tibcosoftware / labs-air Goto Github PK
View Code? Open in Web Editor NEWTIBCO LABS™ Project AIR - Documentation
Home Page: https://tibcosoftware.github.io/labs-air/
License: BSD 3-Clause "New" or "Revised" License
TIBCO LABS™ Project AIR - Documentation
Home Page: https://tibcosoftware.github.io/labs-air/
License: BSD 3-Clause "New" or "Revised" License
kill trees of processes
Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/tree-kill/package.json,/tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/tree-kill/package.json,/tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/tree-kill/package.json
Dependency Hierarchy:
A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.
Publish Date: 2019-12-18
URL: CVE-2019-15599
Base Score Metrics:
Type: Upgrade version
Origin: https://hackerone.com/reports/701183
Release Date: 2019-12-18
Fix Resolution: tree-kill - 1.2.2
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/hapi/html/index.html,/labs-air/ui/IoTCloudStarter/node_modules/vm-browserify/example/run/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/multiplex/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/echo/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express-3.x/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json
Dependency Hierarchy:
Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-12-05
URL: WS-2019-0331
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.2
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969
Release Date: 2013-03-08
Fix Resolution: 1.6.3
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/decompress/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).
Publish Date: 2019-04-30
URL: CVE-2018-20834
Base Score Metrics:
Type: Upgrade version
Origin: https://hackerone.com/reports/344595
Release Date: 2019-04-30
Fix Resolution: v4.4.2
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.2.5.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/mime/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.
Publish Date: 2017-09-27
URL: WS-2017-0330
Type: Upgrade version
Origin: broofa/mime@1df903f
Release Date: 2019-04-03
Fix Resolution: 1.4.1,2.0.3
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/hapi/html/index.html,/labs-air/ui/IoTCloudStarter/node_modules/vm-browserify/example/run/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/multiplex/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/echo/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express-3.x/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485
JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/is-number/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/is-number/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz
Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/has-values/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/has-values/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz
Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/shallow-clone/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/shallow-clone/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-1.1.0.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/plugin-error/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/plugin-error/node_modules/kind-of/package.json
Dependency Hierarchy:
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-2.3.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/component-resolver/node_modules/semver/package.json
Dependency Hierarchy:
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8855
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8855
Release Date: 2017-01-23
Fix Resolution: semver (Npm package) - 4.3.2;Npm (NuGet package) - 2.14.14
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json
Dependency Hierarchy:
Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.
Publish Date: 2019-12-05
URL: WS-2019-0332
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/decompress/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
The tar module earlier than version 2.0.0 allow for archives to contain symbolic links that will overwrite targets outside the expected path for extraction.
Publish Date: 2015-11-03
URL: WS-2015-0025
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/57
Release Date: 2015-11-03
Fix Resolution: Update to a version 2.0.0 or greater
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-0.7.4.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/debug/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16137
Release Date: 2019-06-05
Fix Resolution: 2.6.9,3.1.0
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.2.5.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/mime/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
Base Score Metrics:
elegant & feature rich browser / node HTTP with a fluent API
Library home page: https://registry.npmjs.org/superagent/-/superagent-0.17.0.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.
Publish Date: 2018-06-07
URL: CVE-2017-16129
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16129
Release Date: 2019-04-08
Fix Resolution: 3.7.0
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-0.3.6.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/proxy-agent/node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).
Publish Date: 2018-06-07
URL: CVE-2018-3739
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3739
Release Date: 2018-06-07
Fix Resolution: 2.1.1
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/tooltips/custom-points.html
Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/tooltips/custom-points.html,/labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/tooltips/custom-points.html
Dependency Hierarchy:
Found in HEAD commit: 2b36f19c6531f1a3964d83923e752838cd9d62cb
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
Parse, validate, manipulate, and display dates
Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js
Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/line-point-data.html
Path to vulnerable library: /labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/line-point-data.html,/labs-air/ui/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/combo.html
Dependency Hierarchy:
Found in HEAD commit: 2b36f19c6531f1a3964d83923e752838cd9d62cb
Regular expression denial of service vulnerability in the moment package, by using a specific 40 characters long string in the "format" method.
Publish Date: 2016-10-24
URL: WS-2016-0075
Type: Change files
Origin: moment/moment@663f33e
Release Date: 2016-10-24
Fix Resolution: Replace or update the following files: month.js, lt.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.min.js
Path to dependency file: /tmp/ws-scm/labs-air/docs-preview/themes/tibcolabs/layouts/partials/scripts.html
Path to vulnerable library: /labs-air/docs-preview/themes/tibcolabs/layouts/partials/scripts.html
Dependency Hierarchy:
Found in HEAD commit: 7e3ff745e3d3ce709bff2a22ad9d393314e7f1fd
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/unglob/node_modules/glob/node_modules/minimatch/package.json
Dependency Hierarchy:
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/sane/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp
objects. The primary function, minimatch(path, pattern)
in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern
parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Update to version 3.0.2 or later.
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-5.0.0.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/yargs-parser/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/yargs-parser/package.json
Dependency Hierarchy:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/yargs-parser/package.json,/tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/yargs-parser/package.json,/tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/yargs-parser/package.json
Dependency Hierarchy:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.1.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/@angular/compiler-cli/node_modules/yargs-parser/package.json,/tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/@angular/compiler-cli/node_modules/yargs-parser/package.json,/tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/@angular/compiler-cli/node_modules/yargs-parser/package.json
Dependency Hierarchy:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/docs-src/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/docs-preview/node_modules/yargs-parser/package.json,/tmp/ws-scm/labs-air/docs-preview/node_modules/yargs-parser/package.json
Dependency Hierarchy:
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
flatten a resolved component tree
Library home page: https://registry.npmjs.org/component-flatten/-/component-flatten-1.0.1.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/component-flatten/package.json
Dependency Hierarchy:
All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a proto payload.
Publish Date: 2020-02-18
URL: CVE-2019-10794
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10794
Release Date: 2020-02-18
Fix Resolution: 2.0.3
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/docs-preview/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/docs-preview/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/docs-preview/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/docs-preview/node_modules/kind-of/package.json,/tmp/ws-scm/labs-air/docs-preview/node_modules/kind-of/package.json
Dependency Hierarchy:
Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.
Publish Date: 2020-03-18
URL: WS-2019-0381
Base Score Metrics:
Type: Upgrade version
Origin: jonschlinkert/kind-of@975c13a
Release Date: 2020-03-18
Fix Resolution: kind-of - 6.0.3
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/decompress/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
Publish Date: 2017-01-23
URL: CVE-2015-8860
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8860
Release Date: 2017-01-23
Fix Resolution: 2.0.0
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/qs/package.json
Dependency Hierarchy:
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/tiny-lr-fork/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Publish Date: 2014-10-19
URL: CVE-2014-7191
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191
Release Date: 2014-10-19
Fix Resolution: 1.0.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/echo/index.html,/labs-air/uiupgrade/IoTCloudStarter/node_modules/sockjs/examples/echo/index.html,/labs-air/uiupgrade/IoTCloudStarter/node_modules/sockjs/examples/hapi/html/index.html,/labs-air/uiupgrade/IoTCloudStarter/node_modules/sockjs/examples/express-3.x/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/multiplex/index.html,/labs-air/ui/IoTCloudStarter/node_modules/vm-browserify/example/run/index.html,/labs-air/uiupgrade/IoTCloudStarter/node_modules/vm-browserify/example/run/index.html,/labs-air/uiupgrade/IoTCloudStarter/node_modules/sockjs/examples/multiplex/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express-3.x/index.html,/labs-air/uiupgrade/IoTCloudStarter/node_modules/sockjs/examples/express/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/hapi/html/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: /labs-air/uiupgrade/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js,/labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
Publish Date: 2019-10-23
URL: CVE-2015-9521
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-10-23
Fix Resolution: 2.2.0
Parse, validate, manipulate, and display dates
Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.18.1/moment.min.js
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/financial.html
Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/financial.html,/labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/financial.html
Dependency Hierarchy:
Parse, validate, manipulate, and display dates
Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js
Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/line-point-data.html
Path to vulnerable library: /labs-air/uiupgrade/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/line-point-data.html,/labs-air/ui/IoTCloudStarter/node_modules/chartjs-plugin-labels/bower_components/chart.js/samples/scales/time/combo.html
Dependency Hierarchy:
Found in HEAD commit: 2b36f19c6531f1a3964d83923e752838cd9d62cb
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
Publish Date: 2018-03-04
URL: CVE-2017-18214
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18214
Release Date: 2018-03-04
Fix Resolution: 2.19.3
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json
Dependency Hierarchy:
A Denial of Service vulnerability found in handlebars 4.x before 4.4.5.While processing specially-crafted templates, the parser may be forced into endless loop. Attackers may exhaust system resources.
Publish Date: 2019-12-01
URL: WS-2019-0318
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2019-12-01
Fix Resolution: handlebars - 4.4.5
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/https-proxy-agent/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
There is a Machine-In-The-Middle vulnerability found in https-proxy-agent before 2.2.3. There is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.
Publish Date: 2019-12-01
URL: WS-2019-0310
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1184
Release Date: 2019-12-01
Fix Resolution: https-proxy-agent - 2.2.3
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/optimist/node_modules/minimist/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.2
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/set-value/package.json
Dependency Hierarchy:
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
Base Score Metrics:
Type: Upgrade version
Origin: jonschlinkert/set-value@95e9d99
Release Date: 2019-07-24
Fix Resolution: 2.0.1,3.0.1
Easily extract zip, tar and tar.gz archives
Library home page: https://registry.npmjs.org/decompress/-/decompress-0.2.5.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/decompress/package.json
Dependency Hierarchy:
decompress in all its versions is vulnerable to arbitrary file write. the package fails to prevent an extraction of files with relative paths which allows attackers to write to any folder in the system.
Publish Date: 2020-03-08
URL: WS-2020-0044
Base Score Metrics:
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/qs/package.json
Dependency Hierarchy:
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/tiny-lr-fork/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time
Publish Date: 2014-08-06
URL: WS-2014-0005
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking
Release Date: 2014-08-06
Fix Resolution: Update qs to version 1.0.0 or greater
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/hapi/html/index.html,/labs-air/ui/IoTCloudStarter/node_modules/vm-browserify/example/run/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/multiplex/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/echo/index.html,/labs-air/ui/IoTCloudStarter/node_modules/sockjs/examples/express-3.x/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/selectableItems.html
Path to vulnerable library: /labs-air/ui/IoTCloudStarter/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485
handlebars before 4.3.0 is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Publish Date: 2019-10-06
URL: WS-2019-0291
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1164
Release Date: 2019-10-06
Fix Resolution: 4.3.0
String manipulation extensions for Underscore.js javascript library.
Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-2.3.3.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/underscore.string/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
Underscore.string, before 3.3.5, is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2018-12-30
URL: WS-2018-0232
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/745
Release Date: 2018-12-30
Fix Resolution: 3.3.5
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json
Dependency Hierarchy:
Security vulnerability found in handlebars.js before 4.3.0.
Publish Date: 2020-01-08
URL: WS-2019-0368
Type: Upgrade version
Origin: handlebars-lang/handlebars.js@2078c72
Release Date: 2020-01-08
Fix Resolution: handlebars - 4.3.0
Advanced file system stream things
Library home page: https://registry.npmjs.org/fstream/-/fstream-0.1.31.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/fstream/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.
Publish Date: 2019-07-02
URL: CVE-2019-13173
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173
Release Date: 2019-07-02
Fix Resolution: 1.0.12
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-2.3.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/component-resolver/node_modules/semver/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
Semver is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed.
Publish Date: 2015-04-04
URL: WS-2015-0018
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/31
Release Date: 2015-04-04
Fix Resolution: Update to a version 4.3.2 or greater
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-0.3.6.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/proxy-agent/node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
Versions of https-proxy-agent before 2.2.0 are vulnerable to a denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().
Publish Date: 2018-04-25
URL: WS-2018-0072
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/593
Release Date: 2018-01-27
Fix Resolution: 2.2.0
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.4.0.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/acorn/package.json
Dependency Hierarchy:
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/detective/node_modules/acorn/package.json
Dependency Hierarchy:
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.2.0.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/acorn/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/acorn/package.json
Dependency Hierarchy:
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-08
URL: WS-2020-0042
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-08
Fix Resolution: 7.1.1
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/node_modules/mixin-deep/package.json
Dependency Hierarchy:
Found in HEAD commit: 9a56920c214f3897ed1b4c3cc8f0913cb4ca3485
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
Base Score Metrics:
Type: Upgrade version
Origin: jonschlinkert/mixin-deep@8f464c8
Release Date: 2019-07-11
Fix Resolution: 1.3.2
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json
Dependency Hierarchy:
Prototype Pollution vulnerability found in handlebars.js before 4.5.3. Attacker may use Remote-Code-Execution exploits.
Publish Date: 2020-01-08
URL: WS-2019-0369
Type: Upgrade version
Origin: https://github.com/wycats/handlebars.js/blob/master/release-notes.md#v453---november-18th-2019
Release Date: 2020-01-08
Fix Resolution: handlebars - 4.5.3
Port of jQuery.extend for Node.js
Library home page: https://registry.npmjs.org/extend/-/extend-1.2.1.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/extend/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16492
Base Score Metrics:
Type: Upgrade version
Origin: https://hackerone.com/reports/381185
Release Date: 2019-02-01
Fix Resolution: extend - v3.0.2,v2.0.2
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json
Dependency Hierarchy:
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Publish Date: 2019-12-20
URL: CVE-2019-19919
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1164
Release Date: 2019-12-20
Fix Resolution: 4.3.0
An HTTP(s) proxy `http.Agent` implementation for HTTP
Library home page: https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-0.2.7.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/proxy-agent/node_modules/http-proxy-agent/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
Versions of http-proxy-agent before 2.1.0 are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to Buffer.
Publish Date: 2018-04-25
URL: WS-2018-0085
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/607
Release Date: 2018-01-27
Fix Resolution: 2.1.0
kill trees of processes
Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/tree-kill/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/tree-kill/package.json
Dependency Hierarchy:
Found in HEAD commit: 2b36f19c6531f1a3964d83923e752838cd9d62cb
A Command Injection vulnerability found in tree-kill before 1.2.2. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems.
Publish Date: 2020-01-15
URL: WS-2020-0005
Type: Upgrade version
Origin: https://hackerone.com/reports/701183
Release Date: 2020-01-15
Fix Resolution: tree-kill - 1.2.2
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/superagent/node_modules/qs/package.json
Dependency Hierarchy:
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/ProjectAir/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/ui/ProjectAir/node_modules/tiny-lr-fork/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 91b4245b987bd63abaeb49223360180947327d49
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Publish Date: 2018-05-31
URL: CVE-2014-10064
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/28
Release Date: 2014-08-06
Fix Resolution: Update to version 1.0.0 or later
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/labs-air/ui/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/handlebars/package.json
Dependency Hierarchy:
Prototype Pollution vulnerability found in handlebars 1.0.6 before 4.5.3. It is possible to add or modify properties to the Object prototype through a malicious template. Attacker may crash the application or execute Arbitrary Code in specific conditions.
Publish Date: 2019-12-05
URL: WS-2019-0333
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1325
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.7.0.tgz
Path to dependency file: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/package.json
Path to vulnerable library: /tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/serialize-javascript/package.json,/tmp/ws-scm/labs-air/uiupgrade/IoTCloudStarter/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
Publish Date: 2019-12-05
URL: CVE-2019-16769
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769
Release Date: 2019-12-05
Fix Resolution: v2.1.1
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.