Giter Site home page Giter Site logo

kalskiman / gentelella Goto Github PK

View Code? Open in Web Editor NEW

This project forked from colorlibhq/gentelella

0.0 0.0 0.0 36.48 MB

Free Bootstrap 4 Admin Dashboard Template

Home Page: https://colorlib.com/polygon/gentelella/index.html

License: MIT License

HTML 63.72% CSS 17.42% JavaScript 18.86%

gentelella's People

Contributors

abdullahalimam avatar afourmy avatar amutisya avatar andreicn avatar britneywright avatar brunowego avatar chiu0602 avatar christianesperar avatar cmbirk avatar cquanu avatar cristianraiber avatar danatkinson avatar ernaniaz avatar ezequias avatar gauravmak avatar girib avatar krzysiekpiasecki avatar laggingreflex avatar mortezakarimi avatar mostafahussein avatar nicksonyap avatar ousamabenyounes avatar puikinsh avatar raxraj avatar selimgnaoui avatar simonhausdorf avatar sunnykushwahasublimedatasys avatar thomaslwq avatar weitjong avatar william-h-m avatar

Watchers

avatar

gentelella's Issues

CVE-2018-14040 (Medium) detected in multiple libraries

CVE-2018-14040 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.3.5.min.js, bootstrap.3.3.0.nupkg, bootstrap-3.3.6.min.js, bootstrap-3.3.1.min.js, bootstrap-4.1.0.min.js

bootstrap-3.3.5.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Path to vulnerable library: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Dependency Hierarchy:

  • bootstrap-3.3.5.min.js (Vulnerable Library)
bootstrap.3.3.0.nupkg

Sleek, intuitive, and powerful mobile first front-end framework for faster and easier web developmen...

Library home page: https://api.nuget.org/packages/bootstrap.3.3.0.nupkg

Path to dependency file: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Path to vulnerable library: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Dependency Hierarchy:

  • bootstrap.3.3.0.nupkg (Vulnerable Library)
bootstrap-3.3.6.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.min.js

Path to dependency file: /docs/index.html

Path to vulnerable library: /docs/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.6.min.js (Vulnerable Library)
bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Dependency Hierarchy:

  • bootstrap-3.3.1.min.js (Vulnerable Library)
bootstrap-4.1.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.0/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-daterangepicker/website/index.html

Path to vulnerable library: /vendors/bootstrap-daterangepicker/website/index.html

Dependency Hierarchy:

  • bootstrap-4.1.0.min.js (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

Step up your Open Source Security Game with Mend here

CVE-2014-10064 (High) detected in multiple libraries

CVE-2014-10064 - High Severity Vulnerability

Vulnerable Libraries - qs-0.5.6.tgz, qs-0.6.5.tgz, qs-0.1.0.tgz, qs-0.6.6.tgz

qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /vendors/switchery/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • tiny-lr-0.0.4.tgz
      • qs-0.5.6.tgz (Vulnerable Library)
qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz

Path to dependency file: /vendors/transitionize/package.json

Path to vulnerable library: /vendors/transitionize/node_modules/qs/package.json,/vendors/transitionize/node_modules/qs/package.json

Dependency Hierarchy:

  • component-1.1.0.tgz (Root Library)
    • superagent-0.17.0.tgz
      • qs-0.6.5.tgz (Vulnerable Library)
qs-0.1.0.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.1.0.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/select2/node_modules/q-io/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-gh-pages-0.9.1.tgz (Root Library)
    • q-io-1.6.5.tgz
      • qs-0.1.0.tgz (Vulnerable Library)
qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/DateJS/node_modules/connect/node_modules/qs/package.json,/vendors/DateJS/node_modules/connect/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-connect-0.7.1.tgz (Root Library)
    • connect-2.13.1.tgz
      • qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-05-31

URL: CVE-2014-10064

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10064

Release Date: 2018-05-31

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-gh-pages): 3.1.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-contrib-connect): 0.9.0

Step up your Open Source Security Game with Mend here

WS-2019-0063 (High) detected in multiple libraries

WS-2019-0063 - High Severity Vulnerability

Vulnerable Libraries - js-yaml-3.7.0.tgz, js-yaml-2.0.5.tgz, js-yaml-3.6.1.tgz, js-yaml-2.1.3.tgz, js-yaml-3.4.6.tgz, js-yaml-3.12.1.tgz

js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /vendors/animate.css/package.json

Path to vulnerable library: /vendors/animate.css/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • gulp-cssnano-2.1.3.tgz (Root Library)
    • cssnano-3.10.0.tgz
      • postcss-svgo-2.1.6.tgz
        • svgo-0.7.2.tgz
          • js-yaml-3.7.0.tgz (Vulnerable Library)
js-yaml-2.0.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.0.5.tgz

Path to dependency file: /vendors/bootstrap-wysiwyg/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • js-yaml-2.0.5.tgz (Vulnerable Library)
js-yaml-3.6.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/coveralls/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • coveralls-2.13.3.tgz (Root Library)
    • js-yaml-3.6.1.tgz (Vulnerable Library)
js-yaml-2.1.3.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.1.3.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/assemble-yaml/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • assemble-yaml-0.2.1.tgz
      • js-yaml-2.1.3.tgz (Vulnerable Library)
js-yaml-3.4.6.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.4.6.tgz

Path to dependency file: /vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/jscs/node_modules/js-yaml/package.json,/vendors/bootstrap-datetimepicker/node_modules/jscs/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • gulp-jscs-3.0.2.tgz (Root Library)
    • jscs-2.11.0.tgz
      • js-yaml-3.4.6.tgz (Vulnerable Library)
js-yaml-3.12.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • coveralls-3.0.2.tgz (Root Library)
    • js-yaml-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (grunt): 1.0.4

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (coveralls): 3.0.0

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (coveralls): 3.0.3

Step up your Open Source Security Game with Mend here

CVE-2014-7191 (Medium) detected in multiple libraries

CVE-2014-7191 - Medium Severity Vulnerability

Vulnerable Libraries - qs-0.5.6.tgz, qs-0.6.5.tgz, qs-0.1.0.tgz, qs-0.6.6.tgz

qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /vendors/switchery/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • tiny-lr-0.0.4.tgz
      • qs-0.5.6.tgz (Vulnerable Library)
qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz

Path to dependency file: /vendors/transitionize/package.json

Path to vulnerable library: /vendors/transitionize/node_modules/qs/package.json,/vendors/transitionize/node_modules/qs/package.json

Dependency Hierarchy:

  • component-1.1.0.tgz (Root Library)
    • superagent-0.17.0.tgz
      • qs-0.6.5.tgz (Vulnerable Library)
qs-0.1.0.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.1.0.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/select2/node_modules/q-io/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-gh-pages-0.9.1.tgz (Root Library)
    • q-io-1.6.5.tgz
      • qs-0.1.0.tgz (Vulnerable Library)
qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/DateJS/node_modules/connect/node_modules/qs/package.json,/vendors/DateJS/node_modules/connect/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-connect-0.7.1.tgz (Root Library)
    • connect-2.13.1.tgz
      • qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19

URL: CVE-2014-7191

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191

Release Date: 2014-10-19

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-gh-pages): 3.1.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-contrib-connect): 0.9.0

Step up your Open Source Security Game with Mend here

CVE-2015-8855 (High) detected in multiple libraries

CVE-2015-8855 - High Severity Vulnerability

Vulnerable Libraries - semver-2.3.2.tgz, semver-3.0.1.tgz, semver-4.1.0.tgz, semver-1.0.14.tgz, semver-2.1.0.tgz, semver-2.2.1.tgz

semver-2.3.2.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-2.3.2.tgz

Path to dependency file: /vendors/switchery/package.json

Path to vulnerable library: /vendors/morris.js/node_modules/update-notifier/node_modules/semver/package.json,/vendors/morris.js/node_modules/update-notifier/node_modules/semver/package.json,/vendors/morris.js/node_modules/update-notifier/node_modules/semver/package.json,/vendors/morris.js/node_modules/update-notifier/node_modules/semver/package.json,/vendors/morris.js/node_modules/update-notifier/node_modules/semver/package.json

Dependency Hierarchy:

  • gulp-3.5.6.tgz (Root Library)
    • semver-2.3.2.tgz (Vulnerable Library)
semver-3.0.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-3.0.1.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/semver/package.json

Dependency Hierarchy:

  • semver-3.0.1.tgz (Vulnerable Library)
semver-4.1.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-4.1.0.tgz

Path to dependency file: /vendors/switchery/package.json

Path to vulnerable library: /vendors/switchery/node_modules/spacejam/node_modules/semver/package.json

Dependency Hierarchy:

  • spacejam-1.6.1.tgz (Root Library)
    • semver-4.1.0.tgz (Vulnerable Library)
semver-1.0.14.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-1.0.14.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/grunt-lib-phantomjs/node_modules/semver/package.json,/vendors/jqvmap/node_modules/grunt-lib-phantomjs/node_modules/semver/package.json,/vendors/jqvmap/node_modules/grunt-lib-phantomjs/node_modules/semver/package.json

Dependency Hierarchy:

  • grunt-contrib-jasmine-0.8.2.tgz (Root Library)
    • grunt-lib-phantomjs-0.6.0.tgz
      • semver-1.0.14.tgz (Vulnerable Library)
semver-2.1.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-2.1.0.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/morris.js/node_modules/semver/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • semver-2.1.0.tgz (Vulnerable Library)
semver-2.2.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-2.2.1.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/gulp/node_modules/semver/package.json

Dependency Hierarchy:

  • grunt-gulp-0.1.0.tgz (Root Library)
    • gulp-3.2.5.tgz
      • semver-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8855

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8855

Release Date: 2017-01-23

Fix Resolution (semver): 4.3.2

Direct dependency fix Resolution (gulp): 3.8.10

Fix Resolution (semver): 4.3.2

Direct dependency fix Resolution (grunt-contrib-jasmine): 0.9.0

Fix Resolution (semver): 4.3.2

Direct dependency fix Resolution (bower): 1.5.0

Fix Resolution (semver): 4.3.2

Direct dependency fix Resolution (grunt-gulp): 1.0.0

Step up your Open Source Security Game with Mend here

CVE-2018-19838 (Medium) detected in multiple libraries

CVE-2018-19838 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sass-3.13.1.tgz, opennmsopennms-source-22.0.1-1, libsass3.3.6

node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Vulnerable Library)
node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().

Publish Date: 2018-12-04

URL: CVE-2018-19838

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-04

Fix Resolution: 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2018-20676 (Medium) detected in multiple libraries

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.3.5.min.js, bootstrap.3.3.0.nupkg, bootstrap-3.3.6.min.js, bootstrap-3.3.1.min.js

bootstrap-3.3.5.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Path to vulnerable library: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Dependency Hierarchy:

  • bootstrap-3.3.5.min.js (Vulnerable Library)
bootstrap.3.3.0.nupkg

Sleek, intuitive, and powerful mobile first front-end framework for faster and easier web developmen...

Library home page: https://api.nuget.org/packages/bootstrap.3.3.0.nupkg

Path to dependency file: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Path to vulnerable library: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Dependency Hierarchy:

  • bootstrap.3.3.0.nupkg (Vulnerable Library)
bootstrap-3.3.6.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.min.js

Path to dependency file: /docs/index.html

Path to vulnerable library: /docs/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.6.min.js (Vulnerable Library)
bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Dependency Hierarchy:

  • bootstrap-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

Step up your Open Source Security Game with Mend here

WS-2014-0005 (High) detected in multiple libraries

WS-2014-0005 - High Severity Vulnerability

Vulnerable Libraries - qs-0.5.6.tgz, qs-0.6.5.tgz, qs-0.1.0.tgz, qs-0.6.6.tgz

qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /vendors/switchery/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • tiny-lr-0.0.4.tgz
      • qs-0.5.6.tgz (Vulnerable Library)
qs-0.6.5.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz

Path to dependency file: /vendors/transitionize/package.json

Path to vulnerable library: /vendors/transitionize/node_modules/qs/package.json,/vendors/transitionize/node_modules/qs/package.json

Dependency Hierarchy:

  • component-1.1.0.tgz (Root Library)
    • superagent-0.17.0.tgz
      • qs-0.6.5.tgz (Vulnerable Library)
qs-0.1.0.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.1.0.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/select2/node_modules/q-io/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-gh-pages-0.9.1.tgz (Root Library)
    • q-io-1.6.5.tgz
      • qs-0.1.0.tgz (Vulnerable Library)
qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/DateJS/node_modules/connect/node_modules/qs/package.json,/vendors/DateJS/node_modules/connect/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-connect-0.7.1.tgz (Root Library)
    • connect-2.13.1.tgz
      • qs-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time

Publish Date: 2014-07-31

URL: WS-2014-0005

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2014-0005

Release Date: 2014-07-31

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-gh-pages): 3.1.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-contrib-connect): 0.9.0

Step up your Open Source Security Game with Mend here

CVE-2017-15010 (High) detected in tough-cookie-2.2.2.tgz, tough-cookie-0.12.1.tgz

CVE-2017-15010 - High Severity Vulnerability

Vulnerable Libraries - tough-cookie-2.2.2.tgz, tough-cookie-0.12.1.tgz

tough-cookie-2.2.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/tough-cookie/package.json,/vendors/jqvmap/node_modules/tough-cookie/package.json,/vendors/jqvmap/node_modules/tough-cookie/package.json,/vendors/jqvmap/node_modules/tough-cookie/package.json,/vendors/jqvmap/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • grunt-lib-phantomjs-0.7.1.tgz
      • phantomjs-1.9.20.tgz
        • request-2.67.0.tgz
          • tough-cookie-2.2.2.tgz (Vulnerable Library)
tough-cookie-0.12.1.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-0.12.1.tgz

Path to dependency file: /vendors/flot/flot-2.1.3/package/package.json

Path to vulnerable library: /vendors/flot/flot-2.1.3/package/node_modules/insight/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • karma-jasmine-jquery-0.1.1.tgz (Root Library)
    • bower-installer-0.8.4.tgz
      • bower-1.3.12.tgz
        • insight-0.4.3.tgz
          • tough-cookie-0.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010

Release Date: 2017-10-04

Fix Resolution (tough-cookie): 2.3.3

Direct dependency fix Resolution (grunt-mocha): 1.0.2

Step up your Open Source Security Game with Mend here

WS-2016-0036 (High) detected in cli-0.4.3.tgz, cli-0.6.6.tgz

WS-2016-0036 - High Severity Vulnerability

Vulnerable Libraries - cli-0.4.3.tgz, cli-0.6.6.tgz

cli-0.4.3.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.4.3.tgz

Path to dependency file: /vendors/Flot/package.json

Path to vulnerable library: /vendors/Flot/node_modules/cli/package.json

Dependency Hierarchy:

  • jshint-0.9.1.tgz (Root Library)
    • cli-0.4.3.tgz (Vulnerable Library)
cli-0.6.6.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.6.6.tgz

Path to dependency file: /vendors/jszip/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/cli/package.json,/vendors/bootstrap-wysiwyg/node_modules/cli/package.json,/vendors/bootstrap-wysiwyg/node_modules/cli/package.json,/vendors/bootstrap-wysiwyg/node_modules/cli/package.json

Dependency Hierarchy:

  • jshint-2.8.0.tgz (Root Library)
    • cli-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

The package node-cli insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2016-08-16

URL: WS-2016-0036

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2016-08-16

Fix Resolution (cli): 1.0.0

Direct dependency fix Resolution (jshint): 2.9.3

Fix Resolution (cli): 1.0.0

Direct dependency fix Resolution (jshint): 2.9.3

Step up your Open Source Security Game with Mend here

CVE-2018-11698 (High) detected in multiple libraries

CVE-2018-11698 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sass-3.13.1.tgz, opennmsopennms-source-22.0.1-1, libsass3.3.6

node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Vulnerable Library)
node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2018-16487 (Medium) detected in multiple libraries

CVE-2018-16487 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-1.2.1.tgz, lodash-1.3.1.tgz, lodash-3.10.1.tgz, lodash-3.7.0.tgz, lodash-2.4.2.tgz, lodash-2.2.1.tgz, lodash-4.6.1.tgz, lodash-1.0.2.tgz, lodash-4.0.1.tgz, lodash-3.2.0.tgz, lodash-0.9.2.tgz

lodash-1.2.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.2.1.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/morris.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • inquirer-0.3.5.tgz
      • lodash-1.2.1.tgz (Vulnerable Library)
lodash-1.3.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.3.1.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/resolve-dep/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • resolve-dep-0.1.3.tgz
      • lodash-1.3.1.tgz (Vulnerable Library)
lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /vendors/cropper/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-0.12.37.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)
lodash-3.7.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Path to dependency file: /vendors/bootstrap-wysiwyg/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/jshint/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • jshint-2.8.0.tgz (Root Library)
    • lodash-3.7.0.tgz (Vulnerable Library)
lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-jasmine-0.8.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)
lodash-2.2.1.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.2.1.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/sort-object/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • assemble-yaml-0.2.1.tgz
      • sort-object-0.0.4.tgz
        • lodash-2.2.1.tgz (Vulnerable Library)
lodash-4.6.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.6.1.tgz

Path to dependency file: /vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/grunt-jscs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-jscs-3.0.1.tgz (Root Library)
    • lodash-4.6.1.tgz (Vulnerable Library)
lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • gaze-0.4.3.tgz
      • globule-0.1.0.tgz
        • lodash-1.0.2.tgz (Vulnerable Library)
lodash-4.0.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.0.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/select2/node_modules/grunt-saucelabs/node_modules/lodash/package.json,/vendors/select2/node_modules/grunt-saucelabs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-saucelabs-8.6.3.tgz (Root Library)
    • lodash-4.0.1.tgz (Vulnerable Library)
lodash-3.2.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/grunt-contrib-uglify/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-uglify-0.10.1.tgz (Root Library)
    • lodash-3.2.0.tgz (Vulnerable Library)
lodash-0.9.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-0.9.2.tgz

Path to dependency file: /vendors/jszip/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • lodash-0.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (bower): 1.7.5

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (karma): 2.0.0

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (jshint): 2.9.6

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-contrib-jasmine): 2.0.3

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.1

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-contrib-uglify): 0.11.1

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt): 1.0.3

Step up your Open Source Security Game with Mend here

CVE-2019-10744 (High) detected in multiple libraries

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash.template-3.6.2.tgz, lodash-1.2.1.tgz, lodash-1.3.1.tgz, lodash.mergewith-4.6.1.tgz, lodash-3.10.1.tgz, lodash-3.7.0.tgz, lodash-2.4.2.tgz, lodash-2.2.1.tgz, lodash-4.6.1.tgz, lodash-1.0.2.tgz, lodash-4.17.11.tgz, lodash-4.0.1.tgz, lodash-3.2.0.tgz, lodash-0.9.2.tgz

lodash.template-3.6.2.tgz

The modern build of lodash’s `_.template` as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz

Path to dependency file: /vendors/bootstrap-progressbar/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/lodash.template/package.json,/vendors/Chart.js/node_modules/lodash.template/package.json,/vendors/Chart.js/node_modules/lodash.template/package.json,/vendors/Chart.js/node_modules/lodash.template/package.json,/vendors/Chart.js/node_modules/lodash.template/package.json,/vendors/Chart.js/node_modules/lodash.template/package.json

Dependency Hierarchy:

  • gulp-less-1.3.9.tgz (Root Library)
    • gulp-util-3.0.8.tgz
      • lodash.template-3.6.2.tgz (Vulnerable Library)
lodash-1.2.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.2.1.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/morris.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • inquirer-0.3.5.tgz
      • lodash-1.2.1.tgz (Vulnerable Library)
lodash-1.3.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.3.1.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/resolve-dep/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • resolve-dep-0.1.3.tgz
      • lodash-1.3.1.tgz (Vulnerable Library)
lodash.mergewith-4.6.1.tgz

The Lodash method `_.mergeWith` exported as a module.

Library home page: https://registry.npmjs.org/lodash.mergewith/-/lodash.mergewith-4.6.1.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/lodash.mergewith/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Root Library)
    • lodash.mergewith-4.6.1.tgz (Vulnerable Library)
lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /vendors/cropper/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-0.12.37.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)
lodash-3.7.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Path to dependency file: /vendors/bootstrap-wysiwyg/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/jshint/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • jshint-2.8.0.tgz (Root Library)
    • lodash-3.7.0.tgz (Vulnerable Library)
lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-jasmine-0.8.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)
lodash-2.2.1.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.2.1.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/sort-object/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • assemble-yaml-0.2.1.tgz
      • sort-object-0.0.4.tgz
        • lodash-2.2.1.tgz (Vulnerable Library)
lodash-4.6.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.6.1.tgz

Path to dependency file: /vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/grunt-jscs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-jscs-3.0.1.tgz (Root Library)
    • lodash-4.6.1.tgz (Vulnerable Library)
lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • gaze-0.4.3.tgz
      • globule-0.1.0.tgz
        • lodash-1.0.2.tgz (Vulnerable Library)
lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-7.2.3.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)
lodash-4.0.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.0.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/select2/node_modules/grunt-saucelabs/node_modules/lodash/package.json,/vendors/select2/node_modules/grunt-saucelabs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-saucelabs-8.6.3.tgz (Root Library)
    • lodash-4.0.1.tgz (Vulnerable Library)
lodash-3.2.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/grunt-contrib-uglify/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-uglify-0.10.1.tgz (Root Library)
    • lodash-3.2.0.tgz (Vulnerable Library)
lodash-0.9.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-0.9.2.tgz

Path to dependency file: /vendors/jszip/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • lodash-0.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (gulp-less): 3.4.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (bower): 1.7.5

Fix Resolution (lodash.mergewith): 4.6.2

Direct dependency fix Resolution (node-sass): 4.12.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (karma): 2.0.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (jshint): 2.9.6

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (grunt-contrib-jasmine): 2.0.3

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.1

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (@babel/cli): 7.4.3

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (grunt-contrib-uglify): 0.11.1

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (grunt): 1.0.3

Step up your Open Source Security Game with Mend here

CVE-2018-14041 (Medium) detected in bootstrap-4.1.0.min.js

CVE-2018-14041 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-4.1.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.0/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-daterangepicker/website/index.html

Path to vulnerable library: /vendors/bootstrap-daterangepicker/website/index.html

Dependency Hierarchy:

  • bootstrap-4.1.0.min.js (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

Publish Date: 2018-07-13

URL: CVE-2018-14041

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:4.1.2

Step up your Open Source Security Game with Mend here

WS-2017-0236 (Medium) detected in growl-1.8.1.tgz - autoclosed

WS-2017-0236 - Medium Severity Vulnerability

Vulnerable Library - growl-1.8.1.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.8.1.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/morris.js/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/morris.js/node_modules/growl/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • mocha-1.21.5.tgz
      • growl-1.8.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Affected versions of the package are vulnerable to Arbitrary Code Injection.

Publish Date: 2016-09-05

URL: WS-2017-0236

CVSS 2 Score Details (5.6)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: tj/node-growl@d9f6ea2

Release Date: 2016-09-05

Fix Resolution: Replace or update the following files: package.json, growl.js

Step up your Open Source Security Game with WhiteSource here

WS-2020-0070 (High) detected in multiple libraries - autoclosed

WS-2020-0070 - High Severity Vulnerability

Vulnerable Libraries - lodash-1.2.1.tgz, lodash-1.3.1.tgz, lodash-3.10.1.tgz, lodash-3.7.0.tgz, lodash-2.4.2.tgz, lodash-2.2.1.tgz, lodash-4.6.1.tgz, lodash-1.0.2.tgz, lodash-4.17.11.tgz, lodash-4.0.1.tgz, lodash-3.2.0.tgz, lodash-4.17.15.tgz, lodash-0.9.2.tgz

lodash-1.2.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.2.1.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/morris.js/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/morris.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • inquirer-0.3.5.tgz
      • lodash-1.2.1.tgz (Vulnerable Library)
lodash-1.3.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.3.1.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/resolve-dep/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • resolve-dep-0.1.3.tgz
      • lodash-1.3.1.tgz (Vulnerable Library)
lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/cropper/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-1.7.1.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)
lodash-3.7.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • jshint-2.8.0.tgz (Root Library)
    • lodash-3.7.0.tgz (Vulnerable Library)
lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.6.1.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)
lodash-2.2.1.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.2.1.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/sort-object/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • assemble-yaml-0.2.1.tgz
      • sort-object-0.0.4.tgz
        • lodash-2.2.1.tgz (Vulnerable Library)
lodash-4.6.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.6.1.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/bootstrap-datetimepicker/node_modules/grunt-jscs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-jscs-3.0.1.tgz (Root Library)
    • lodash-4.6.1.tgz (Vulnerable Library)
lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/Chart.js/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • gaze-0.5.2.tgz (Root Library)
    • globule-0.1.0.tgz
      • lodash-1.0.2.tgz (Vulnerable Library)
lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/bootstrap/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/bootstrap/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-7.2.3.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)
lodash-4.0.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.0.1.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/select2/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/select2/node_modules/grunt-saucelabs/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/select2/node_modules/grunt-saucelabs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-saucelabs-8.6.3.tgz (Root Library)
    • lodash-4.0.1.tgz (Vulnerable Library)
lodash-3.2.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/jqvmap/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/jqvmap/node_modules/grunt-contrib-uglify/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-uglify-0.10.1.tgz (Root Library)
    • lodash-3.2.0.tgz (Vulnerable Library)
lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-ua_20200529074747_DVXLIQ/archiveExtraction_FGLLEN/20200529074747/ws-scm_depth_0/gentelella/vendors/flot/flot-2.1.3/package/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/Chart.js/node_modules/karma-browserify/node_modules/lodash/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)
lodash-0.9.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-0.9.2.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/jszip/package.json

Path to vulnerable library: /tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • lodash-0.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2019-3820 (Medium) detected in jquery-3.3.1.tgz, jquery-2.2.4.tgz - autoclosed

CVE-2019-3820 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-3.3.1.tgz, jquery-2.2.4.tgz

jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/bootstrap/package.json

Path to vulnerable library: /gentelella/vendors/bootstrap/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.3.1.tgz (Vulnerable Library)
jquery-2.2.4.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz

Path to dependency file: /tmp/ws-scm/gentelella/vendors/Chart.js/package.json

Path to vulnerable library: /gentelella/vendors/Chart.js/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-2.2.4.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard shortcuts, and potentially other actions.

Publish Date: 2019-02-06

URL: CVE-2019-3820

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Physical
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://gitlab.gnome.org/GNOME/gnome-shell/issues/851

Release Date: 2019-02-06

Fix Resolution: 3.15.91

Step up your Open Source Security Game with WhiteSource here

WS-2016-0075 (Medium) detected in multiple libraries

WS-2016-0075 - Medium Severity Vulnerability

Vulnerable Libraries - moment-2.13.0.min.js, moment.js.2.9.0.nupkg, moment-2.0.0.tgz

moment-2.13.0.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js

Path to dependency file: /production/calendar.html

Path to vulnerable library: /production/../vendors/moment/min/moment.min.js

Dependency Hierarchy:

  • moment-2.13.0.min.js (Vulnerable Library)
moment.js.2.9.0.nupkg

A lightweight javascript date library for parsing, manipulating, and formatting dates.

Library home page: https://api.nuget.org/packages/moment.js.2.9.0.nupkg

Path to dependency file: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Path to vulnerable library: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec,/vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.nuspec

Dependency Hierarchy:

  • moment.js.2.9.0.nupkg (Vulnerable Library)
moment-2.0.0.tgz

Parse, manipulate, and display dates.

Library home page: https://registry.npmjs.org/moment/-/moment-2.0.0.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/moment/package.json

Dependency Hierarchy:

  • grunt-changelog-0.2.2.tgz (Root Library)
    • moment-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Regular expression denial of service vulnerability in the moment package, by using a specific 40 characters long string in the "format" method.

Publish Date: 2016-10-24

URL: WS-2016-0075

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2016-10-24

Fix Resolution: moment - 2.15.2

Step up your Open Source Security Game with Mend here

CVE-2018-11499 (High) detected in multiple libraries

CVE-2018-11499 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sass-3.13.1.tgz, opennmsopennms-source-22.0.1-1, proyector-movilproyector-movil-windows

node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Vulnerable Library)
node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-05-26

Fix Resolution: 4.14.0

Step up your Open Source Security Game with Mend here

CVE-2018-20677 (Medium) detected in multiple libraries

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.3.5.min.js, bootstrap.3.3.0.nupkg, bootstrap-3.3.6.min.js, bootstrap-3.3.1.min.js

bootstrap-3.3.5.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Path to vulnerable library: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Dependency Hierarchy:

  • bootstrap-3.3.5.min.js (Vulnerable Library)
bootstrap.3.3.0.nupkg

Sleek, intuitive, and powerful mobile first front-end framework for faster and easier web developmen...

Library home page: https://api.nuget.org/packages/bootstrap.3.3.0.nupkg

Path to dependency file: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Path to vulnerable library: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Dependency Hierarchy:

  • bootstrap.3.3.0.nupkg (Vulnerable Library)
bootstrap-3.3.6.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.min.js

Path to dependency file: /docs/index.html

Path to vulnerable library: /docs/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.6.min.js (Vulnerable Library)
bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Dependency Hierarchy:

  • bootstrap-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

Step up your Open Source Security Game with Mend here

WS-2019-0032 (High) detected in multiple libraries

WS-2019-0032 - High Severity Vulnerability

Vulnerable Libraries - js-yaml-3.7.0.tgz, js-yaml-2.0.5.tgz, js-yaml-3.6.1.tgz, js-yaml-2.1.3.tgz, js-yaml-3.4.6.tgz, js-yaml-3.12.1.tgz

js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /vendors/animate.css/package.json

Path to vulnerable library: /vendors/animate.css/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • gulp-cssnano-2.1.3.tgz (Root Library)
    • cssnano-3.10.0.tgz
      • postcss-svgo-2.1.6.tgz
        • svgo-0.7.2.tgz
          • js-yaml-3.7.0.tgz (Vulnerable Library)
js-yaml-2.0.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.0.5.tgz

Path to dependency file: /vendors/bootstrap-wysiwyg/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json,/vendors/bootstrap-wysiwyg/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • js-yaml-2.0.5.tgz (Vulnerable Library)
js-yaml-3.6.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/coveralls/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • coveralls-2.13.3.tgz (Root Library)
    • js-yaml-3.6.1.tgz (Vulnerable Library)
js-yaml-2.1.3.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.1.3.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/assemble-yaml/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • assemble-yaml-0.2.1.tgz
      • js-yaml-2.1.3.tgz (Vulnerable Library)
js-yaml-3.4.6.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.4.6.tgz

Path to dependency file: /vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/jscs/node_modules/js-yaml/package.json,/vendors/bootstrap-datetimepicker/node_modules/jscs/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • gulp-jscs-3.0.2.tgz (Root Library)
    • jscs-2.11.0.tgz
      • js-yaml-3.4.6.tgz (Vulnerable Library)
js-yaml-3.12.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • coveralls-3.0.2.tgz (Root Library)
    • js-yaml-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (grunt): 1.0.4

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (coveralls): 3.0.0

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (coveralls): 3.0.3

Step up your Open Source Security Game with Mend here

CVE-2016-10538 (Low) detected in cli-0.4.3.tgz, cli-0.6.6.tgz

CVE-2016-10538 - Low Severity Vulnerability

Vulnerable Libraries - cli-0.4.3.tgz, cli-0.6.6.tgz

cli-0.4.3.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.4.3.tgz

Path to dependency file: /vendors/Flot/package.json

Path to vulnerable library: /vendors/Flot/node_modules/cli/package.json

Dependency Hierarchy:

  • jshint-0.9.1.tgz (Root Library)
    • cli-0.4.3.tgz (Vulnerable Library)
cli-0.6.6.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.6.6.tgz

Path to dependency file: /vendors/jszip/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/cli/package.json,/vendors/bootstrap-wysiwyg/node_modules/cli/package.json,/vendors/bootstrap-wysiwyg/node_modules/cli/package.json,/vendors/bootstrap-wysiwyg/node_modules/cli/package.json

Dependency Hierarchy:

  • jshint-2.8.0.tgz (Root Library)
    • cli-0.6.6.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

The package node-cli before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2018-05-31

URL: CVE-2016-10538

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10538

Release Date: 2018-05-31

Fix Resolution (cli): 1.0.0

Direct dependency fix Resolution (jshint): 2.9.3

Fix Resolution (cli): 1.0.0

Direct dependency fix Resolution (jshint): 2.9.3

Step up your Open Source Security Game with Mend here

CVE-2018-11697 (High) detected in multiple libraries

CVE-2018-11697 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sass-3.13.1.tgz, proyector-movilproyector-movil-windows, CSS::Sassv3.4.11, libsass3.3.6

node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Vulnerable Library)
node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: 4.14.0

Step up your Open Source Security Game with Mend here

CVE-2020-11022 (Medium) detected in multiple libraries

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-3.4.0.min.js, jquery-2.1.1.min.js, jquery-1.7.2.min.js, jquery-1.6.2.js, jquery-1.9.0.min.js, jquery-1.8.3.js, jquery-1.11.2.min.js, jquery-1.11.1.min.js, jquery-2.1.4.min.js, jquery-3.3.1.js, jquery-2.2.4.min.js, jquery-2.1.3.min.js, jquery-1.8.2.min.js, jquery-1.9.1.min.js, jquery-1.9.1.js, jquery-1.11.3.min.js, jquery-1.11.1.js, jquery-1.11.0.min.js, jquery-1.7.1.min.js, jquery-3.3.1.tgz, jquery-1.8.1.min.js, jquery-2.2.4.tgz, jquery-1.11.3.tgz

jquery-3.4.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.0/jquery.min.js

Path to dependency file: /vendors/cropper/node_modules/js-base64/test/index.html

Path to vulnerable library: /vendors/cropper/node_modules/js-base64/test/index.html,/vendors/animate.css/node_modules/js-base64/test/index.html,/vendors/select2/node_modules/js-base64/test/index.html,/vendors/bootstrap-daterangepicker/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-3.4.0.min.js (Vulnerable Library)
jquery-2.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Dependency Hierarchy:

  • jquery-2.1.1.min.js (Vulnerable Library)
jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /vendors/gauge.js/index.html

Path to vulnerable library: /vendors/gauge.js/index.html,/vendors/switchery/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)
jquery-1.6.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.6.2/jquery.js

Path to dependency file: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/index.html

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/morris.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/starrr/node_modules/qs/test/browser/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/select2/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/Chart.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/switchery/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js

Dependency Hierarchy:

  • jquery-1.6.2.js (Vulnerable Library)
jquery-1.9.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.0/jquery.min.js

Path to dependency file: /vendors/jquery-knob/index.html

Path to vulnerable library: /vendors/jquery-knob/index.html

Dependency Hierarchy:

  • jquery-1.9.0.min.js (Vulnerable Library)
jquery-1.8.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js

Path to dependency file: /vendors/flot/examples/fill-types/index.html

Path to vulnerable library: /vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/series-toggle/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/selection/../../source/jquery.js,/vendors/flot/flot-2.1.3/package/node_modules/webcharts-development-settings/benchmark-infrastructure/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time-zones/../../source/jquery.js,/vendors/Flot/examples/interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/annotating/../../source/jquery.js,/vendors/Flot/examples/threshold/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/threshold/../../source/jquery.js,/vendors/Flot/examples/selection/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-toggle/../../source/jquery.js,/vendors/Flot/examples/canvas/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/stacking/../../source/jquery.js,/vendors/Flot/examples/tracking/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-errorbars/../../source/jquery.js,/vendors/Flot/examples/image/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/Flot/examples/basic-options/../../jquery.js,/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/tracking/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/visitors/../../source/jquery.js,/vendors/Flot/examples/zooming/../../jquery.js,/vendors/Flot/examples/annotating/../../jquery.js,/vendors/Flot/examples/basic-usage/../../jquery.js,/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/Flot/examples/series-pie/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/percentiles/../../source/jquery.js,/vendors/Flot/examples/symbols/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-usage/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time/../../source/jquery.js,/vendors/Flot/examples/axes-multiple/../../jquery.js,/vendors/Flot/examples/navigate/../../jquery.js,/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/Flot/examples/axes-time/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-interacting/../../source/jquery.js,/vendors/Flot/examples/categories/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigate/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/Flot/examples/ajax/../../jquery.js,/vendors/Flot/examples/axes-interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/categories/../../source/jquery.js,/vendors/Flot/examples/percentiles/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/zooming/../../source/jquery.js,/vendors/Flot/examples/realtime/../../jquery.js,/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/ajax/../../source/jquery.js,/vendors/Flot/examples/series-errorbars/../../jquery.js,/vendors/Flot/examples/series-types/../../jquery.js,/vendors/Flot/examples/resize/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/visitors/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/symbols/../../source/jquery.js,/vendors/Flot/examples/stacking/../../jquery.js,/vendors/Flot/examples/axes-time-zones/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/resize/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-multiple/../../source/jquery.js,/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/realtime/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-types/../../source/jquery.js,/vendors/Flot/examples/../jquery.js,/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/interacting/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-pie/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-options/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/image/../../source/jquery.js

Dependency Hierarchy:

  • jquery-1.8.3.js (Vulnerable Library)
jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /vendors/nprogress/index.html

Path to vulnerable library: /vendors/nprogress/index.html

Dependency Hierarchy:

  • jquery-1.11.2.min.js (Vulnerable Library)
jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /vendors/select2/node_modules/q-io/node_modules/qs/support/expresso/docs/api.html

Path to vulnerable library: /vendors/select2/node_modules/q-io/node_modules/qs/support/expresso/docs/api.html,/vendors/jquery.easy-pie-chart/node_modules/policyfile/doc/index.html,/vendors/Chart.js/node_modules/policyfile/doc/index.html

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)
jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /vendors/cropper/node_modules/js-base64/.attic/test-moment/index.html

Path to vulnerable library: /vendors/cropper/node_modules/js-base64/.attic/test-moment/index.html,/vendors/animate.css/node_modules/js-base64/.attic/test-moment/index.html,/vendors/select2/node_modules/js-base64/.attic/test-moment/index.html,/vendors/bootstrap-daterangepicker/node_modules/js-base64/.attic/test-moment/index.html,/vendors/bootstrap/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)
jquery-3.3.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.js

Path to dependency file: /vendors/bootstrap-daterangepicker/demo.html

Path to vulnerable library: /vendors/bootstrap-daterangepicker/demo.html

Dependency Hierarchy:

  • jquery-3.3.1.js (Vulnerable Library)
jquery-2.2.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js

Path to dependency file: /production/general_elements.html

Path to vulnerable library: /production/../vendors/jquery/dist/jquery.min.js

Dependency Hierarchy:

  • jquery-2.2.4.min.js (Vulnerable Library)
jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /vendors/Chart.js/samples/AnimationCallbacks/progress-bar.html

Path to vulnerable library: /vendors/Chart.js/samples/AnimationCallbacks/progress-bar.html

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)
jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Path to vulnerable library: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)
jquery-1.9.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.min.js

Path to dependency file: /production/form_validation.html

Path to vulnerable library: /production/form_validation.html,/vendors/validator/index.html,/vendors/flot.orderbars/examples/js/vendor/jquery-1.9.1.min.js

Dependency Hierarchy:

  • jquery-1.9.1.min.js (Vulnerable Library)
jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /vendors/jqvmap/node_modules/jquery/src/sizzle/test/index.html

Path to vulnerable library: /vendors/jqvmap/node_modules/jquery/src/sizzle/test/jquery.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)
jquery-1.11.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Path to dependency file: /docs/index.html

Path to vulnerable library: /docs/js/jquery.min.js,/vendors/jqvmap/examples/greece.html,/vendors/echarts/test/lib/jquery.min.js,/vendors/echarts/test/./lib/jquery.min.js

Dependency Hierarchy:

  • jquery-1.11.3.min.js (Vulnerable Library)
jquery-1.11.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.js

Path to dependency file: /vendors/starrr/index.html

Path to vulnerable library: /vendors/starrr/index.html

Dependency Hierarchy:

  • jquery-1.11.1.js (Vulnerable Library)
jquery-1.11.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.min.js

Path to dependency file: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Path to vulnerable library: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Dependency Hierarchy:

  • jquery-1.11.0.min.js (Vulnerable Library)
jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /vendors/Chart.js/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /vendors/Chart.js/node_modules/vm-browserify/example/run/index.html,/vendors/jszip/node_modules/vm-browserify/example/run/index.html,/vendors/echarts/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.3.1.tgz (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /vendors/morris.js/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /vendors/morris.js/node_modules/redeyed/examples/browser/index.html,/vendors/flot/flot-2.1.3/package/node_modules/redeyed/examples/browser/index.html,/vendors/flot/flot-2.1.3/package/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html,/vendors/select2/node_modules/tap/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)
jquery-2.2.4.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-2.2.4.tgz (Vulnerable Library)
jquery-1.11.3.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-1.11.3.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-1.11.3.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: 3.5.0

Step up your Open Source Security Game with Mend here

CVE-2018-11694 (High) detected in multiple libraries

CVE-2018-11694 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sass-3.13.1.tgz, libsass3.3.6

node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Vulnerable Library)
node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2016-10540 (High) detected in multiple libraries

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-0.2.12.tgz, minimatch-0.4.0.tgz, minimatch-2.0.10.tgz, minimatch-0.3.0.tgz, minimatch-0.2.14.tgz, minimatch-1.0.0.tgz

minimatch-0.2.12.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.12.tgz

Path to dependency file: /vendors/cropper/package.json

Path to vulnerable library: /vendors/cropper/node_modules/csscomb-core/node_modules/minimatch/package.json

Dependency Hierarchy:

  • gulp-csscomb-3.1.0.tgz (Root Library)
    • csscomb-3.1.8.tgz
      • csscomb-core-3.0.0-3.1.tgz
        • minimatch-0.2.12.tgz (Vulnerable Library)
minimatch-0.4.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.4.0.tgz

Path to dependency file: /vendors/jszip/package.json

Path to vulnerable library: /vendors/jszip/node_modules/fileset/node_modules/minimatch/package.json

Dependency Hierarchy:

  • qunit-0.7.7.tgz (Root Library)
    • istanbul-0.2.5.tgz
      • fileset-0.1.8.tgz
        • minimatch-0.4.0.tgz (Vulnerable Library)
minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: /vendors/DateJS/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json,/vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json,/vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json,/vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json,/vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json,/vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json,/vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json,/vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json,/vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json,/vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json,/vendors/bootstrap-wysiwyg/node_modules/gulp-jshint/node_modules/minimatch/package.json

Dependency Hierarchy:

  • karma-0.12.37.tgz (Root Library)
    • minimatch-2.0.10.tgz (Vulnerable Library)
minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json,/vendors/starrr/node_modules/findup-sync/node_modules/minimatch/package.json

Dependency Hierarchy:

  • gulp-3.5.6.tgz (Root Library)
    • liftoff-0.9.8.tgz
      • findup-sync-0.1.3.tgz
        • glob-3.2.11.tgz
          • minimatch-0.3.0.tgz (Vulnerable Library)
minimatch-0.2.14.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Path to dependency file: /vendors/starrr/package.json

Path to vulnerable library: /vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json,/vendors/morris.js/node_modules/grunt/node_modules/minimatch/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • gaze-0.4.3.tgz
      • globule-0.1.0.tgz
        • minimatch-0.2.14.tgz (Vulnerable Library)
minimatch-1.0.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-1.0.0.tgz

Path to dependency file: /vendors/flot/flot-2.1.3/package/package.json

Path to vulnerable library: /vendors/switchery/node_modules/spacejam/node_modules/minimatch/package.json,/vendors/switchery/node_modules/spacejam/node_modules/minimatch/package.json,/vendors/switchery/node_modules/spacejam/node_modules/minimatch/package.json,/vendors/switchery/node_modules/spacejam/node_modules/minimatch/package.json

Dependency Hierarchy:

  • spacejam-1.6.1.tgz (Root Library)
    • glob-4.0.6.tgz
      • minimatch-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-05-31

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (karma): 0.13.12

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.0

Step up your Open Source Security Game with Mend here

CVE-2018-16492 (High) detected in extend-1.2.1.tgz, extend-3.0.0.tgz

CVE-2018-16492 - High Severity Vulnerability

Vulnerable Libraries - extend-1.2.1.tgz, extend-3.0.0.tgz

extend-1.2.1.tgz

Port of jQuery.extend for Node.js

Library home page: https://registry.npmjs.org/extend/-/extend-1.2.1.tgz

Path to dependency file: /vendors/bootstrap-progressbar/package.json

Path to vulnerable library: /vendors/transitionize/node_modules/socks-proxy-agent/node_modules/extend/package.json,/vendors/transitionize/node_modules/socks-proxy-agent/node_modules/extend/package.json,/vendors/transitionize/node_modules/socks-proxy-agent/node_modules/extend/package.json

Dependency Hierarchy:

  • gulp-3.5.6.tgz (Root Library)
    • liftoff-0.9.8.tgz
      • extend-1.2.1.tgz (Vulnerable Library)
extend-3.0.0.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.0.tgz

Path to dependency file: /vendors/bootstrap-wysiwyg/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/superagent/node_modules/extend/package.json

Dependency Hierarchy:

  • grunt-release-0.13.1.tgz (Root Library)
    • superagent-1.8.5.tgz
      • extend-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 2.0.2

Direct dependency fix Resolution (gulp): 3.8.11

Step up your Open Source Security Game with Mend here

CVE-2011-4969 (Low) detected in multiple libraries

CVE-2011-4969 - Low Severity Vulnerability

Vulnerable Libraries - jquery-1.4.3.min.js, jquery-1.6.2.js, jquery-1.3.2.min.js

jquery-1.4.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.3/jquery.min.js

Path to dependency file: /vendors/transitionize/node_modules/superagent/docs/head.html

Path to vulnerable library: /vendors/transitionize/node_modules/superagent/docs/head.html,/vendors/switchery/node_modules/superagent/docs/head.html

Dependency Hierarchy:

  • jquery-1.4.3.min.js (Vulnerable Library)
jquery-1.6.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.6.2/jquery.js

Path to dependency file: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/index.html

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/morris.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/starrr/node_modules/qs/test/browser/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/select2/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/Chart.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/switchery/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js

Dependency Hierarchy:

  • jquery-1.6.2.js (Vulnerable Library)
jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/node_modules/grunt-nuget/node_modules/underscore.string/test/test_underscore/temp_tests.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/grunt-nuget/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jszip/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/starrr/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/DateJS/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jqvmap/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jquery.easy-pie-chart/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/select2/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/devbridge-autocomplete/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/morris.js/node_modules/underscore.string/test/test_underscore/vendor/jquery.js

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969

Release Date: 2013-03-08

Fix Resolution: 1.6.3

Step up your Open Source Security Game with Mend here

CVE-2018-19839 (Medium) detected in multiple libraries

CVE-2018-19839 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sass-3.13.1.tgz, CSS::Sassv3.4.11, libsass3.3.6

node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Vulnerable Library)
node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Publish Date: 2018-12-04

URL: CVE-2018-19839

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-04

Fix Resolution: 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2018-20834 (High) detected in tar-2.2.1.tgz, tar-0.1.20.tgz

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Libraries - tar-2.2.1.tgz, tar-0.1.20.tgz

tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/tar/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Root Library)
    • node-gyp-3.8.0.tgz
      • tar-2.2.1.tgz (Vulnerable Library)
tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /vendors/switchery/package.json

Path to vulnerable library: /vendors/switchery/node_modules/tar/package.json,/vendors/switchery/node_modules/tar/package.json

Dependency Hierarchy:

  • component-1.1.0.tgz (Root Library)
    • component-resolver-1.3.0.tgz
      • component-downloader-1.2.0.tgz
        • decompress-0.2.5.tgz
          • tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-04-30

Fix Resolution (tar): 2.2.2

Direct dependency fix Resolution (node-sass): 4.12.0

Step up your Open Source Security Game with Mend here

CVE-2020-7656 (Medium) detected in multiple libraries

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.4.3.min.js, jquery-1.7.2.min.js, jquery-1.6.2.js, jquery-1.8.3.js, jquery-1.8.2.min.js, jquery-1.3.2.min.js, jquery-1.7.1.min.js, jquery-1.8.1.min.js

jquery-1.4.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.3/jquery.min.js

Path to dependency file: /vendors/transitionize/node_modules/superagent/docs/head.html

Path to vulnerable library: /vendors/transitionize/node_modules/superagent/docs/head.html,/vendors/switchery/node_modules/superagent/docs/head.html

Dependency Hierarchy:

  • jquery-1.4.3.min.js (Vulnerable Library)
jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /vendors/gauge.js/index.html

Path to vulnerable library: /vendors/gauge.js/index.html,/vendors/switchery/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)
jquery-1.6.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.6.2/jquery.js

Path to dependency file: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/index.html

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/morris.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/starrr/node_modules/qs/test/browser/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/select2/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/Chart.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/switchery/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js

Dependency Hierarchy:

  • jquery-1.6.2.js (Vulnerable Library)
jquery-1.8.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js

Path to dependency file: /vendors/flot/examples/fill-types/index.html

Path to vulnerable library: /vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/series-toggle/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/selection/../../source/jquery.js,/vendors/flot/flot-2.1.3/package/node_modules/webcharts-development-settings/benchmark-infrastructure/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time-zones/../../source/jquery.js,/vendors/Flot/examples/interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/annotating/../../source/jquery.js,/vendors/Flot/examples/threshold/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/threshold/../../source/jquery.js,/vendors/Flot/examples/selection/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-toggle/../../source/jquery.js,/vendors/Flot/examples/canvas/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/stacking/../../source/jquery.js,/vendors/Flot/examples/tracking/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-errorbars/../../source/jquery.js,/vendors/Flot/examples/image/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/Flot/examples/basic-options/../../jquery.js,/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/tracking/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/visitors/../../source/jquery.js,/vendors/Flot/examples/zooming/../../jquery.js,/vendors/Flot/examples/annotating/../../jquery.js,/vendors/Flot/examples/basic-usage/../../jquery.js,/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/Flot/examples/series-pie/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/percentiles/../../source/jquery.js,/vendors/Flot/examples/symbols/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-usage/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time/../../source/jquery.js,/vendors/Flot/examples/axes-multiple/../../jquery.js,/vendors/Flot/examples/navigate/../../jquery.js,/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/Flot/examples/axes-time/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-interacting/../../source/jquery.js,/vendors/Flot/examples/categories/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigate/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/Flot/examples/ajax/../../jquery.js,/vendors/Flot/examples/axes-interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/categories/../../source/jquery.js,/vendors/Flot/examples/percentiles/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/zooming/../../source/jquery.js,/vendors/Flot/examples/realtime/../../jquery.js,/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/ajax/../../source/jquery.js,/vendors/Flot/examples/series-errorbars/../../jquery.js,/vendors/Flot/examples/series-types/../../jquery.js,/vendors/Flot/examples/resize/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/visitors/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/symbols/../../source/jquery.js,/vendors/Flot/examples/stacking/../../jquery.js,/vendors/Flot/examples/axes-time-zones/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/resize/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-multiple/../../source/jquery.js,/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/realtime/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-types/../../source/jquery.js,/vendors/Flot/examples/../jquery.js,/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/interacting/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-pie/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-options/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/image/../../source/jquery.js

Dependency Hierarchy:

  • jquery-1.8.3.js (Vulnerable Library)
jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Path to vulnerable library: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)
jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/node_modules/grunt-nuget/node_modules/underscore.string/test/test_underscore/temp_tests.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/grunt-nuget/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jszip/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/starrr/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/DateJS/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jqvmap/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jquery.easy-pie-chart/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/select2/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/devbridge-autocomplete/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/morris.js/node_modules/underscore.string/test/test_underscore/vendor/jquery.js

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)
jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /vendors/Chart.js/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /vendors/Chart.js/node_modules/vm-browserify/example/run/index.html,/vendors/jszip/node_modules/vm-browserify/example/run/index.html,/vendors/echarts/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /vendors/morris.js/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /vendors/morris.js/node_modules/redeyed/examples/browser/index.html,/vendors/flot/flot-2.1.3/package/node_modules/redeyed/examples/browser/index.html,/vendors/flot/flot-2.1.3/package/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html,/vendors/select2/node_modules/tap/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

Step up your Open Source Security Game with Mend here

CVE-2018-3721 (Medium) detected in multiple libraries

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-1.2.1.tgz, lodash-1.3.1.tgz, lodash-3.10.1.tgz, lodash-3.7.0.tgz, lodash-2.4.2.tgz, lodash-2.2.1.tgz, lodash-4.6.1.tgz, lodash-1.0.2.tgz, lodash-4.0.1.tgz, lodash-3.2.0.tgz, lodash-0.9.2.tgz

lodash-1.2.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.2.1.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/morris.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • inquirer-0.3.5.tgz
      • lodash-1.2.1.tgz (Vulnerable Library)
lodash-1.3.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.3.1.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/resolve-dep/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • resolve-dep-0.1.3.tgz
      • lodash-1.3.1.tgz (Vulnerable Library)
lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /vendors/cropper/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-0.12.37.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)
lodash-3.7.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Path to dependency file: /vendors/bootstrap-wysiwyg/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/jshint/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • jshint-2.8.0.tgz (Root Library)
    • lodash-3.7.0.tgz (Vulnerable Library)
lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-jasmine-0.8.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)
lodash-2.2.1.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.2.1.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/sort-object/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • assemble-yaml-0.2.1.tgz
      • sort-object-0.0.4.tgz
        • lodash-2.2.1.tgz (Vulnerable Library)
lodash-4.6.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.6.1.tgz

Path to dependency file: /vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/grunt-jscs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-jscs-3.0.1.tgz (Root Library)
    • lodash-4.6.1.tgz (Vulnerable Library)
lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • gaze-0.4.3.tgz
      • globule-0.1.0.tgz
        • lodash-1.0.2.tgz (Vulnerable Library)
lodash-4.0.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.0.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/select2/node_modules/grunt-saucelabs/node_modules/lodash/package.json,/vendors/select2/node_modules/grunt-saucelabs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-saucelabs-8.6.3.tgz (Root Library)
    • lodash-4.0.1.tgz (Vulnerable Library)
lodash-3.2.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/grunt-contrib-uglify/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-uglify-0.10.1.tgz (Root Library)
    • lodash-3.2.0.tgz (Vulnerable Library)
lodash-0.9.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-0.9.2.tgz

Path to dependency file: /vendors/jszip/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • lodash-0.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (bower): 1.7.5

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (karma): 2.0.0

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (jshint): 2.9.6

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt-contrib-jasmine): 2.0.3

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.1

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt-contrib-uglify): 0.11.1

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt): 1.0.3

Step up your Open Source Security Game with Mend here

CVE-2012-6708 (Medium) detected in multiple libraries

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.4.3.min.js, jquery-1.7.2.min.js, jquery-1.6.2.js, jquery-1.8.3.js, jquery-1.8.2.min.js, jquery-1.3.2.min.js, jquery-1.7.1.min.js, jquery-1.8.1.min.js

jquery-1.4.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.3/jquery.min.js

Path to dependency file: /vendors/transitionize/node_modules/superagent/docs/head.html

Path to vulnerable library: /vendors/transitionize/node_modules/superagent/docs/head.html,/vendors/switchery/node_modules/superagent/docs/head.html

Dependency Hierarchy:

  • jquery-1.4.3.min.js (Vulnerable Library)
jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /vendors/gauge.js/index.html

Path to vulnerable library: /vendors/gauge.js/index.html,/vendors/switchery/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)
jquery-1.6.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.6.2/jquery.js

Path to dependency file: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/index.html

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/morris.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/starrr/node_modules/qs/test/browser/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/select2/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/Chart.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/switchery/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js

Dependency Hierarchy:

  • jquery-1.6.2.js (Vulnerable Library)
jquery-1.8.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js

Path to dependency file: /vendors/flot/examples/fill-types/index.html

Path to vulnerable library: /vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/series-toggle/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/selection/../../source/jquery.js,/vendors/flot/flot-2.1.3/package/node_modules/webcharts-development-settings/benchmark-infrastructure/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time-zones/../../source/jquery.js,/vendors/Flot/examples/interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/annotating/../../source/jquery.js,/vendors/Flot/examples/threshold/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/threshold/../../source/jquery.js,/vendors/Flot/examples/selection/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-toggle/../../source/jquery.js,/vendors/Flot/examples/canvas/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/stacking/../../source/jquery.js,/vendors/Flot/examples/tracking/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-errorbars/../../source/jquery.js,/vendors/Flot/examples/image/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/Flot/examples/basic-options/../../jquery.js,/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/tracking/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/visitors/../../source/jquery.js,/vendors/Flot/examples/zooming/../../jquery.js,/vendors/Flot/examples/annotating/../../jquery.js,/vendors/Flot/examples/basic-usage/../../jquery.js,/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/Flot/examples/series-pie/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/percentiles/../../source/jquery.js,/vendors/Flot/examples/symbols/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-usage/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time/../../source/jquery.js,/vendors/Flot/examples/axes-multiple/../../jquery.js,/vendors/Flot/examples/navigate/../../jquery.js,/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/Flot/examples/axes-time/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-interacting/../../source/jquery.js,/vendors/Flot/examples/categories/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigate/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/Flot/examples/ajax/../../jquery.js,/vendors/Flot/examples/axes-interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/categories/../../source/jquery.js,/vendors/Flot/examples/percentiles/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/zooming/../../source/jquery.js,/vendors/Flot/examples/realtime/../../jquery.js,/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/ajax/../../source/jquery.js,/vendors/Flot/examples/series-errorbars/../../jquery.js,/vendors/Flot/examples/series-types/../../jquery.js,/vendors/Flot/examples/resize/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/visitors/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/symbols/../../source/jquery.js,/vendors/Flot/examples/stacking/../../jquery.js,/vendors/Flot/examples/axes-time-zones/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/resize/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-multiple/../../source/jquery.js,/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/realtime/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-types/../../source/jquery.js,/vendors/Flot/examples/../jquery.js,/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/interacting/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-pie/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-options/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/image/../../source/jquery.js

Dependency Hierarchy:

  • jquery-1.8.3.js (Vulnerable Library)
jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Path to vulnerable library: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)
jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/node_modules/grunt-nuget/node_modules/underscore.string/test/test_underscore/temp_tests.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/grunt-nuget/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jszip/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/starrr/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/DateJS/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jqvmap/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jquery.easy-pie-chart/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/select2/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/devbridge-autocomplete/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/morris.js/node_modules/underscore.string/test/test_underscore/vendor/jquery.js

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)
jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /vendors/Chart.js/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /vendors/Chart.js/node_modules/vm-browserify/example/run/index.html,/vendors/jszip/node_modules/vm-browserify/example/run/index.html,/vendors/echarts/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /vendors/morris.js/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /vendors/morris.js/node_modules/redeyed/examples/browser/index.html,/vendors/flot/flot-2.1.3/package/node_modules/redeyed/examples/browser/index.html,/vendors/flot/flot-2.1.3/package/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html,/vendors/select2/node_modules/tap/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with Mend here

CVE-2019-8331 (Medium) detected in multiple libraries

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.3.5.min.js, bootstrap.3.3.0.nupkg, bootstrap-3.3.6.min.js, bootstrap-3.3.1.min.js, bootstrap-4.1.0.min.js

bootstrap-3.3.5.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Path to vulnerable library: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Dependency Hierarchy:

  • bootstrap-3.3.5.min.js (Vulnerable Library)
bootstrap.3.3.0.nupkg

Sleek, intuitive, and powerful mobile first front-end framework for faster and easier web developmen...

Library home page: https://api.nuget.org/packages/bootstrap.3.3.0.nupkg

Path to dependency file: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Path to vulnerable library: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Dependency Hierarchy:

  • bootstrap.3.3.0.nupkg (Vulnerable Library)
bootstrap-3.3.6.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.min.js

Path to dependency file: /docs/index.html

Path to vulnerable library: /docs/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.6.min.js (Vulnerable Library)
bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Dependency Hierarchy:

  • bootstrap-3.3.1.min.js (Vulnerable Library)
bootstrap-4.1.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.0/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-daterangepicker/website/index.html

Path to vulnerable library: /vendors/bootstrap-daterangepicker/website/index.html

Dependency Hierarchy:

  • bootstrap-4.1.0.min.js (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

Step up your Open Source Security Game with Mend here

CVE-2017-18214 (High) detected in multiple libraries

CVE-2017-18214 - High Severity Vulnerability

Vulnerable Libraries - moment-2.13.0.min.js, moment.js.2.9.0.nupkg, moment-2.0.0.tgz

moment-2.13.0.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js

Path to dependency file: /production/calendar.html

Path to vulnerable library: /production/../vendors/moment/min/moment.min.js

Dependency Hierarchy:

  • moment-2.13.0.min.js (Vulnerable Library)
moment.js.2.9.0.nupkg

A lightweight javascript date library for parsing, manipulating, and formatting dates.

Library home page: https://api.nuget.org/packages/moment.js.2.9.0.nupkg

Path to dependency file: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Path to vulnerable library: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec,/vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.nuspec

Dependency Hierarchy:

  • moment.js.2.9.0.nupkg (Vulnerable Library)
moment-2.0.0.tgz

Parse, manipulate, and display dates.

Library home page: https://registry.npmjs.org/moment/-/moment-2.0.0.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/moment/package.json

Dependency Hierarchy:

  • grunt-changelog-0.2.2.tgz (Root Library)
    • moment-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-446m-mv8f-q348

Release Date: 2018-03-04

Fix Resolution: moment - 2.19.3

Step up your Open Source Security Game with Mend here

WS-2018-0021 (Medium) detected in multiple libraries - autoclosed

WS-2018-0021 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.3.5.min.js, bootstrap.3.3.0.nupkg, bootstrap-3.3.6.min.js, bootstrap-3.3.1.min.js

bootstrap-3.3.5.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/gentelella/vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Path to vulnerable library: /gentelella/vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Dependency Hierarchy:

  • bootstrap-3.3.5.min.js (Vulnerable Library)
bootstrap.3.3.0.nupkg

Sleek, intuitive, and powerful mobile first front-end framework for faster and easier web developmen...

Library home page: https://api.nuget.org/packages/bootstrap.3.3.0.nupkg

Path to dependency file: /tmp/ws-scm/gentelella/vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Path to vulnerable library: /gentelella/vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Dependency Hierarchy:

  • bootstrap.3.3.0.nupkg (Vulnerable Library)
bootstrap-3.3.6.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/gentelella/docs/index.html

Path to vulnerable library: /gentelella/docs/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.6.min.js (Vulnerable Library)
bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/gentelella/vendors/bootstrap-datetimepicker/docs/theme/base.html

Path to vulnerable library: /gentelella/vendors/bootstrap-datetimepicker/docs/theme/base.html

Dependency Hierarchy:

  • bootstrap-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

XSS in data-target in bootstrap (3.3.7 and before)

Publish Date: 2017-09-29

URL: WS-2018-0021

CVSS 2 Score Details (6.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#20184

Release Date: 2019-06-12

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2016-2515 (High) detected in hawk-1.1.1.tgz, hawk-1.0.0.tgz

CVE-2016-2515 - High Severity Vulnerability

Vulnerable Libraries - hawk-1.1.1.tgz, hawk-1.0.0.tgz

hawk-1.1.1.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-1.1.1.tgz

Path to dependency file: /vendors/bootstrap-progressbar/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/hawk/package.json,/vendors/jquery.easy-pie-chart/node_modules/hawk/package.json,/vendors/jquery.easy-pie-chart/node_modules/hawk/package.json

Dependency Hierarchy:

  • gulp-less-1.3.9.tgz (Root Library)
    • less-1.7.5.tgz
      • request-2.40.0.tgz
        • hawk-1.1.1.tgz (Vulnerable Library)
hawk-1.0.0.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-1.0.0.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/morris.js/node_modules/hawk/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • request-2.27.0.tgz
      • hawk-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

Publish Date: 2016-04-13

URL: CVE-2016-2515

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2515

Release Date: 2016-04-13

Fix Resolution (hawk): 3.1.3

Direct dependency fix Resolution (gulp-less): 2.0.0

Fix Resolution (hawk): 3.1.3

Direct dependency fix Resolution (bower): 1.7.5

Step up your Open Source Security Game with Mend here

CVE-2018-19797 (Medium) detected in multiple libraries

CVE-2018-19797 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sass-3.13.1.tgz, opennmsopennms-source-22.0.1-1, libsass3.3.6

node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Vulnerable Library)
node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-03

URL: CVE-2018-19797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-03

Fix Resolution: 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-11023 (Medium) detected in multiple libraries

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-3.3.1.slim.min.js, jquery-3.4.0.min.js, jquery-2.1.1.min.js, jquery-1.7.2.min.js, jquery-1.9.0.min.js, jquery-1.8.3.js, jquery-1.11.2.min.js, jquery-1.11.1.min.js, jquery-2.1.4.min.js, jquery-3.3.1.js, jquery-2.2.4.min.js, jquery-2.1.3.min.js, jquery-1.8.2.min.js, jquery-1.9.1.min.js, jquery-1.9.1.js, jquery-1.11.3.min.js, jquery-1.11.1.js, jquery-1.11.0.min.js, jquery-1.7.1.min.js, jquery-3.3.1.tgz, jquery-1.8.1.min.js, jquery-2.2.4.tgz, jquery-1.11.3.tgz

jquery-3.3.1.slim.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js

Path to dependency file: /vendors/bootstrap-daterangepicker/website/index.html

Path to vulnerable library: /vendors/bootstrap-daterangepicker/website/index.html

Dependency Hierarchy:

  • jquery-3.3.1.slim.min.js (Vulnerable Library)
jquery-3.4.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.0/jquery.min.js

Path to dependency file: /vendors/cropper/node_modules/js-base64/test/index.html

Path to vulnerable library: /vendors/cropper/node_modules/js-base64/test/index.html,/vendors/animate.css/node_modules/js-base64/test/index.html,/vendors/select2/node_modules/js-base64/test/index.html,/vendors/bootstrap-daterangepicker/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-3.4.0.min.js (Vulnerable Library)
jquery-2.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Dependency Hierarchy:

  • jquery-2.1.1.min.js (Vulnerable Library)
jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /vendors/gauge.js/index.html

Path to vulnerable library: /vendors/gauge.js/index.html,/vendors/switchery/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)
jquery-1.9.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.0/jquery.min.js

Path to dependency file: /vendors/jquery-knob/index.html

Path to vulnerable library: /vendors/jquery-knob/index.html

Dependency Hierarchy:

  • jquery-1.9.0.min.js (Vulnerable Library)
jquery-1.8.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js

Path to dependency file: /vendors/flot/examples/fill-types/index.html

Path to vulnerable library: /vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/series-toggle/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/selection/../../source/jquery.js,/vendors/flot/flot-2.1.3/package/node_modules/webcharts-development-settings/benchmark-infrastructure/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time-zones/../../source/jquery.js,/vendors/Flot/examples/interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/annotating/../../source/jquery.js,/vendors/Flot/examples/threshold/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/threshold/../../source/jquery.js,/vendors/Flot/examples/selection/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-toggle/../../source/jquery.js,/vendors/Flot/examples/canvas/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/stacking/../../source/jquery.js,/vendors/Flot/examples/tracking/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-errorbars/../../source/jquery.js,/vendors/Flot/examples/image/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/Flot/examples/basic-options/../../jquery.js,/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/tracking/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/visitors/../../source/jquery.js,/vendors/Flot/examples/zooming/../../jquery.js,/vendors/Flot/examples/annotating/../../jquery.js,/vendors/Flot/examples/basic-usage/../../jquery.js,/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/Flot/examples/series-pie/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/percentiles/../../source/jquery.js,/vendors/Flot/examples/symbols/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-usage/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time/../../source/jquery.js,/vendors/Flot/examples/axes-multiple/../../jquery.js,/vendors/Flot/examples/navigate/../../jquery.js,/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/Flot/examples/axes-time/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-interacting/../../source/jquery.js,/vendors/Flot/examples/categories/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigate/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/Flot/examples/ajax/../../jquery.js,/vendors/Flot/examples/axes-interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/categories/../../source/jquery.js,/vendors/Flot/examples/percentiles/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/zooming/../../source/jquery.js,/vendors/Flot/examples/realtime/../../jquery.js,/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/ajax/../../source/jquery.js,/vendors/Flot/examples/series-errorbars/../../jquery.js,/vendors/Flot/examples/series-types/../../jquery.js,/vendors/Flot/examples/resize/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/visitors/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/symbols/../../source/jquery.js,/vendors/Flot/examples/stacking/../../jquery.js,/vendors/Flot/examples/axes-time-zones/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/resize/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-multiple/../../source/jquery.js,/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/realtime/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-types/../../source/jquery.js,/vendors/Flot/examples/../jquery.js,/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/interacting/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-pie/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-options/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/image/../../source/jquery.js

Dependency Hierarchy:

  • jquery-1.8.3.js (Vulnerable Library)
jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /vendors/nprogress/index.html

Path to vulnerable library: /vendors/nprogress/index.html

Dependency Hierarchy:

  • jquery-1.11.2.min.js (Vulnerable Library)
jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /vendors/select2/node_modules/q-io/node_modules/qs/support/expresso/docs/api.html

Path to vulnerable library: /vendors/select2/node_modules/q-io/node_modules/qs/support/expresso/docs/api.html,/vendors/jquery.easy-pie-chart/node_modules/policyfile/doc/index.html,/vendors/Chart.js/node_modules/policyfile/doc/index.html

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)
jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /vendors/cropper/node_modules/js-base64/.attic/test-moment/index.html

Path to vulnerable library: /vendors/cropper/node_modules/js-base64/.attic/test-moment/index.html,/vendors/animate.css/node_modules/js-base64/.attic/test-moment/index.html,/vendors/select2/node_modules/js-base64/.attic/test-moment/index.html,/vendors/bootstrap-daterangepicker/node_modules/js-base64/.attic/test-moment/index.html,/vendors/bootstrap/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)
jquery-3.3.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.js

Path to dependency file: /vendors/bootstrap-daterangepicker/demo.html

Path to vulnerable library: /vendors/bootstrap-daterangepicker/demo.html

Dependency Hierarchy:

  • jquery-3.3.1.js (Vulnerable Library)
jquery-2.2.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js

Path to dependency file: /production/general_elements.html

Path to vulnerable library: /production/../vendors/jquery/dist/jquery.min.js

Dependency Hierarchy:

  • jquery-2.2.4.min.js (Vulnerable Library)
jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /vendors/Chart.js/samples/AnimationCallbacks/progress-bar.html

Path to vulnerable library: /vendors/Chart.js/samples/AnimationCallbacks/progress-bar.html

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)
jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Path to vulnerable library: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)
jquery-1.9.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.min.js

Path to dependency file: /production/form_validation.html

Path to vulnerable library: /production/form_validation.html,/vendors/validator/index.html,/vendors/flot.orderbars/examples/js/vendor/jquery-1.9.1.min.js

Dependency Hierarchy:

  • jquery-1.9.1.min.js (Vulnerable Library)
jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /vendors/jqvmap/node_modules/jquery/src/sizzle/test/index.html

Path to vulnerable library: /vendors/jqvmap/node_modules/jquery/src/sizzle/test/jquery.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)
jquery-1.11.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Path to dependency file: /docs/index.html

Path to vulnerable library: /docs/js/jquery.min.js,/vendors/jqvmap/examples/greece.html,/vendors/echarts/test/lib/jquery.min.js,/vendors/echarts/test/./lib/jquery.min.js

Dependency Hierarchy:

  • jquery-1.11.3.min.js (Vulnerable Library)
jquery-1.11.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.js

Path to dependency file: /vendors/starrr/index.html

Path to vulnerable library: /vendors/starrr/index.html

Dependency Hierarchy:

  • jquery-1.11.1.js (Vulnerable Library)
jquery-1.11.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.min.js

Path to dependency file: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Path to vulnerable library: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Dependency Hierarchy:

  • jquery-1.11.0.min.js (Vulnerable Library)
jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /vendors/Chart.js/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /vendors/Chart.js/node_modules/vm-browserify/example/run/index.html,/vendors/jszip/node_modules/vm-browserify/example/run/index.html,/vendors/echarts/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.3.1.tgz (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /vendors/morris.js/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /vendors/morris.js/node_modules/redeyed/examples/browser/index.html,/vendors/flot/flot-2.1.3/package/node_modules/redeyed/examples/browser/index.html,/vendors/flot/flot-2.1.3/package/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html,/vendors/select2/node_modules/tap/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)
jquery-2.2.4.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-2.2.4.tgz (Vulnerable Library)
jquery-1.11.3.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-1.11.3.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-1.11.3.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: 3.5.0

Step up your Open Source Security Game with Mend here

CVE-2018-20190 (Medium) detected in multiple libraries

CVE-2018-20190 - Medium Severity Vulnerability

Vulnerable Libraries - node-sass-4.11.0.tgz, node-sass-3.13.1.tgz, proyector-movilproyector-movil-windows, opennmsopennms-source-24.1.2-1, libsass3.3.6

node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Vulnerable Library)
node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-17

Fix Resolution: 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2017-16042 (High) detected in growl-1.8.1.tgz, growl-1.10.0.tgz

CVE-2017-16042 - High Severity Vulnerability

Vulnerable Libraries - growl-1.8.1.tgz, growl-1.10.0.tgz

growl-1.8.1.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.8.1.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/morris.js/node_modules/growl/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • mocha-1.21.5.tgz
      • growl-1.8.1.tgz (Vulnerable Library)
growl-1.10.0.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.10.0.tgz

Path to dependency file: /vendors/DateJS/package.json

Path to vulnerable library: /vendors/DateJS/node_modules/growl/package.json

Dependency Hierarchy:

  • jasmine-node-2.0.1.tgz (Root Library)
    • jasmine-growl-reporter-1.0.3.tgz
      • growl-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Publish Date: 2018-06-04

URL: CVE-2017-16042

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042

Release Date: 2018-06-04

Fix Resolution (growl): 1.10.2

Direct dependency fix Resolution (grunt-mocha): 1.0.3

Step up your Open Source Security Game with Mend here

CVE-2018-11695 (High) detected in node-sass-3.13.1.tgz, libsass3.3.6

CVE-2018-11695 - High Severity Vulnerability

Vulnerable Libraries - node-sass-3.13.1.tgz, libsass3.3.6

node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json,/vendors/bootstrap-daterangepicker/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: 4.9.0

Step up your Open Source Security Game with Mend here

CVE-2019-11358 (Medium) detected in multiple libraries

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-3.3.1.slim.min.js, jquery-2.1.1.min.js, jquery-1.7.2.min.js, jquery-1.6.2.js, jquery-1.8.3.js, jquery-1.11.2.min.js, jquery-1.11.1.min.js, jquery-2.1.4.min.js, jquery-3.3.1.js, jquery-2.2.4.min.js, jquery-2.1.3.min.js, jquery-1.8.2.min.js, jquery-1.9.1.min.js, jquery-1.9.1.js, jquery-1.3.2.min.js, jquery-1.11.3.min.js, jquery-1.11.1.js, jquery-1.11.0.min.js, jquery-3.3.1.tgz, jquery-2.2.4.tgz, jquery-1.11.3.tgz

jquery-3.3.1.slim.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js

Path to dependency file: /vendors/bootstrap-daterangepicker/website/index.html

Path to vulnerable library: /vendors/bootstrap-daterangepicker/website/index.html

Dependency Hierarchy:

  • jquery-3.3.1.slim.min.js (Vulnerable Library)
jquery-2.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Dependency Hierarchy:

  • jquery-2.1.1.min.js (Vulnerable Library)
jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /vendors/gauge.js/index.html

Path to vulnerable library: /vendors/gauge.js/index.html,/vendors/switchery/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)
jquery-1.6.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.6.2/jquery.js

Path to dependency file: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/index.html

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/morris.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/starrr/node_modules/qs/test/browser/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/select2/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/Chart.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/switchery/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js

Dependency Hierarchy:

  • jquery-1.6.2.js (Vulnerable Library)
jquery-1.8.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js

Path to dependency file: /vendors/flot/examples/fill-types/index.html

Path to vulnerable library: /vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/series-toggle/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/selection/../../source/jquery.js,/vendors/flot/flot-2.1.3/package/node_modules/webcharts-development-settings/benchmark-infrastructure/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time-zones/../../source/jquery.js,/vendors/Flot/examples/interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/annotating/../../source/jquery.js,/vendors/Flot/examples/threshold/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/threshold/../../source/jquery.js,/vendors/Flot/examples/selection/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-toggle/../../source/jquery.js,/vendors/Flot/examples/canvas/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/stacking/../../source/jquery.js,/vendors/Flot/examples/tracking/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-errorbars/../../source/jquery.js,/vendors/Flot/examples/image/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/Flot/examples/basic-options/../../jquery.js,/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/tracking/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/visitors/../../source/jquery.js,/vendors/Flot/examples/zooming/../../jquery.js,/vendors/Flot/examples/annotating/../../jquery.js,/vendors/Flot/examples/basic-usage/../../jquery.js,/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/Flot/examples/series-pie/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/percentiles/../../source/jquery.js,/vendors/Flot/examples/symbols/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-usage/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time/../../source/jquery.js,/vendors/Flot/examples/axes-multiple/../../jquery.js,/vendors/Flot/examples/navigate/../../jquery.js,/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/Flot/examples/axes-time/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-interacting/../../source/jquery.js,/vendors/Flot/examples/categories/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigate/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/Flot/examples/ajax/../../jquery.js,/vendors/Flot/examples/axes-interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/categories/../../source/jquery.js,/vendors/Flot/examples/percentiles/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/zooming/../../source/jquery.js,/vendors/Flot/examples/realtime/../../jquery.js,/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/ajax/../../source/jquery.js,/vendors/Flot/examples/series-errorbars/../../jquery.js,/vendors/Flot/examples/series-types/../../jquery.js,/vendors/Flot/examples/resize/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/visitors/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/symbols/../../source/jquery.js,/vendors/Flot/examples/stacking/../../jquery.js,/vendors/Flot/examples/axes-time-zones/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/resize/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-multiple/../../source/jquery.js,/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/realtime/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-types/../../source/jquery.js,/vendors/Flot/examples/../jquery.js,/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/interacting/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-pie/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-options/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/image/../../source/jquery.js

Dependency Hierarchy:

  • jquery-1.8.3.js (Vulnerable Library)
jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /vendors/nprogress/index.html

Path to vulnerable library: /vendors/nprogress/index.html

Dependency Hierarchy:

  • jquery-1.11.2.min.js (Vulnerable Library)
jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /vendors/select2/node_modules/q-io/node_modules/qs/support/expresso/docs/api.html

Path to vulnerable library: /vendors/select2/node_modules/q-io/node_modules/qs/support/expresso/docs/api.html,/vendors/jquery.easy-pie-chart/node_modules/policyfile/doc/index.html,/vendors/Chart.js/node_modules/policyfile/doc/index.html

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)
jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /vendors/cropper/node_modules/js-base64/.attic/test-moment/index.html

Path to vulnerable library: /vendors/cropper/node_modules/js-base64/.attic/test-moment/index.html,/vendors/animate.css/node_modules/js-base64/.attic/test-moment/index.html,/vendors/select2/node_modules/js-base64/.attic/test-moment/index.html,/vendors/bootstrap-daterangepicker/node_modules/js-base64/.attic/test-moment/index.html,/vendors/bootstrap/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)
jquery-3.3.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.js

Path to dependency file: /vendors/bootstrap-daterangepicker/demo.html

Path to vulnerable library: /vendors/bootstrap-daterangepicker/demo.html

Dependency Hierarchy:

  • jquery-3.3.1.js (Vulnerable Library)
jquery-2.2.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js

Path to dependency file: /production/general_elements.html

Path to vulnerable library: /production/../vendors/jquery/dist/jquery.min.js

Dependency Hierarchy:

  • jquery-2.2.4.min.js (Vulnerable Library)
jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /vendors/Chart.js/samples/AnimationCallbacks/progress-bar.html

Path to vulnerable library: /vendors/Chart.js/samples/AnimationCallbacks/progress-bar.html

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)
jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Path to vulnerable library: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)
jquery-1.9.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.min.js

Path to dependency file: /production/form_validation.html

Path to vulnerable library: /production/form_validation.html,/vendors/validator/index.html,/vendors/flot.orderbars/examples/js/vendor/jquery-1.9.1.min.js

Dependency Hierarchy:

  • jquery-1.9.1.min.js (Vulnerable Library)
jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /vendors/jqvmap/node_modules/jquery/src/sizzle/test/index.html

Path to vulnerable library: /vendors/jqvmap/node_modules/jquery/src/sizzle/test/jquery.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)
jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/node_modules/grunt-nuget/node_modules/underscore.string/test/test_underscore/temp_tests.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/grunt-nuget/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jszip/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/starrr/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/DateJS/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jqvmap/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jquery.easy-pie-chart/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/select2/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/devbridge-autocomplete/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/morris.js/node_modules/underscore.string/test/test_underscore/vendor/jquery.js

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)
jquery-1.11.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Path to dependency file: /docs/index.html

Path to vulnerable library: /docs/js/jquery.min.js,/vendors/jqvmap/examples/greece.html,/vendors/echarts/test/lib/jquery.min.js,/vendors/echarts/test/./lib/jquery.min.js

Dependency Hierarchy:

  • jquery-1.11.3.min.js (Vulnerable Library)
jquery-1.11.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.js

Path to dependency file: /vendors/starrr/index.html

Path to vulnerable library: /vendors/starrr/index.html

Dependency Hierarchy:

  • jquery-1.11.1.js (Vulnerable Library)
jquery-1.11.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.min.js

Path to dependency file: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Path to vulnerable library: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Dependency Hierarchy:

  • jquery-1.11.0.min.js (Vulnerable Library)
jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.3.1.tgz (Vulnerable Library)
jquery-2.2.4.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-2.2.4.tgz (Vulnerable Library)
jquery-1.11.3.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-1.11.3.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-1.11.3.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Step up your Open Source Security Game with Mend here

CVE-2018-19827 (High) detected in node-sass-4.11.0.tgz, opennmsopennms-source-24.1.2-1

CVE-2018-19827 - High Severity Vulnerability

Vulnerable Libraries - node-sass-4.11.0.tgz, opennmsopennms-source-24.1.2-1

node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Path to dependency file: /vendors/bootstrap/package.json

Path to vulnerable library: /vendors/bootstrap/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-12-03

URL: CVE-2018-19827

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-12-03

Fix Resolution: 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2019-1010266 (Medium) detected in multiple libraries

CVE-2019-1010266 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-1.2.1.tgz, lodash-1.3.1.tgz, lodash-3.10.1.tgz, lodash-3.7.0.tgz, lodash-2.4.2.tgz, lodash-2.2.1.tgz, lodash-4.6.1.tgz, lodash-1.0.2.tgz, lodash-4.0.1.tgz, lodash-3.2.0.tgz, lodash-0.9.2.tgz

lodash-1.2.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.2.1.tgz

Path to dependency file: /vendors/morris.js/package.json

Path to vulnerable library: /vendors/morris.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • inquirer-0.3.5.tgz
      • lodash-1.2.1.tgz (Vulnerable Library)
lodash-1.3.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.3.1.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/resolve-dep/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • resolve-dep-0.1.3.tgz
      • lodash-1.3.1.tgz (Vulnerable Library)
lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /vendors/cropper/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/karma/node_modules/lodash/package.json

Dependency Hierarchy:

  • karma-0.12.37.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)
lodash-3.7.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Path to dependency file: /vendors/bootstrap-wysiwyg/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/jshint/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • jshint-2.8.0.tgz (Root Library)
    • lodash-3.7.0.tgz (Vulnerable Library)
lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json,/vendors/Chart.js/node_modules/gulp-jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-jasmine-0.8.2.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)
lodash-2.2.1.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.2.1.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/sort-object/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-readme-0.4.5.tgz (Root Library)
    • assemble-yaml-0.2.1.tgz
      • sort-object-0.0.4.tgz
        • lodash-2.2.1.tgz (Vulnerable Library)
lodash-4.6.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.6.1.tgz

Path to dependency file: /vendors/bootstrap-datetimepicker/package.json

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/grunt-jscs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-jscs-3.0.1.tgz (Root Library)
    • lodash-4.6.1.tgz (Vulnerable Library)
lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json,/vendors/jquery.easy-pie-chart/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • gaze-0.4.3.tgz
      • globule-0.1.0.tgz
        • lodash-1.0.2.tgz (Vulnerable Library)
lodash-4.0.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.0.1.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/select2/node_modules/grunt-saucelabs/node_modules/lodash/package.json,/vendors/select2/node_modules/grunt-saucelabs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-saucelabs-8.6.3.tgz (Root Library)
    • lodash-4.0.1.tgz (Vulnerable Library)
lodash-3.2.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/grunt-contrib-uglify/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-uglify-0.10.1.tgz (Root Library)
    • lodash-3.2.0.tgz (Vulnerable Library)
lodash-0.9.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-0.9.2.tgz

Path to dependency file: /vendors/jszip/package.json

Path to vulnerable library: /vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json,/vendors/bootstrap-wysiwyg/node_modules/grunt-legacy-util/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • lodash-0.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (bower): 1.7.5

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (karma): 2.0.0

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (jshint): 2.9.6

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-contrib-jasmine): 2.0.3

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.1

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-contrib-uglify): 0.11.1

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt): 1.0.3

Step up your Open Source Security Game with Mend here

CVE-2018-14042 (Medium) detected in multiple libraries

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.3.5.min.js, bootstrap.3.3.0.nupkg, bootstrap-3.3.6.min.js, bootstrap-3.3.1.min.js, bootstrap-4.1.0.min.js

bootstrap-3.3.5.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Path to vulnerable library: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Dependency Hierarchy:

  • bootstrap-3.3.5.min.js (Vulnerable Library)
bootstrap.3.3.0.nupkg

Sleek, intuitive, and powerful mobile first front-end framework for faster and easier web developmen...

Library home page: https://api.nuget.org/packages/bootstrap.3.3.0.nupkg

Path to dependency file: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Path to vulnerable library: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Dependency Hierarchy:

  • bootstrap.3.3.0.nupkg (Vulnerable Library)
bootstrap-3.3.6.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.min.js

Path to dependency file: /docs/index.html

Path to vulnerable library: /docs/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.6.min.js (Vulnerable Library)
bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Dependency Hierarchy:

  • bootstrap-3.3.1.min.js (Vulnerable Library)
bootstrap-4.1.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.0/js/bootstrap.min.js

Path to dependency file: /vendors/bootstrap-daterangepicker/website/index.html

Path to vulnerable library: /vendors/bootstrap-daterangepicker/website/index.html

Dependency Hierarchy:

  • bootstrap-4.1.0.min.js (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

Step up your Open Source Security Game with Mend here

CVE-2017-16119 (High) detected in fresh-0.3.0.tgz, fresh-0.2.0.tgz

CVE-2017-16119 - High Severity Vulnerability

Vulnerable Libraries - fresh-0.3.0.tgz, fresh-0.2.0.tgz

fresh-0.3.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz

Path to dependency file: /vendors/jquery.easy-pie-chart/package.json

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/fresh/package.json,/vendors/jquery.easy-pie-chart/node_modules/fresh/package.json,/vendors/jquery.easy-pie-chart/node_modules/fresh/package.json

Dependency Hierarchy:

  • karma-0.12.37.tgz (Root Library)
    • connect-2.30.2.tgz
      • fresh-0.3.0.tgz (Vulnerable Library)
fresh-0.2.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.2.0.tgz

Path to dependency file: /vendors/DateJS/package.json

Path to vulnerable library: /vendors/DateJS/node_modules/fresh/package.json

Dependency Hierarchy:

  • grunt-contrib-connect-0.7.1.tgz (Root Library)
    • connect-2.13.1.tgz
      • fresh-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/526

Release Date: 2018-06-07

Fix Resolution (fresh): 0.5.2

Direct dependency fix Resolution (karma): 0.13.0

Fix Resolution (fresh): 0.5.2

Direct dependency fix Resolution (grunt-contrib-connect): 0.11.0

Step up your Open Source Security Game with Mend here

CVE-2016-1000232 (Medium) detected in tough-cookie-2.2.2.tgz, tough-cookie-0.12.1.tgz

CVE-2016-1000232 - Medium Severity Vulnerability

Vulnerable Libraries - tough-cookie-2.2.2.tgz, tough-cookie-0.12.1.tgz

tough-cookie-2.2.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz

Path to dependency file: /vendors/select2/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/tough-cookie/package.json,/vendors/jqvmap/node_modules/tough-cookie/package.json,/vendors/jqvmap/node_modules/tough-cookie/package.json,/vendors/jqvmap/node_modules/tough-cookie/package.json,/vendors/jqvmap/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • grunt-lib-phantomjs-0.7.1.tgz
      • phantomjs-1.9.20.tgz
        • request-2.67.0.tgz
          • tough-cookie-2.2.2.tgz (Vulnerable Library)
tough-cookie-0.12.1.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-0.12.1.tgz

Path to dependency file: /vendors/flot/flot-2.1.3/package/package.json

Path to vulnerable library: /vendors/flot/flot-2.1.3/package/node_modules/insight/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • karma-jasmine-jquery-0.1.1.tgz (Root Library)
    • bower-installer-0.8.4.tgz
      • bower-1.3.12.tgz
        • insight-0.4.3.tgz
          • tough-cookie-0.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.

Publish Date: 2018-09-05

URL: CVE-2016-1000232

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/130

Release Date: 2018-09-05

Fix Resolution (tough-cookie): 2.3.0

Direct dependency fix Resolution (grunt-mocha): 1.0.2

Step up your Open Source Security Game with Mend here

CVE-2015-9251 (Medium) detected in multiple libraries

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.4.3.min.js, jquery-2.1.1.min.js, jquery-1.7.2.min.js, jquery-1.6.2.js, jquery-1.9.0.min.js, jquery-1.8.3.js, jquery-1.11.2.min.js, jquery-1.11.1.min.js, jquery-2.1.4.min.js, jquery-2.2.4.min.js, jquery-2.1.3.min.js, jquery-1.8.2.min.js, jquery-1.9.1.min.js, jquery-1.9.1.js, jquery-1.3.2.min.js, jquery-1.11.3.min.js, jquery-1.11.1.js, jquery-1.11.0.min.js, jquery-1.7.1.min.js, jquery-1.8.1.min.js, jquery-2.2.4.tgz, jquery-1.11.3.tgz

jquery-1.4.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.3/jquery.min.js

Path to dependency file: /vendors/transitionize/node_modules/superagent/docs/head.html

Path to vulnerable library: /vendors/transitionize/node_modules/superagent/docs/head.html,/vendors/switchery/node_modules/superagent/docs/head.html

Dependency Hierarchy:

  • jquery-1.4.3.min.js (Vulnerable Library)
jquery-2.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/docs/theme/base.html

Dependency Hierarchy:

  • jquery-2.1.1.min.js (Vulnerable Library)
jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /vendors/gauge.js/index.html

Path to vulnerable library: /vendors/gauge.js/index.html,/vendors/switchery/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)
jquery-1.6.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.6.2/jquery.js

Path to dependency file: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/index.html

Path to vulnerable library: /vendors/jquery.easy-pie-chart/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/morris.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/starrr/node_modules/qs/test/browser/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/select2/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js,/vendors/Chart.js/node_modules/tiny-lr/node_modules/qs/test/browser/jquery.js,/vendors/switchery/node_modules/tiny-lr-fork/node_modules/qs/test/browser/jquery.js

Dependency Hierarchy:

  • jquery-1.6.2.js (Vulnerable Library)
jquery-1.9.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.0/jquery.min.js

Path to dependency file: /vendors/jquery-knob/index.html

Path to vulnerable library: /vendors/jquery-knob/index.html

Dependency Hierarchy:

  • jquery-1.9.0.min.js (Vulnerable Library)
jquery-1.8.3.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js

Path to dependency file: /vendors/flot/examples/fill-types/index.html

Path to vulnerable library: /vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/series-toggle/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/selection/../../source/jquery.js,/vendors/flot/flot-2.1.3/package/node_modules/webcharts-development-settings/benchmark-infrastructure/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time-zones/../../source/jquery.js,/vendors/Flot/examples/interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/annotating/../../source/jquery.js,/vendors/Flot/examples/threshold/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/threshold/../../source/jquery.js,/vendors/Flot/examples/selection/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-toggle/../../source/jquery.js,/vendors/Flot/examples/canvas/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/stacking/../../source/jquery.js,/vendors/Flot/examples/tracking/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-errorbars/../../source/jquery.js,/vendors/Flot/examples/image/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/Flot/examples/basic-options/../../jquery.js,/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/tracking/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/visitors/../../source/jquery.js,/vendors/Flot/examples/zooming/../../jquery.js,/vendors/Flot/examples/annotating/../../jquery.js,/vendors/Flot/examples/basic-usage/../../jquery.js,/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/log-scale/../../source/jquery.js,/vendors/Flot/examples/series-pie/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-labels/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/percentiles/../../source/jquery.js,/vendors/Flot/examples/symbols/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-usage/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-time/../../source/jquery.js,/vendors/Flot/examples/axes-multiple/../../jquery.js,/vendors/Flot/examples/navigate/../../jquery.js,/vendors/flot/examples/axes-tickLabels/../../source/jquery.js,/vendors/Flot/examples/axes-time/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-interacting/../../source/jquery.js,/vendors/Flot/examples/categories/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigate/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/Flot/examples/ajax/../../jquery.js,/vendors/Flot/examples/axes-interacting/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/categories/../../source/jquery.js,/vendors/Flot/examples/percentiles/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/zooming/../../source/jquery.js,/vendors/Flot/examples/realtime/../../jquery.js,/vendors/flot/examples/navigateTouch/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/ajax/../../source/jquery.js,/vendors/Flot/examples/series-errorbars/../../jquery.js,/vendors/Flot/examples/series-types/../../jquery.js,/vendors/Flot/examples/resize/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/fill-types/../../source/jquery.js,/vendors/Flot/examples/visitors/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/symbols/../../source/jquery.js,/vendors/Flot/examples/stacking/../../jquery.js,/vendors/Flot/examples/axes-time-zones/../../jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/resize/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/axes-multiple/../../source/jquery.js,/vendors/flot/examples/axes-autoscaling/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/realtime/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-types/../../source/jquery.js,/vendors/Flot/examples/../jquery.js,/vendors/flot/examples/plot-legend/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/interacting/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/series-pie/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/basic-options/../../source/jquery.js,/vendors/flot.curvedlines/vendors/flot/examples/image/../../source/jquery.js

Dependency Hierarchy:

  • jquery-1.8.3.js (Vulnerable Library)
jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /vendors/nprogress/index.html

Path to vulnerable library: /vendors/nprogress/index.html

Dependency Hierarchy:

  • jquery-1.11.2.min.js (Vulnerable Library)
jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /vendors/select2/node_modules/q-io/node_modules/qs/support/expresso/docs/api.html

Path to vulnerable library: /vendors/select2/node_modules/q-io/node_modules/qs/support/expresso/docs/api.html,/vendors/jquery.easy-pie-chart/node_modules/policyfile/doc/index.html,/vendors/Chart.js/node_modules/policyfile/doc/index.html

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)
jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /vendors/cropper/node_modules/js-base64/.attic/test-moment/index.html

Path to vulnerable library: /vendors/cropper/node_modules/js-base64/.attic/test-moment/index.html,/vendors/animate.css/node_modules/js-base64/.attic/test-moment/index.html,/vendors/select2/node_modules/js-base64/.attic/test-moment/index.html,/vendors/bootstrap-daterangepicker/node_modules/js-base64/.attic/test-moment/index.html,/vendors/bootstrap/node_modules/js-base64/test/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)
jquery-2.2.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js

Path to dependency file: /production/general_elements.html

Path to vulnerable library: /production/../vendors/jquery/dist/jquery.min.js

Dependency Hierarchy:

  • jquery-2.2.4.min.js (Vulnerable Library)
jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /vendors/Chart.js/samples/AnimationCallbacks/progress-bar.html

Path to vulnerable library: /vendors/Chart.js/samples/AnimationCallbacks/progress-bar.html

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)
jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Path to vulnerable library: /vendors/bootstrap/node_modules/errors/doc/html/errors.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)
jquery-1.9.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.min.js

Path to dependency file: /production/form_validation.html

Path to vulnerable library: /production/form_validation.html,/vendors/validator/index.html,/vendors/flot.orderbars/examples/js/vendor/jquery-1.9.1.min.js

Dependency Hierarchy:

  • jquery-1.9.1.min.js (Vulnerable Library)
jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /vendors/jqvmap/node_modules/jquery/src/sizzle/test/index.html

Path to vulnerable library: /vendors/jqvmap/node_modules/jquery/src/sizzle/test/jquery.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)
jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: /vendors/bootstrap-datetimepicker/node_modules/grunt-nuget/node_modules/underscore.string/test/test_underscore/temp_tests.html

Path to vulnerable library: /vendors/bootstrap-datetimepicker/node_modules/grunt-nuget/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jszip/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/starrr/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/DateJS/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jqvmap/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/bootstrap-wysiwyg/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/jquery.easy-pie-chart/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/select2/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/devbridge-autocomplete/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/vendors/morris.js/node_modules/underscore.string/test/test_underscore/vendor/jquery.js

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)
jquery-1.11.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Path to dependency file: /docs/index.html

Path to vulnerable library: /docs/js/jquery.min.js,/vendors/jqvmap/examples/greece.html,/vendors/echarts/test/lib/jquery.min.js,/vendors/echarts/test/./lib/jquery.min.js

Dependency Hierarchy:

  • jquery-1.11.3.min.js (Vulnerable Library)
jquery-1.11.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.js

Path to dependency file: /vendors/starrr/index.html

Path to vulnerable library: /vendors/starrr/index.html

Dependency Hierarchy:

  • jquery-1.11.1.js (Vulnerable Library)
jquery-1.11.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.min.js

Path to dependency file: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Path to vulnerable library: /vendors/bootstrap-wysiwyg/examples/clear-formatting.html

Dependency Hierarchy:

  • jquery-1.11.0.min.js (Vulnerable Library)
jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /vendors/Chart.js/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /vendors/Chart.js/node_modules/vm-browserify/example/run/index.html,/vendors/jszip/node_modules/vm-browserify/example/run/index.html,/vendors/echarts/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /vendors/morris.js/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /vendors/morris.js/node_modules/redeyed/examples/browser/index.html,/vendors/flot/flot-2.1.3/package/node_modules/redeyed/examples/browser/index.html,/vendors/flot/flot-2.1.3/package/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html,/vendors/select2/node_modules/tap/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)
jquery-2.2.4.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz

Path to dependency file: /vendors/Chart.js/package.json

Path to vulnerable library: /vendors/Chart.js/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-2.2.4.tgz (Vulnerable Library)
jquery-1.11.3.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-1.11.3.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-1.11.3.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2016-4055 (Medium) detected in moment.js.2.9.0.nupkg, moment-2.0.0.tgz

CVE-2016-4055 - Medium Severity Vulnerability

Vulnerable Libraries - moment.js.2.9.0.nupkg, moment-2.0.0.tgz

moment.js.2.9.0.nupkg

A lightweight javascript date library for parsing, manipulating, and formatting dates.

Library home page: https://api.nuget.org/packages/moment.js.2.9.0.nupkg

Path to dependency file: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec

Path to vulnerable library: /vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.CSS.nuspec,/vendors/bootstrap-datetimepicker/src/nuget/Bootstrap.v3.Datetimepicker.nuspec

Dependency Hierarchy:

  • moment.js.2.9.0.nupkg (Vulnerable Library)
moment-2.0.0.tgz

Parse, manipulate, and display dates.

Library home page: https://registry.npmjs.org/moment/-/moment-2.0.0.tgz

Path to dependency file: /vendors/jqvmap/package.json

Path to vulnerable library: /vendors/jqvmap/node_modules/moment/package.json

Dependency Hierarchy:

  • grunt-changelog-0.2.2.tgz (Root Library)
    • moment-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 0736072b46adcf2ceef588bb8660b4851929bc43

Vulnerability Details

The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2016-4055

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-87vv-r9j6-g5qv

Release Date: 2017-01-23

Fix Resolution (moment): 2.11.2

Direct dependency fix Resolution (grunt-changelog): 0.3.2

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.