: 2019-11-17

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /tmp/git/EcommEasy/node_modules/braces/package.json

Dependency Hierarchy:

• babel-cli-6.26.0.tgz (Root Library)
  • chokidar-1.7.0.tgz
    • anymatch-1.3.2.tgz
      • micromatch-2.3.11.tgz
        • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Library - handlebars-4.1.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

• ❌ handlebars-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/

Release Date: 2019-01-30

Fix Resolution: 4.1.2-0

Vulnerable Library - node-sassv4.12.0

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerable Source Files (1)

/node_modules/node-sass/src/libsass/src/sass_context.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: node-sass - 3.6.0

Vulnerable Library - lodash.mergewith-4.6.1.tgz

The Lodash method `_.mergeWith` exported as a module.

Library home page: https://registry.npmjs.org/lodash.mergewith/-/lodash.mergewith-4.6.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/lodash.mergewith/package.json

Dependency Hierarchy:

• node-sass-4.11.0.tgz (Root Library)
  • ❌ lodash.mergewith-4.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

lodash.mergewith before 4.6.2 is vulnerable to prototype pollution. The function mergeWith() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2019-08-14

URL: WS-2019-0180

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1071

Release Date: 2019-08-14

Fix Resolution (lodash.mergewith): 4.6.2

Direct dependency fix Resolution (node-sass): 4.12.0

Vulnerable Library - handlebars-4.1.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: EcommEasy/node_modules/handlebars/package.json

Dependency Hierarchy:

• ❌ handlebars-4.1.1.tgz (Vulnerable Library)

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution: handlebars - 3.0.8,4.5.3

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6283

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-14

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Vulnerable Library - handlebars-4.1.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: EcommEasy/node_modules/handlebars/package.json

Dependency Hierarchy:

• ❌ handlebars-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: d7e1beaffcf754d014368f5d34e44436f98900a6

Vulnerability Details

In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possbile to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.

Publish Date: 2019-11-18

URL: WS-2019-0333

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3

Vulnerable Library - handlebars-4.1.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.1.tgz

Path to dependency file: /tmp/ws-scm/EcommEasy/package.json

Path to vulnerable library: /EcommEasy/node_modules/handlebars/package.json

Dependency Hierarchy:

• ❌ handlebars-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: a0d5f99e18f7b5ec46e8749ab361695f5f2353e9

Vulnerability Details

handlebars before 4.3.0 is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-10-06

URL: WS-2019-0291

CVSS 2 Score Details (7.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-10-06

Fix Resolution: 4.3.0

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-17

Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: EcommEasy/node_modules/node-sass/package.json

Dependency Hierarchy:

• ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Vulnerability Details

An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: sass/libsass#2664

Release Date: 2018-06-04

Fix Resolution: Libsass:3.5.3, Node-sass:4.9.0

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6284

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-6284

Release Date: 2019-01-14

Fix Resolution: 5.0.0

Vulnerable Library - handlebars-4.1.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.1.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: EcommEasy/node_modules/handlebars/package.json

Dependency Hierarchy:

• ❌ handlebars-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: d7e1beaffcf754d014368f5d34e44436f98900a6

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-13

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.2

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /EcommEasy/package.json

Path to vulnerable library: /node_modules/fstream/package.json

Dependency Hierarchy:

• node-sass-4.11.0.tgz (Root Library)
  • node-gyp-3.8.0.tgz
    • ❌ fstream-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2019-07-02

Fix Resolution (fstream): 1.0.12

Direct dependency fix Resolution (node-sass): 4.12.0

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20822

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-04-23

Fix Resolution: 4.13.1

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sassv4.12.0

Found in HEAD commit: 363b3c5c1efcb2a7265f2d259bed12d00efb92c4

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-23

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105