custom_agile_todo_frontend's Issues
CVE-2020-36049 (High) detected in socket.io-parser-3.2.0.tgz
CVE-2020-36049 - High Severity Vulnerability
Vulnerable Library - socket.io-parser-3.2.0.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.2.0.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- socket.io-2.1.1.tgz
- ❌ socket.io-parser-3.2.0.tgz (Vulnerable Library)
- socket.io-2.1.1.tgz
Vulnerability Details
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Publish Date: 2021-01-08
URL: CVE-2020-36049
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36049
Release Date: 2021-01-08
Fix Resolution: socket.io-parser - 3.4.1
Step up your Open Source Security Game with WhiteSource here
CVE-2020-7693 (Medium) detected in sockjs-0.3.19.tgz
CVE-2020-7693 - Medium Severity Vulnerability
Vulnerable Library - sockjs-0.3.19.tgz
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/sockjs/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- ❌ sockjs-0.3.19.tgz (Vulnerable Library)
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: sockjs/sockjs-node#265
Release Date: 2020-07-09
Fix Resolution: sockjs - 0.3.20
Step up your Open Source Security Game with WhiteSource here
CVE-2011-4969 (Medium) detected in jquery-1.4.4.min.js
CVE-2011-4969 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: Custom_Agile_ToDo_frontend/node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 48797ed970a2cc6a46d95a16d14741b2022d8c9e
Vulnerability Details
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969
Release Date: 2013-03-08
Fix Resolution: 1.6.3
Step up your Open Source Security Game with WhiteSource here
CVE-2020-13822 (High) detected in elliptic-6.5.2.tgz
CVE-2020-13822 - High Severity Vulnerability
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/elliptic/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-4.39.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.2.0.tgz
- ❌ elliptic-6.5.2.tgz (Vulnerable Library)
- browserify-sign-4.2.0.tgz
- crypto-browserify-3.12.0.tgz
- node-libs-browser-2.2.1.tgz
- webpack-4.39.2.tgz
Found in HEAD commit: 4061362d3b073ee26e613c3f203ff7e5f5bc363d
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/indutny/elliptic/tree/v6.5.3
Release Date: 2020-06-04
Fix Resolution: v6.5.3
Step up your Open Source Security Game with WhiteSource here
CVE-2020-28481 (Medium) detected in socket.io-2.1.1.tgz
CVE-2020-28481 - Medium Severity Vulnerability
Vulnerable Library - socket.io-2.1.1.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/socket.io/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ socket.io-2.1.1.tgz (Vulnerable Library)
Vulnerability Details
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Publish Date: 2021-01-19
URL: CVE-2020-28481
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481
Release Date: 2021-01-19
Fix Resolution: 2.4.0
Step up your Open Source Security Game with WhiteSource here
build-angular-0.803.26.tgz: 30 vulnerabilities (highest severity is: 9.8)
Vulnerable Library - build-angular-0.803.26.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/serialize-javascript/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (build-angular version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-0691 | High | 9.8 | url-parse-1.4.7.tgz | Transitive | 0.803.27 | ❌ |
CVE-2022-37601 | High | 9.8 | loader-utils-1.2.3.tgz | Transitive | 0.901.0 | ❌ |
CVE-2022-1650 | High | 9.3 | eventsource-1.0.7.tgz | Transitive | 0.803.27 | ❌ |
CVE-2022-0686 | High | 9.1 | url-parse-1.4.7.tgz | Transitive | 0.803.27 | ❌ |
CVE-2022-46175 | High | 8.8 | detected in multiple dependencies | Transitive | 0.803.27 | ❌ |
CVE-2020-7660 | High | 8.1 | serialize-javascript-2.1.2.tgz | Transitive | 0.803.28 | ❌ |
CVE-2021-43138 | High | 7.8 | async-2.6.3.tgz | Transitive | 0.1000.0 | ❌ |
CVE-2020-13822 | High | 7.7 | elliptic-6.5.2.tgz | Transitive | 0.803.27 | ❌ |
CVE-2022-25858 | High | 7.5 | terser-4.6.3.tgz | Transitive | 0.900.0 | ❌ |
CVE-2020-28469 | High | 7.5 | detected in multiple dependencies | Transitive | 13.0.0 | ❌ |
CVE-2021-33502 | High | 7.5 | normalize-url-1.9.1.tgz | Transitive | N/A* | ❌ |
CVE-2022-24772 | High | 7.5 | node-forge-0.9.0.tgz | Transitive | 13.2.1 | ❌ |
CVE-2022-24771 | High | 7.5 | node-forge-0.9.0.tgz | Transitive | 13.2.1 | ❌ |
CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
CVE-2021-23382 | High | 7.5 | postcss-7.0.17.tgz | Transitive | 0.1102.13 | ❌ |
CVE-2022-37603 | High | 7.5 | loader-utils-1.2.3.tgz | Transitive | 13.2.1 | ❌ |
CVE-2020-7720 | High | 7.3 | node-forge-0.9.0.tgz | Transitive | 0.803.27 | ❌ |
CVE-2020-28498 | Medium | 6.8 | elliptic-6.5.2.tgz | Transitive | 0.803.27 | ❌ |
WS-2022-0008 | Medium | 6.6 | node-forge-0.9.0.tgz | Transitive | 13.2.1 | ❌ |
CVE-2022-0122 | Medium | 6.1 | node-forge-0.9.0.tgz | Transitive | 13.2.1 | ❌ |
CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
WS-2019-0424 | Medium | 5.9 | elliptic-6.5.2.tgz | Transitive | 0.803.27 | ❌ |
CVE-2020-7693 | Medium | 5.3 | sockjs-0.3.19.tgz | Transitive | 0.803.27 | ❌ |
CVE-2022-0512 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 0.803.27 | ❌ |
CVE-2021-3664 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 0.803.27 | ❌ |
CVE-2022-24773 | Medium | 5.3 | node-forge-0.9.0.tgz | Transitive | 13.2.1 | ❌ |
CVE-2021-27515 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 0.803.27 | ❌ |
CVE-2022-0639 | Medium | 5.3 | url-parse-1.4.7.tgz | Transitive | 0.803.27 | ❌ |
CVE-2021-23364 | Medium | 5.3 | detected in multiple dependencies | Transitive | 0.900.0 | ❌ |
CVE-2021-23368 | Medium | 5.3 | postcss-7.0.17.tgz | Transitive | 0.1102.13 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
Partial details (26 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2022-0691
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ url-parse-1.4.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-37601
Vulnerable Library - loader-utils-1.2.3.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- ❌ loader-utils-1.2.3.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.0
Step up your Open Source Security Game with Mend here
CVE-2022-1650
Vulnerable Library - eventsource-1.0.7.tgz
W3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/eventsource/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ eventsource-1.0.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-0686
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ url-parse-1.4.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-46175
Vulnerable Libraries - json5-2.1.3.tgz, json5-1.0.1.tgz
json5-2.1.3.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/core/node_modules/json5/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- core-7.8.7.tgz
- ❌ json5-2.1.3.tgz (Vulnerable Library)
- core-7.8.7.tgz
json5-1.0.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- loader-utils-1.2.3.tgz
- ❌ json5-1.0.1.tgz (Vulnerable Library)
- loader-utils-1.2.3.tgz
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2020-7660
Vulnerable Library - serialize-javascript-2.1.2.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/serialize-javascript/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- copy-webpack-plugin-5.1.1.tgz
- ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)
- copy-webpack-plugin-5.1.1.tgz
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.28
Step up your Open Source Security Game with Mend here
CVE-2021-43138
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- source-map-loader-0.2.4.tgz
- ❌ async-2.6.3.tgz (Vulnerable Library)
- source-map-loader-0.2.4.tgz
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.0
Step up your Open Source Security Game with Mend here
CVE-2020-13822
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-4.39.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.2.0.tgz
- ❌ elliptic-6.5.2.tgz (Vulnerable Library)
- browserify-sign-4.2.0.tgz
- crypto-browserify-3.12.0.tgz
- node-libs-browser-2.2.1.tgz
- webpack-4.39.2.tgz
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-25858
Vulnerable Library - terser-4.6.3.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/terser/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- ❌ terser-4.6.3.tgz (Vulnerable Library)
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.900.0
Step up your Open Source Security Game with Mend here
CVE-2020-28469
Vulnerable Libraries - glob-parent-5.1.1.tgz, glob-parent-3.1.0.tgz
glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/chokidar/node_modules/glob-parent/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- sass-1.22.9.tgz
- chokidar-3.4.0.tgz
- ❌ glob-parent-5.1.1.tgz (Vulnerable Library)
- chokidar-3.4.0.tgz
- sass-1.22.9.tgz
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- copy-webpack-plugin-5.1.1.tgz
- ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
- copy-webpack-plugin-5.1.1.tgz
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.0.0
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-33502
Vulnerable Library - normalize-url-1.9.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- mini-css-extract-plugin-0.8.0.tgz
- ❌ normalize-url-1.9.1.tgz (Vulnerable Library)
- mini-css-extract-plugin-0.8.0.tgz
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
Step up your Open Source Security Game with Mend here
CVE-2022-24772
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- ❌ node-forge-0.9.0.tgz (Vulnerable Library)
- selfsigned-1.10.7.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2022-24771
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- ❌ node-forge-0.9.0.tgz (Vulnerable Library)
- selfsigned-1.10.7.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Step up your Open Source Security Game with Mend here
CVE-2021-23382
Vulnerable Library - postcss-7.0.17.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.17.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- ❌ postcss-7.0.17.tgz (Vulnerable Library)
Vulnerability Details
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1102.13
Step up your Open Source Security Game with Mend here
CVE-2022-37603
Vulnerable Library - loader-utils-1.2.3.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- ❌ loader-utils-1.2.3.tgz (Vulnerable Library)
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 2.0.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2020-7720
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- ❌ node-forge-0.9.0.tgz (Vulnerable Library)
- selfsigned-1.10.7.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2020-28498
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-4.39.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.2.0.tgz
- ❌ elliptic-6.5.2.tgz (Vulnerable Library)
- browserify-sign-4.2.0.tgz
- crypto-browserify-3.12.0.tgz
- node-libs-browser-2.2.1.tgz
- webpack-4.39.2.tgz
Vulnerability Details
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
WS-2022-0008
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- ❌ node-forge-0.9.0.tgz (Vulnerable Library)
- selfsigned-1.10.7.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2022-0122
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- ❌ node-forge-0.9.0.tgz (Vulnerable Library)
- selfsigned-1.10.7.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- less-3.9.0.tgz
- ❌ request-2.88.2.tgz (Vulnerable Library)
- less-3.9.0.tgz
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Step up your Open Source Security Game with Mend here
WS-2019-0424
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-4.39.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.2.0.tgz
- ❌ elliptic-6.5.2.tgz (Vulnerable Library)
- browserify-sign-4.2.0.tgz
- crypto-browserify-3.12.0.tgz
- node-libs-browser-2.2.1.tgz
- webpack-4.39.2.tgz
Vulnerability Details
all versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2020-7693
Vulnerable Library - sockjs-0.3.19.tgz
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sockjs/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- ❌ sockjs-0.3.19.tgz (Vulnerable Library)
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution (sockjs): 0.3.20
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-0512
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ url-parse-1.4.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2021-3664
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- sockjs-client-1.4.0.tgz
- ❌ url-parse-1.4.7.tgz (Vulnerable Library)
- sockjs-client-1.4.0.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
url-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-24773
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- ❌ node-forge-0.9.0.tgz (Vulnerable Library)
- selfsigned-1.10.7.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo
for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2022-0122 (Medium) detected in node-forge-0.9.0.tgz - autoclosed
CVE-2022-0122 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- ❌ node-forge-0.9.0.tgz (Vulnerable Library)
- selfsigned-1.10.7.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/
Release Date: 2022-01-06
Fix Resolution: forge - v1.0.0
Step up your Open Source Security Game with WhiteSource here
CVE-2020-11022 (Medium) detected in jquery-1.7.1.min.js
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/echo/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/multiplex/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/hapi/html/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/express-3.x/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: 48797ed970a2cc6a46d95a16d14741b2022d8c9e
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
CVE-2012-6708 (Medium) detected in jquery-1.4.4.min.js, jquery-1.7.1.min.js
CVE-2012-6708 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-1.4.4.min.js, jquery-1.7.1.min.js
jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: Custom_Agile_ToDo_frontend/node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/echo/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/multiplex/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/hapi/html/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/express-3.x/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: 48797ed970a2cc6a46d95a16d14741b2022d8c9e
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Step up your Open Source Security Game with WhiteSource here
CVE-2020-7608 (Medium) detected in yargs-parser-11.1.1.tgz
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Library - yargs-parser-11.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/yargs-parser/package.json
Dependency Hierarchy:
- protractor-5.4.4.tgz (Root Library)
- yargs-12.0.5.tgz
- ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)
- yargs-12.0.5.tgz
Found in HEAD commit: 48797ed970a2cc6a46d95a16d14741b2022d8c9e
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: yargs/yargs-parser@63810ca
Release Date: 2020-06-05
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
Step up your Open Source Security Game with WhiteSource here
CVE-2020-28502 (High) detected in xmlhttprequest-ssl-1.5.5.tgz
CVE-2020-28502 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- socket.io-2.1.1.tgz
- socket.io-client-2.1.1.tgz
- engine.io-client-3.2.1.tgz
- ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
- engine.io-client-3.2.1.tgz
- socket.io-client-2.1.1.tgz
- socket.io-2.1.1.tgz
Vulnerability Details
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28502
Release Date: 2021-03-05
Fix Resolution: xmlhttprequest - 1.7.0
Step up your Open Source Security Game with WhiteSource here
jquery-1.4.4.min.js: 4 vulnerabilities (highest severity is: 6.1)
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2015-9251 | Medium | 6.1 | jquery-1.4.4.min.js | Direct | jQuery - 3.0.0 | ❌ |
CVE-2020-7656 | Medium | 6.1 | jquery-1.4.4.min.js | Direct | jquery - 1.9.0 | ❌ |
CVE-2012-6708 | Medium | 6.1 | jquery-1.4.4.min.js | Direct | jQuery - v1.9.0 | ❌ |
CVE-2011-4969 | Low | 3.7 | jquery-1.4.4.min.js | Direct | 1.6.3 | ❌ |
Details
CVE-2015-9251
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-7656
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-19
Fix Resolution: jquery - 1.9.0
Step up your Open Source Security Game with Mend here
CVE-2012-6708
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Step up your Open Source Security Game with Mend here
CVE-2011-4969
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
Vulnerability Details
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969
Release Date: 2013-03-08
Fix Resolution: 1.6.3
Step up your Open Source Security Game with Mend here
CVE-2020-7660 (High) detected in serialize-javascript-2.1.2.tgz
CVE-2020-7660 - High Severity Vulnerability
Vulnerable Library - serialize-javascript-2.1.2.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- copy-webpack-plugin-5.1.1.tgz
- ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)
- copy-webpack-plugin-5.1.1.tgz
Found in HEAD commit: 48797ed970a2cc6a46d95a16d14741b2022d8c9e
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-01
Fix Resolution: serialize-javascript - 3.1.0
Step up your Open Source Security Game with WhiteSource here
WS-2020-0127 (Low) detected in npm-registry-fetch-4.0.4.tgz
WS-2020-0127 - Low Severity Vulnerability
Vulnerable Library - npm-registry-fetch-4.0.4.tgz
Fetch-based http client for use with npm registry APIs
Library home page: https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-4.0.4.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/npm-registry-fetch/package.json
Dependency Hierarchy:
- cli-8.3.26.tgz (Root Library)
- pacote-9.5.5.tgz
- ❌ npm-registry-fetch-4.0.4.tgz (Vulnerable Library)
- pacote-9.5.5.tgz
Vulnerability Details
npm-registry-fetch before 4.0.5 and 8.1.1 is vulnerable to an information exposure vulnerability through log files.
Publish Date: 2020-07-07
URL: WS-2020-0127
CVSS 3 Score Details (3.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: N/A
- Attack Complexity: N/A
- Privileges Required: N/A
- User Interaction: N/A
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1544
Release Date: 2020-07-14
Fix Resolution: npm-registry-fetch - 4.0.5,8.1.1
Step up your Open Source Security Game with WhiteSource here
CVE-2020-28498 (Medium) detected in elliptic-6.5.2.tgz
CVE-2020-28498 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/elliptic/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-4.39.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.2.0.tgz
- ❌ elliptic-6.5.2.tgz (Vulnerable Library)
- browserify-sign-4.2.0.tgz
- crypto-browserify-3.12.0.tgz
- node-libs-browser-2.2.1.tgz
- webpack-4.39.2.tgz
Vulnerability Details
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution: v6.5.4
Step up your Open Source Security Game with WhiteSource here
protractor-5.4.4.tgz: 4 vulnerabilities (highest severity is: 7.3)
Vulnerable Library - protractor-5.4.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yargs-parser/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (protractor version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-48285 | High | 7.3 | jszip-3.4.0.tgz | Transitive | 6.0.0 | ❌ |
CVE-2023-0842 | Medium | 5.5 | xml2js-0.4.23.tgz | Transitive | N/A* | ❌ |
CVE-2021-23413 | Medium | 5.3 | jszip-3.4.0.tgz | Transitive | 6.0.0 | ❌ |
CVE-2020-7608 | Medium | 5.3 | yargs-parser-11.1.1.tgz | Transitive | 7.0.0 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-48285
Vulnerable Library - jszip-3.4.0.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jszip/package.json
Dependency Hierarchy:
- protractor-5.4.4.tgz (Root Library)
- selenium-webdriver-3.6.0.tgz
- ❌ jszip-3.4.0.tgz (Vulnerable Library)
- selenium-webdriver-3.6.0.tgz
Vulnerability Details
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
Publish Date: 2023-01-29
URL: CVE-2022-48285
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2023-01-29
Fix Resolution (jszip): 3.8.0
Direct dependency fix Resolution (protractor): 6.0.0
Step up your Open Source Security Game with Mend here
CVE-2023-0842
Vulnerable Library - xml2js-0.4.23.tgz
Simple XML to JavaScript object converter.
Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xml2js/package.json
Dependency Hierarchy:
- protractor-5.4.4.tgz (Root Library)
- webdriver-manager-12.1.7.tgz
- ❌ xml2js-0.4.23.tgz (Vulnerable Library)
- webdriver-manager-12.1.7.tgz
Vulnerability Details
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
Publish Date: 2023-04-05
URL: CVE-2023-0842
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Step up your Open Source Security Game with Mend here
CVE-2021-23413
Vulnerable Library - jszip-3.4.0.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jszip/package.json
Dependency Hierarchy:
- protractor-5.4.4.tgz (Root Library)
- selenium-webdriver-3.6.0.tgz
- ❌ jszip-3.4.0.tgz (Vulnerable Library)
- selenium-webdriver-3.6.0.tgz
Vulnerability Details
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g proto, toString, etc) results in a returned object with a modified prototype instance.
Publish Date: 2021-07-25
URL: CVE-2021-23413
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
Release Date: 2021-07-25
Fix Resolution (jszip): 3.7.0
Direct dependency fix Resolution (protractor): 6.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-7608
Vulnerable Library - yargs-parser-11.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yargs-parser/package.json
Dependency Hierarchy:
- protractor-5.4.4.tgz (Root Library)
- yargs-12.0.5.tgz
- ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)
- yargs-12.0.5.tgz
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (protractor): 7.0.0
Step up your Open Source Security Game with Mend here
core-8.2.14.tgz: 1 vulnerabilities (highest severity is: 5.4)
Vulnerable Library - core-8.2.14.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-8.2.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@angular/core/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (core version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-4231 | Medium | 5.4 | core-8.2.14.tgz | Direct | 10.2.5 | ❌ |
Details
CVE-2021-4231
Vulnerable Library - core-8.2.14.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-8.2.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@angular/core/package.json
Dependency Hierarchy:
- ❌ core-8.2.14.tgz (Vulnerable Library)
Vulnerability Details
A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component.
Publish Date: 2022-05-26
URL: CVE-2021-4231
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2022-05-26
Fix Resolution: 10.2.5
Step up your Open Source Security Game with Mend here
CVE-2020-7598 (Medium) detected in minimist-0.0.10.tgz
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- optimist-0.6.1.tgz
- ❌ minimist-0.0.10.tgz (Vulnerable Library)
- optimist-0.6.1.tgz
Found in HEAD commit: 48797ed970a2cc6a46d95a16d14741b2022d8c9e
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
Step up your Open Source Security Game with WhiteSource here
CVE-2015-9251 (Medium) detected in jquery-1.4.4.min.js, jquery-1.7.1.min.js
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-1.4.4.min.js, jquery-1.7.1.min.js
jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: Custom_Agile_ToDo_frontend/node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/echo/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/multiplex/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/hapi/html/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/express-3.x/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: 48797ed970a2cc6a46d95a16d14741b2022d8c9e
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Step up your Open Source Security Game with WhiteSource here
karma-4.1.0.tgz: 19 vulnerabilities (highest severity is: 9.8)
Vulnerable Library - karma-4.1.0.tgz
Spectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (karma version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-44906 | High | 9.8 | minimist-0.0.10.tgz | Transitive | 5.0.0 | ❌ |
CVE-2021-31597 | High | 9.4 | xmlhttprequest-ssl-1.5.5.tgz | Transitive | 5.0.8 | ❌ |
CVE-2020-28502 | High | 8.1 | xmlhttprequest-ssl-1.5.5.tgz | Transitive | 5.0.8 | ❌ |
WS-2020-0443 | High | 8.1 | socket.io-2.1.1.tgz | Transitive | 5.0.8 | ❌ |
WS-2018-0650 | High | 7.5 | useragent-2.3.0.tgz | Transitive | N/A* | ❌ |
CVE-2020-36048 | High | 7.5 | engine.io-3.2.1.tgz | Transitive | 6.0.0 | ❌ |
CVE-2020-36049 | High | 7.5 | socket.io-parser-3.2.0.tgz | Transitive | 5.0.8 | ❌ |
CVE-2022-38900 | High | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 4.2.0 | ❌ |
CVE-2020-8203 | High | 7.4 | lodash-4.17.15.tgz | Transitive | 4.2.0 | ❌ |
CVE-2021-23337 | High | 7.2 | lodash-4.17.15.tgz | Transitive | 4.2.0 | ❌ |
CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.11.0.tgz | Transitive | 4.2.0 | ❌ |
CVE-2022-41940 | Medium | 6.5 | engine.io-3.2.1.tgz | Transitive | 6.0.0 | ❌ |
CVE-2022-0437 | Medium | 6.1 | karma-4.1.0.tgz | Direct | 6.3.14 | ❌ |
CVE-2021-23495 | Medium | 6.1 | karma-4.1.0.tgz | Direct | 6.3.16 | ❌ |
CVE-2022-0536 | Medium | 5.9 | follow-redirects-1.11.0.tgz | Transitive | 4.2.0 | ❌ |
CVE-2020-7598 | Medium | 5.6 | minimist-0.0.10.tgz | Transitive | 5.0.0 | ❌ |
CVE-2022-21704 | Medium | 5.5 | log4js-4.5.1.tgz | Transitive | 5.0.8 | ❌ |
CVE-2020-28500 | Medium | 5.3 | lodash-4.17.15.tgz | Transitive | 4.2.0 | ❌ |
CVE-2020-28481 | Medium | 4.3 | socket.io-2.1.1.tgz | Transitive | 5.0.8 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2021-44906
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- optimist-0.6.1.tgz
- ❌ minimist-0.0.10.tgz (Vulnerable Library)
- optimist-0.6.1.tgz
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.2
Direct dependency fix Resolution (karma): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-31597
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- socket.io-2.1.1.tgz
- socket.io-client-2.1.1.tgz
- engine.io-client-3.2.1.tgz
- ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
- engine.io-client-3.2.1.tgz
- socket.io-client-2.1.1.tgz
- socket.io-2.1.1.tgz
Vulnerability Details
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
CVSS 3 Score Details (9.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
CVE-2020-28502
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- socket.io-2.1.1.tgz
- socket.io-client-2.1.1.tgz
- engine.io-client-3.2.1.tgz
- ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
- engine.io-client-3.2.1.tgz
- socket.io-client-2.1.1.tgz
- socket.io-2.1.1.tgz
Vulnerability Details
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
WS-2020-0443
Vulnerable Library - socket.io-2.1.1.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ socket.io-2.1.1.tgz (Vulnerable Library)
Vulnerability Details
In socket.io in versions 1.0.0 to 2.3.0 is vulnerable to Cross-Site Websocket Hijacking, it allows an attacker to bypass origin protection using special symbols include "`" and "$".
Publish Date: 2020-02-20
URL: WS-2020-0443
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/931197
Release Date: 2020-02-20
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
WS-2018-0650
Vulnerable Library - useragent-2.3.0.tgz
Fastest, most accurate & effecient user agent string parser, uses Browserscope's research for parsing
Library home page: https://registry.npmjs.org/useragent/-/useragent-2.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/useragent/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ useragent-2.3.0.tgz (Vulnerable Library)
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in useragent through 2.3.0.
Publish Date: 2018-02-27
URL: WS-2018-0650
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0650
Release Date: 2018-02-27
Fix Resolution: NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.4;JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03;MIDIator.WebClient - 1.0.105
Step up your Open Source Security Game with Mend here
CVE-2020-36048
Vulnerable Library - engine.io-3.2.1.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- socket.io-2.1.1.tgz
- ❌ engine.io-3.2.1.tgz (Vulnerable Library)
- socket.io-2.1.1.tgz
Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 3.6.0
Direct dependency fix Resolution (karma): 6.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-36049
Vulnerable Library - socket.io-parser-3.2.0.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io-parser/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- socket.io-2.1.1.tgz
- ❌ socket.io-parser-3.2.0.tgz (Vulnerable Library)
- socket.io-2.1.1.tgz
Vulnerability Details
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Publish Date: 2021-01-08
URL: CVE-2020-36049
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xfhh-g9f5-x4m4
Release Date: 2021-01-08
Fix Resolution (socket.io-parser): 3.3.2
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
CVE-2022-38900
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- braces-2.3.2.tgz
- snapdragon-0.8.2.tgz
- source-map-resolve-0.5.3.tgz
- ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
- source-map-resolve-0.5.3.tgz
- snapdragon-0.8.2.tgz
- braces-2.3.2.tgz
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (karma): 4.2.0
Step up your Open Source Security Game with Mend here
CVE-2020-8203
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (karma): 4.2.0
Step up your Open Source Security Game with Mend here
CVE-2021-23337
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (karma): 4.2.0
Step up your Open Source Security Game with Mend here
CVE-2022-0155
Vulnerable Library - follow-redirects-1.11.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.11.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- http-proxy-1.18.1.tgz
- ❌ follow-redirects-1.11.0.tgz (Vulnerable Library)
- http-proxy-1.18.1.tgz
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (karma): 4.2.0
Step up your Open Source Security Game with Mend here
CVE-2022-41940
Vulnerable Library - engine.io-3.2.1.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- socket.io-2.1.1.tgz
- ❌ engine.io-3.2.1.tgz (Vulnerable Library)
- socket.io-2.1.1.tgz
Vulnerability Details
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
Publish Date: 2022-11-22
URL: CVE-2022-41940
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-r7qp-cfhv-p84w
Release Date: 2022-11-22
Fix Resolution (engine.io): 3.6.1
Direct dependency fix Resolution (karma): 6.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-0437
Vulnerable Library - karma-4.1.0.tgz
Spectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/package.json
Dependency Hierarchy:
- ❌ karma-4.1.0.tgz (Vulnerable Library)
Vulnerability Details
Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
Publish Date: 2022-02-05
URL: CVE-2022-0437
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-0437
Release Date: 2022-02-05
Fix Resolution: 6.3.14
Step up your Open Source Security Game with Mend here
CVE-2021-23495
Vulnerable Library - karma-4.1.0.tgz
Spectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/package.json
Dependency Hierarchy:
- ❌ karma-4.1.0.tgz (Vulnerable Library)
Vulnerability Details
The package karma before 6.3.16 are vulnerable to Open Redirect due to missing validation of the return_url query parameter.
Publish Date: 2022-02-25
URL: CVE-2021-23495
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23495
Release Date: 2022-02-25
Fix Resolution: 6.3.16
Step up your Open Source Security Game with Mend here
CVE-2022-0536
Vulnerable Library - follow-redirects-1.11.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.11.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- http-proxy-1.18.1.tgz
- ❌ follow-redirects-1.11.0.tgz (Vulnerable Library)
- http-proxy-1.18.1.tgz
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (karma): 4.2.0
Step up your Open Source Security Game with Mend here
CVE-2020-7598
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- optimist-0.6.1.tgz
- ❌ minimist-0.0.10.tgz (Vulnerable Library)
- optimist-0.6.1.tgz
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (karma): 5.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-21704
Vulnerable Library - log4js-4.5.1.tgz
Port of Log4js to work with node.
Library home page: https://registry.npmjs.org/log4js/-/log4js-4.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/log4js/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ log4js-4.5.1.tgz (Vulnerable Library)
Vulnerability Details
log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.
Publish Date: 2022-01-19
URL: CVE-2022-21704
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-82v2-mx6x-wq7q
Release Date: 2022-01-19
Fix Resolution (log4js): 6.4.0
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
CVE-2020-28500
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (karma): 4.2.0
Step up your Open Source Security Game with Mend here
CVE-2020-28481
Vulnerable Library - socket.io-2.1.1.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ socket.io-2.1.1.tgz (Vulnerable Library)
Vulnerability Details
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Publish Date: 2021-01-19
URL: CVE-2020-28481
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481
Release Date: 2021-01-19
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
jquery-1.7.1.min.js: 5 vulnerabilities (highest severity is: 6.1)
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: /node_modules/sockjs/examples/echo/index.html,/node_modules/sockjs/examples/multiplex/index.html,/node_modules/sockjs/examples/hapi/html/index.html,/node_modules/sockjs/examples/express-3.x/index.html,/node_modules/sockjs/examples/express/index.html
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-11023 | Medium | 6.1 | jquery-1.7.1.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | ❌ |
CVE-2020-11022 | Medium | 6.1 | jquery-1.7.1.min.js | Direct | jQuery - 3.5.0 | ❌ |
CVE-2015-9251 | Medium | 6.1 | jquery-1.7.1.min.js | Direct | jQuery - 3.0.0 | ❌ |
CVE-2020-7656 | Medium | 6.1 | jquery-1.7.1.min.js | Direct | jquery - 1.9.0 | ❌ |
CVE-2012-6708 | Medium | 6.1 | jquery-1.7.1.min.js | Direct | jQuery - v1.9.0 | ❌ |
Details
CVE-2020-11023
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: /node_modules/sockjs/examples/echo/index.html,/node_modules/sockjs/examples/multiplex/index.html,/node_modules/sockjs/examples/hapi/html/index.html,/node_modules/sockjs/examples/express-3.x/index.html,/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Step up your Open Source Security Game with Mend here
CVE-2020-11022
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: /node_modules/sockjs/examples/echo/index.html,/node_modules/sockjs/examples/multiplex/index.html,/node_modules/sockjs/examples/hapi/html/index.html,/node_modules/sockjs/examples/express-3.x/index.html,/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with Mend here
CVE-2015-9251
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: /node_modules/sockjs/examples/echo/index.html,/node_modules/sockjs/examples/multiplex/index.html,/node_modules/sockjs/examples/hapi/html/index.html,/node_modules/sockjs/examples/express-3.x/index.html,/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-7656
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: /node_modules/sockjs/examples/echo/index.html,/node_modules/sockjs/examples/multiplex/index.html,/node_modules/sockjs/examples/hapi/html/index.html,/node_modules/sockjs/examples/express-3.x/index.html,/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-19
Fix Resolution: jquery - 1.9.0
Step up your Open Source Security Game with Mend here
CVE-2012-6708
Vulnerable Library - jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: /node_modules/sockjs/examples/echo/index.html,/node_modules/sockjs/examples/multiplex/index.html,/node_modules/sockjs/examples/hapi/html/index.html,/node_modules/sockjs/examples/express-3.x/index.html,/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Step up your Open Source Security Game with Mend here
CVE-2021-31597 (High) detected in xmlhttprequest-ssl-1.5.5.tgz - autoclosed
CVE-2021-31597 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- socket.io-2.1.1.tgz
- socket.io-client-2.1.1.tgz
- engine.io-client-3.2.1.tgz
- ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
- engine.io-client-3.2.1.tgz
- socket.io-client-2.1.1.tgz
- socket.io-2.1.1.tgz
Vulnerability Details
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
CVSS 3 Score Details (9.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution: xmlhttprequest-ssl - 1.6.1
Step up your Open Source Security Game with WhiteSource here
WS-2019-0424 (Medium) detected in elliptic-6.5.2.tgz
WS-2019-0424 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/elliptic/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-4.39.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.2.0.tgz
- ❌ elliptic-6.5.2.tgz (Vulnerable Library)
- browserify-sign-4.2.0.tgz
- crypto-browserify-3.12.0.tgz
- node-libs-browser-2.2.1.tgz
- webpack-4.39.2.tgz
Found in HEAD commit: 48797ed970a2cc6a46d95a16d14741b2022d8c9e
Vulnerability Details
all versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
Step up your Open Source Security Game with WhiteSource here
CVE-2020-7656 (Medium) detected in jquery-1.4.4.min.js, jquery-1.7.1.min.js
CVE-2020-7656 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-1.4.4.min.js, jquery-1.7.1.min.js
jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: Custom_Agile_ToDo_frontend/node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
- ❌ jquery-1.4.4.min.js (Vulnerable Library)
jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/echo/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/multiplex/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/hapi/html/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/express-3.x/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Found in HEAD commit: 48797ed970a2cc6a46d95a16d14741b2022d8c9e
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: rails/jquery-rails@8f601cb
Release Date: 2020-05-19
Fix Resolution: jquery-rails - 2.2.0
Step up your Open Source Security Game with WhiteSource here
WS-2020-0443 (High) detected in socket.io-2.1.1.tgz - autoclosed
WS-2020-0443 - High Severity Vulnerability
Vulnerable Library - socket.io-2.1.1.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ socket.io-2.1.1.tgz (Vulnerable Library)
Vulnerability Details
In socket.io in versions 1.0.0 to 2.3.0 is vulnerable to Cross-Site Websocket Hijacking, it allows an attacker to bypass origin protection using special symbols include "`" and "$".
Publish Date: 2020-02-20
URL: WS-2020-0443
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/931197
Release Date: 2020-02-20
Fix Resolution: socket.io - 2.4.0
Step up your Open Source Security Game with WhiteSource here
CVE-2020-8203 (High) detected in lodash-4.17.15.tgz
CVE-2020-8203 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/lodash/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-23
Fix Resolution: lodash - 4.17.19
Step up your Open Source Security Game with WhiteSource here
CVE-2020-36048 (High) detected in engine.io-3.2.1.tgz
CVE-2020-36048 - High Severity Vulnerability
Vulnerable Library - engine.io-3.2.1.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/engine.io/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- socket.io-2.1.1.tgz
- ❌ engine.io-3.2.1.tgz (Vulnerable Library)
- socket.io-2.1.1.tgz
Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution: engine.io - 4.0.0
Step up your Open Source Security Game with WhiteSource here
WS-2020-0070 (High) detected in lodash-4.17.15.tgz - autoclosed
WS-2020-0070 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: /tmp/ws-scm/Custom_Agile_ToDo_frontend/node_modules/lodash/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 48797ed970a2cc6a46d95a16d14741b2022d8c9e
Vulnerability Details
a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype
Publish Date: 2020-04-28
URL: WS-2020-0070
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Step up your Open Source Security Game with WhiteSource here
CVE-2020-7720 (High) detected in node-forge-0.9.0.tgz - autoclosed
CVE-2020-7720 - High Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- ❌ node-forge-0.9.0.tgz (Vulnerable Library)
- selfsigned-1.10.7.tgz
- webpack-dev-server-3.9.0.tgz
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md
Release Date: 2020-09-01
Fix Resolution: node-forge - 0.10.0
Step up your Open Source Security Game with WhiteSource here
CVE-2021-23337 (High) detected in lodash-4.17.15.tgz
CVE-2021-23337 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/lodash/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Step up your Open Source Security Game with WhiteSource here
CVE-2021-23364 (Medium) detected in browserslist-4.12.0.tgz, browserslist-4.10.0.tgz - autoclosed
CVE-2021-23364 - Medium Severity Vulnerability
Vulnerable Libraries - browserslist-4.12.0.tgz, browserslist-4.10.0.tgz
browserslist-4.12.0.tgz
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/compat-data/node_modules/browserslist/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- preset-env-7.8.7.tgz
- compat-data-7.10.1.tgz
- ❌ browserslist-4.12.0.tgz (Vulnerable Library)
- compat-data-7.10.1.tgz
- preset-env-7.8.7.tgz
browserslist-4.10.0.tgz
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserslist/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- ❌ browserslist-4.10.0.tgz (Vulnerable Library)
Vulnerability Details
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution: browserslist - 4.16.5
Step up your Open Source Security Game with WhiteSource here
CVE-2020-11023 (Medium) detected in jquery-3.3.1.slim.min.js, jquery-1.7.1.min.js
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-3.3.1.slim.min.js, jquery-1.7.1.min.js
jquery-3.3.1.slim.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js
Path to dependency file: Custom_Agile_ToDo_frontend/src/index.html
Path to vulnerable library: Custom_Agile_ToDo_frontend/src/index.html
Dependency Hierarchy:
- ❌ jquery-3.3.1.slim.min.js (Vulnerable Library)
jquery-1.7.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/echo/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/multiplex/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/hapi/html/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/express-3.x/index.html,Custom_Agile_ToDo_frontend/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
- ❌ jquery-1.7.1.min.js (Vulnerable Library)
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
cli-8.3.26.tgz: 2 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - cli-8.3.26.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/npm-registry-fetch/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (cli version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-25881 | High | 7.5 | http-cache-semantics-3.8.1.tgz | Transitive | N/A* | ❌ |
WS-2020-0127 | Medium | 5.3 | npm-registry-fetch-4.0.4.tgz | Transitive | 8.3.27 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-25881
Vulnerable Library - http-cache-semantics-3.8.1.tgz
Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Dependency Hierarchy:
- cli-8.3.26.tgz (Root Library)
- pacote-9.5.5.tgz
- make-fetch-happen-5.0.2.tgz
- ❌ http-cache-semantics-3.8.1.tgz (Vulnerable Library)
- make-fetch-happen-5.0.2.tgz
- pacote-9.5.5.tgz
Vulnerability Details
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1
Step up your Open Source Security Game with Mend here
WS-2020-0127
Vulnerable Library - npm-registry-fetch-4.0.4.tgz
Fetch-based http client for use with npm registry APIs
Library home page: https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-4.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/npm-registry-fetch/package.json
Dependency Hierarchy:
- cli-8.3.26.tgz (Root Library)
- pacote-9.5.5.tgz
- ❌ npm-registry-fetch-4.0.4.tgz (Vulnerable Library)
- pacote-9.5.5.tgz
Vulnerability Details
npm-registry-fetch before 4.0.5 and 8.1.1 is vulnerable to an information exposure vulnerability through log files.
Publish Date: 2020-07-07
URL: WS-2020-0127
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1544
Release Date: 2020-07-07
Fix Resolution (npm-registry-fetch): 4.0.5
Direct dependency fix Resolution (@angular/cli): 8.3.27
Step up your Open Source Security Game with Mend here
CVE-2020-28500 (Medium) detected in lodash-4.17.15.tgz
CVE-2020-28500 - Medium Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: Custom_Agile_ToDo_frontend/package.json
Path to vulnerable library: Custom_Agile_ToDo_frontend/node_modules/lodash/package.json
Dependency Hierarchy:
- karma-4.1.0.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash-4.17.21
Step up your Open Source Security Game with WhiteSource here
jquery-3.3.1.slim.min.js: 2 vulnerabilities (highest severity is: 6.1)
Vulnerable Library - jquery-3.3.1.slim.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js
Path to dependency file: /src/index.html
Path to vulnerable library: /src/index.html
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-11023 | Medium | 6.1 | jquery-3.3.1.slim.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | ❌ |
CVE-2019-11358 | Medium | 6.1 | jquery-3.3.1.slim.min.js | Direct | jquery - 3.4.0 | ❌ |
Details
CVE-2020-11023
Vulnerable Library - jquery-3.3.1.slim.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js
Path to dependency file: /src/index.html
Path to vulnerable library: /src/index.html
Dependency Hierarchy:
- ❌ jquery-3.3.1.slim.min.js (Vulnerable Library)
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Step up your Open Source Security Game with Mend here
CVE-2019-11358
Vulnerable Library - jquery-3.3.1.slim.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js
Path to dependency file: /src/index.html
Path to vulnerable library: /src/index.html
Dependency Hierarchy:
- ❌ jquery-3.3.1.slim.min.js (Vulnerable Library)
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
Step up your Open Source Security Game with Mend here
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.