Customizable JavaScript data validator.
Home Page: https://pustovitdmytro.github.io/cottus/
License: MIT License
๐ป My Github account statistics:
๐ข I'm currently working at the WebbyLab
๐ซ How to reach me:
![lalaps[bot] avatar](https://avatars.githubusercontent.com/u/21958847?v=4 "lalaps[bot]")
![lgtm-com[bot] avatar](https://avatars.githubusercontent.com/in/17324?v=4 "lgtm-com[bot]")
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
Vulnerable Library - semver-regex-3.1.3.tgzRegular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-3.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
Publish Date: 2022-06-02
URL: CVE-2021-43307
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
Release Date: 2022-06-02
Fix Resolution (semver-regex): 3.1.4
Direct dependency fix Resolution (semantic-release): 19.0.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - parse-url-6.0.0.tgzAn advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0.
Publish Date: 2022-06-27
URL: CVE-2022-2218
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/024912d3-f103-4daf-a1d0-567f4d9f2bf5/
Release Date: 2022-06-27
Fix Resolution: parse-url - 6.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - parse-link-header-1.0.1.tgzParses a link header and returns paging information for each contained link.
Library home page: https://registry.npmjs.org/parse-link-header/-/parse-link-header-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-link-header/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package parse-link-header before 2.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.
Publish Date: 2021-12-24
URL: CVE-2021-23490
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23490
Release Date: 2021-12-24
Fix Resolution: parse-link-header - 2.0.0
Step up your Open Source Security Game with WhiteSource here
fix path test
Vulnerable Library - semantic-release-19.0.2.tgzAutomated semver compliant package publishing
Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-19.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semantic-release/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by encodeURI. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with encodeURI when included in a URL are already masked properly.
Publish Date: 2022-06-09
URL: CVE-2022-31051
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-x2pg-mjhr-2m5x
Release Date: 2022-06-09
Fix Resolution: 19.0.3
Step up your Open Source Security Game with Mend here
This issue provides visibility into Lalaps updates and their statuses.
decode-uri-component vulnerable to Denial of Service (DoS)
Library: decode-uri-component
Affected versions: <=0.2.0
Severity: low
Root Libraries:
minimatch ReDoS vulnerability
Library: minimatch
Affected versions: <3.0.5
Severity: high
โ๏ธ #58
โ๏ธ #52
Root Libraries:
Authorization Bypass in parse-path
Library: parse-path
Affected versions: <5.0.0
Severity: high
โ๏ธ #58
โ๏ธ #52
Root Libraries:
parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing
Library: parse-url
Affected versions: <8.1.0
Severity: moderate
โ๏ธ #58
โ๏ธ #52
Root Libraries:
Last Updated: 01 Dec 2022, at 01:10 UTC
Vulnerable Library - npm-8.4.1.tgza package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-8.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/npm/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
Publish Date: 2022-06-13
URL: CVE-2022-29244
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-hj9c-8jmm-8c52
Release Date: 2022-06-13
Fix Resolution (npm): 8.11.0
Direct dependency fix Resolution (semantic-release): 19.0.3
Step up your Open Source Security Game with Mend here
Issue Description
cron rule triggers NOT_CRON error on empty input
Please follow the general troubleshooting steps first:
Additional context
Use in assembler
Vulnerable Library - jquery-1.8.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: cottus/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - follow-redirects-1.14.4.tgzHTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (8.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution: follow-redirects - v1.14.7
Step up your Open Source Security Game with WhiteSource here
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
@babel/cli, @babel/core, @babel/node, @babel/plugin-proposal-class-properties, @babel/plugin-proposal-decorators, @babel/plugin-proposal-object-rest-spread, @babel/plugin-proposal-optional-chaining, @babel/preset-env, @babel/runtime, @commitlint/cli, @commitlint/lint, @semantic-release/changelog, chai, chance, code-chronicle, danger, eslint, eslint-config-incredible, eslint-plugin-censor, eslint-plugin-import, eslint-plugin-mocha, eslint-plugin-promise, eslint-plugin-regexp, eslint-plugin-security, eslint-plugin-sonarjs, fs-extra, jscpd, lockfile-lint, mocha, mocha-junit-reporter, node-package-tester, semantic-release)@commitlint/cli, @commitlint/lint, babel-plugin-module-resolver, conventional-changelog-eslint, eslint-plugin-markdown, eslint-plugin-unicorn, fs-extra, husky, mocha, semantic-release, uuid).github/workflows/codeql.yml
actions/checkout v3github/codeql-action v2github/codeql-action v2github/codeql-action v2.github/workflows/npt.yml
actions/checkout v2actions/setup-node v2actions/setup-node v2
package.json
myrmidon 1.7.2@babel/cli ^7.16.8@babel/core ^7.16.12@babel/node ^7.16.8@babel/plugin-proposal-class-properties ^7.16.7@babel/plugin-proposal-decorators ^7.16.7@babel/plugin-proposal-object-rest-spread ^7.16.7@babel/plugin-proposal-optional-chaining ^7.16.7@babel/polyfill ^7.12.1@babel/preset-env ^7.16.11@babel/runtime ^7.16.7@commitlint/cli ^16.1.0@commitlint/lint ^16.0.0@semantic-release/changelog ^6.0.1@semantic-release/git ^10.0.1babel-plugin-module-resolver ^4.1.0chai ^4.3.6chance ^1.1.8code-chronicle ^1.5.1conventional-changelog-eslint ^3.0.9coveralls ^3.1.1danger ^11.2.3eslint ^8.8.0eslint-config-incredible ^2.4.1eslint-plugin-censor ^1.5.2eslint-plugin-import ^2.25.4eslint-plugin-markdown ^2.2.1eslint-plugin-mocha ^10.0.3eslint-plugin-no-secrets ^0.8.9eslint-plugin-node ^11.1.0eslint-plugin-promise ^6.0.0eslint-plugin-regexp ^1.5.1eslint-plugin-scanjs-rules ^0.2.1eslint-plugin-security ^1.4.0eslint-plugin-sonarjs ^0.11.0eslint-plugin-unicorn ^40.1.0fs-extra ^10.0.0husky ^7.0.4jscpd ^3.4.5lockfile-lint ^4.6.2mocha ^9.2.0mocha-junit-reporter ^2.0.2node-package-tester ^1.3.3nyc ^15.1.0semantic-release ^19.0.3semantic-release-telegram ^1.6.2uuid ^8.3.2node >=10
docs/requirements.txt
jinja2 ==3.0.3Markdown <3.2
Vulnerable Library - npm-7.24.2.tgza package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-7.24.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/npm/package.json
Dependency Hierarchy:
Found in HEAD commit: 8f640ed14f71e2046729c0b4210ab5a3591a2681
Found in base branch: master
Vulnerability Details
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.
Publish Date: 2021-11-13
URL: CVE-2021-43616
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43616
Release Date: 2021-11-13
Fix Resolution: npm - 8.1.4
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - parse-url-6.0.0.tgzAn advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0.
Publish Date: 2022-06-27
URL: CVE-2022-0722
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226
Release Date: 2022-06-27
Fix Resolution: parse-url - 6.0.1
Step up your Open Source Security Game with Mend here
Check npt actions
Vulnerable Library - axios-0.21.4.tgzPromise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.
Publish Date: 2022-05-03
URL: CVE-2022-1214
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/
Release Date: 2022-05-03
Fix Resolution: axios - v0.26.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-1.8.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: cottus/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - parse-path-4.0.3.tgzParse paths (local paths, urls: ssh/git/etc)
Library home page: https://registry.npmjs.org/parse-path/-/parse-path-4.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-path/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
Publish Date: 2022-06-28
URL: CVE-2022-0624
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0624
Release Date: 2022-06-28
Fix Resolution: parse-path - 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - ansi-regex-5.0.0.tgz, ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (semantic-release): 19.0.3
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (semantic-release): 19.0.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - jquery-1.8.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: cottus/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-28
Fix Resolution: jquery - 1.9.0
Step up your Open Source Security Game with WhiteSource here
Issue Description
Errors default views not includes messages
Please follow the general troubleshooting steps first:
Environment:
Vulnerable Library - jsonpointer-4.1.0.tgzSimple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsonpointer/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
Publish Date: 2021-11-03
URL: CVE-2021-23807
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807
Release Date: 2021-11-03
Fix Resolution: jsonpointer - 5.0.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - glob-parent-5.1.2.tgzExtract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution (glob-parent): 6.0.1
Direct dependency fix Resolution (@babel/cli): 7.17.3
Step up your Open Source Security Game with Mend here
Add ability to use async rules. All build-in rules remain sync
Vulnerable Library - parse-url-6.0.0.tgzAn advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0.
Publish Date: 2022-06-27
URL: CVE-2022-2217
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/4e046c63-b1ca-4bcc-b418-29796918a71b/
Release Date: 2022-06-27
Fix Resolution: parse-url - 6.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - parse-url-6.0.0.tgzAn advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.
Publish Date: 2022-06-27
URL: CVE-2022-2216
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1/
Release Date: 2022-06-27
Fix Resolution: parse-url - 6.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-fetch-2.6.1.tgzA light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
Found in HEAD commit: 07be8a90cdfacbde7b0e910f63a6c66745da327f
Found in base branch: master
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-1.8.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: cottus/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
new Cottus({ref: Symbol("ref")})
Add new rules:
1. rsa private key
2. time_unit
3. integer
4. boolean
5.url
6. os_path
7. email
8. port
9. host
10. one_of
11. cron
12. string
14. default
15. list_of
16. nested_object
19. uuid
Please follow the general troubleshooting steps first:
Vulnerable Library - json-schema-0.2.3.tgzJSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Dependency Hierarchy:
Found in HEAD commit: 8f640ed14f71e2046729c0b4210ab5a3591a2681
Found in base branch: master
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution: json-schema - 0.4.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-1.8.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: cottus/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
Found in HEAD commit: 0888eee49d490c03a2d773287f1270e8a617d8ca
Found in base branch: master
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Step up your Open Source Security Game with WhiteSource here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.