lighthouse-tests's Issues
CVE-2022-33987 (Medium) detected in got-6.7.1.tgz
CVE-2022-33987 - Medium Severity Vulnerability
Vulnerable Library - got-6.7.1.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- update-notifier-2.5.0.tgz
- latest-version-3.1.0.tgz
- package-json-4.0.1.tgz
- ❌ got-6.7.1.tgz (Vulnerable Library)
- package-json-4.0.1.tgz
- latest-version-3.1.0.tgz
- update-notifier-2.5.0.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
CVE-2020-7788 (Critical) detected in ini-1.3.5.tgz
CVE-2020-7788 - Critical Severity Vulnerability
Vulnerable Library - ini-1.3.5.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ini/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- update-notifier-2.5.0.tgz
- is-installed-globally-0.1.0.tgz
- global-dirs-0.1.1.tgz
- ❌ ini-1.3.5.tgz (Vulnerable Library)
- global-dirs-0.1.1.tgz
- is-installed-globally-0.1.0.tgz
- update-notifier-2.5.0.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (lighthouse-batch): 5.0.2
CVE-2020-7608 (Medium) detected in yargs-parser-7.0.0.tgz
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Library - yargs-parser-7.0.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yargs-parser/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- ❌ yargs-parser-7.0.0.tgz (Vulnerable Library)
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (lighthouse-batch): 6.0.0
CVE-2020-23064 (Medium) detected in jquery-3.1.0.js
CVE-2020-23064 - Medium Severity Vulnerability
Vulnerable Library - jquery-3.1.0.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.0/jquery.js
Path to dependency file: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ jquery-3.1.0.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.
Publish Date: 2023-06-26
URL: CVE-2020-23064
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2023-06-26
Fix Resolution: jquery - 3.5.0
WS-2022-0007 (Medium) detected in node-forge-0.8.5.tgz - autoclosed
WS-2022-0007 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.8.5.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- rdf-canonize-1.0.3.tgz
- ❌ node-forge-0.8.5.tgz (Vulnerable Library)
- rdf-canonize-1.0.3.tgz
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Vulnerability Details
In node-forge before 1.0.0 the regex used for the forge.util.parseUrl API would not properly parse certain inputs, resulting in a parsed data structure that could lead to undesired behavior.
Publish Date: 2022-01-08
URL: WS-2022-0007
Step up your Open Source Security Game with WhiteSource here
CVE-2021-44906 (Critical) detected in minimist-0.0.8.tgz, minimist-1.2.0.tgz
CVE-2021-44906 - Critical Severity Vulnerability
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
- lighthouse-5.6.0.tgz
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/rc/node_modules/minimist/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- update-notifier-2.5.0.tgz
- latest-version-3.1.0.tgz
- package-json-4.0.1.tgz
- registry-auth-token-3.4.0.tgz
- rc-1.2.8.tgz
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
- rc-1.2.8.tgz
- registry-auth-token-3.4.0.tgz
- package-json-4.0.1.tgz
- latest-version-3.1.0.tgz
- update-notifier-2.5.0.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
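The three prototype-pollution findings on this page (ini's ini.parse, yargs-parser's dotted option keys, and minimist's setKey()) share one mechanism: a key-path setter that, handed a path starting with __proto__, walks into Object.prototype and writes there. The following is an added illustration written for this page, not the code of any of those packages. It pairs a vulnerable setter with a hardened one and drives both from toy argv and INI readers; every input is constructed, and the pollutes() helper removes the planted property again so the process is left clean.

```javascript
// Added example (not the code of ini, yargs-parser or minimist): a key-path
// setter in the shape those parsers use, in a vulnerable and a hardened form,
// driven by toy argv and INI readers. All inputs below are constructed.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: walks a dotted key path, creating intermediate objects as it
// goes. "{}.__proto__" is Object.prototype, so the path "__proto__.polluted"
// ends up writing a property onto every object in the process.
function setKeyVulnerable(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened: refuse the keys that reach the prototype chain, and only descend
// into own properties that are plain objects (prototype-less ones at that).
function setKeySafe(obj, keys, value) {
  if (keys.some((k) => UNSAFE_KEYS.has(k))) {
    throw new Error('refusing prototype-reaching key path: ' + keys.join('.'));
  }
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = Object.create(null);
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Toy argv reader: "--a.b.c=value" becomes out.a.b.c = value.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1].split('.'), m[2]);
  }
  return out;
}

// Toy INI reader: "[section]" followed by "key = value" becomes out.section.key.
function parseIni(text, setKey) {
  const out = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const sec = /^\[(.+)\]$/.exec(line);
    if (sec) { section = sec[1].trim(); continue; }
    const kv = /^([^=]+)=(.*)$/.exec(line);
    if (!kv) continue;
    const path = section === null ? [kv[1].trim()] : [section, kv[1].trim()];
    setKey(out, path, kv[2].trim());
  }
  return out;
}

// Run a parse and report whether Object.prototype picked up "polluted";
// the property is removed again so the rest of the process is unaffected.
function pollutes(parse) {
  const probe = {}; // a fresh object that should never see "polluted"
  try {
    parse();
    return probe.polluted !== undefined;
  } catch (e) {
    return false; // the hardened setter throws instead of writing
  } finally {
    delete Object.prototype.polluted;
  }
}
```

The hardened setter rejects the three prototype-reaching names outright rather than trying to sanitize them, and it stores nested sections in Object.create(null) objects so that a later lookup such as config.server.constructor cannot fall through to the prototype chain either.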
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (lighthouse-batch): 6.0.0
CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- shelljs-0.7.8.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.6.tgz
- shelljs-0.7.8.tgz
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2022-0122 (Medium) detected in node-forge-0.8.5.tgz
CVE-2022-0122 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.8.5.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- rdf-canonize-1.0.3.tgz
- ❌ node-forge-0.8.5.tgz (Vulnerable Library)
- rdf-canonize-1.0.3.tgz
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (lighthouse-batch): 7.0.0
CVE-2023-28155 (Medium) detected in request-2.88.0.tgz
CVE-2023-28155 - Medium Severity Vulnerability
Vulnerable Library - request-2.88.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- ❌ request-2.88.0.tgz (Vulnerable Library)
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: The request package is no longer supported by the maintainer.
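Both HTTP-client findings on this page (got's redirect to a UNIX socket, CVE-2022-33987, and request's cross-protocol redirect, CVE-2023-28155) come down to the same gap: the client validates the first URL and then follows whatever Location header the server sends. The code below is an added example for this page, not got's or request's own code. It assumes got's "http://unix:<socket path>:<request path>" URL form, which the WHATWG URL parser exposes as the hostname "unix", and it re-runs the policy on every hop. No network is used; a constructed Map stands in for an attacker-controlled server.

```javascript
// Added example (not got's or request's code): a redirect policy for an HTTP
// client that follows 3xx responses, re-checked on every hop. The hostname
// "unix" check assumes got's "http://unix:<socket>:<path>" URL syntax; the
// protocol-change check is the CVE-2023-28155 point, since an SSRF allowlist
// enforced only on the first request is bypassed by any later hop.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Decide whether a Location header may be followed from the current URL.
function checkRedirect(fromUrl, location, { allowProtocolChange = false, hostAllowlist = null } = {}) {
  const from = new URL(fromUrl);
  let target;
  try {
    target = new URL(location, from); // a relative Location resolves against the current URL
  } catch (e) {
    return { ok: false, reason: 'unparseable Location header', target: null };
  }
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) {
    return { ok: false, reason: 'protocol ' + target.protocol + ' not allowed', target };
  }
  if (target.hostname === 'unix') {
    return { ok: false, reason: 'redirect to a UNIX socket', target };
  }
  if (!allowProtocolChange && target.protocol !== from.protocol) {
    return { ok: false, reason: 'cross-protocol redirect ' + from.protocol + ' -> ' + target.protocol, target };
  }
  if (hostAllowlist && !hostAllowlist.has(target.hostname)) {
    return { ok: false, reason: 'host ' + target.hostname + ' not in allowlist', target };
  }
  return { ok: true, reason: null, target };
}

// Constructed responses standing in for an attacker-controlled server.
const FAKE_SERVER = new Map([
  ['https://api.example.test/socket', { status: 302, location: 'http://unix:/var/run/docker.sock:/containers/json' }],
  ['https://api.example.test/downgrade', { status: 302, location: 'http://api.example.test/plain' }],
  ['https://api.example.test/hop', { status: 302, location: '/final' }],
  ['https://api.example.test/final', { status: 200 }],
]);

// Follow redirects from startUrl, applying checkRedirect() to every hop.
function followRedirects(startUrl, server, opts = {}, maxHops = 5) {
  let current = startUrl;
  const hops = [];
  for (let i = 0; i <= maxHops; i++) {
    const resp = server.get(current) || { status: 404 };
    if (resp.status < 300 || resp.status > 399 || !resp.location) {
      return { finalUrl: current, status: resp.status, hops };
    }
    const verdict = checkRedirect(current, resp.location, opts);
    if (!verdict.ok) throw new Error('refused redirect from ' + current + ': ' + verdict.reason);
    current = verdict.target.href;
    hops.push(current);
  }
  throw new Error('too many redirects');
}
```

The order of the checks matters: the socket and scheme checks run before the host allowlist, so a "unix" hostname is refused even if someone later adds it to the allowlist by mistake, and a downgrade to plain HTTP is refused by default unless the caller opts in with allowProtocolChange.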
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
CVE-2021-32796 (Medium) detected in xmldom-0.1.19.tgz
CVE-2021-32796 - Medium Severity Vulnerability
Vulnerable Library - xmldom-0.1.19.tgz
A W3C Standard XML DOM(Level2 CORE) implementation and parser(DOMParser/XMLSerializer).
Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.1.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmldom/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- ❌ xmldom-0.1.19.tgz (Vulnerable Library)
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Found in HEAD commit: ed856c5830b7d4bc8a23a67ced8723e96e6fdf45
Found in base branch: master
Vulnerability Details
xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
Publish Date: 2021-07-27
URL: CVE-2021-32796
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5fg8-2547-mr8q
Release Date: 2021-07-27
Fix Resolution: @xmldom/xmldom - 0.7.0
CVE-2020-8175 (Medium) detected in jpeg-js-0.1.2.tgz
CVE-2020-8175 - Medium Severity Vulnerability
Vulnerable Library - jpeg-js-0.1.2.tgz
A pure javascript JPEG encoder and decoder
Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jpeg-js/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- ❌ jpeg-js-0.1.2.tgz (Vulnerable Library)
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow an attacker to launch denial of service attacks using a specially crafted JPEG image.
Publish Date: 2020-07-24
URL: CVE-2020-8175
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175
Release Date: 2020-07-27
Fix Resolution (jpeg-js): 0.4.0
Direct dependency fix Resolution (lighthouse-batch): 6.0.0
CVE-2022-24773 (Medium) detected in node-forge-0.8.5.tgz
CVE-2022-24773 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.8.5.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- rdf-canonize-1.0.3.tgz
- ❌ node-forge-0.8.5.tgz (Vulnerable Library)
- rdf-canonize-1.0.3.tgz
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (lighthouse-batch): 7.0.0
CVE-2018-14040 (Medium) detected in bootstrap-3.3.7.js
CVE-2018-14040 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ bootstrap-3.3.7.js (Vulnerable Library)
Found in HEAD commit: ed856c5830b7d4bc8a23a67ced8723e96e6fdf45
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2020-11022 (Medium) detected in jquery-2.1.1.min.js, jquery-3.1.0.js
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-2.1.1.min.js, jquery-3.1.0.js
jquery-2.1.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js
Path to dependency file: /node_modules/lighthouse/lighthouse-cli/test/fixtures/dobetterweb/dbw_tester.html
Path to vulnerable library: /node_modules/lighthouse/lighthouse-cli/test/fixtures/dobetterweb/dbw_tester.html
Dependency Hierarchy:
- ❌ jquery-2.1.1.min.js (Vulnerable Library)
jquery-3.1.0.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.0/jquery.js
Path to dependency file: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ jquery-3.1.0.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2018-20677 (Medium) detected in bootstrap-3.3.7.js
CVE-2018-20677 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ bootstrap-3.3.7.js (Vulnerable Library)
Found in HEAD commit: ed856c5830b7d4bc8a23a67ced8723e96e6fdf45
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz
CVE-2021-23343 - High Severity Vulnerability
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- shelljs-0.7.8.tgz
- rechoir-0.6.2.tgz
- resolve-1.12.0.tgz
- ❌ path-parse-1.0.6.tgz (Vulnerable Library)
- resolve-1.12.0.tgz
- rechoir-0.6.2.tgz
- shelljs-0.7.8.tgz
Found in base branch: master
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (lighthouse-batch): 5.0.2
WS-2016-0090 (Medium) detected in jquery-2.1.1.min.js - autoclosed
WS-2016-0090 - Medium Severity Vulnerability
Vulnerable Library - jquery-2.1.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/lighthouse-tests/node_modules/lighthouse/lighthouse-cli/test/fixtures/dobetterweb/dbw_tester.html
Path to vulnerable library: /lighthouse-tests/node_modules/lighthouse/lighthouse-cli/test/fixtures/dobetterweb/dbw_tester.html
Dependency Hierarchy:
- ❌ jquery-2.1.1.min.js (Vulnerable Library)
Found in HEAD commit: ed856c5830b7d4bc8a23a67ced8723e96e6fdf45
Vulnerability Details
JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
Suggested Fix
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
CVE-2018-14042 (Medium) detected in bootstrap-3.3.7.js
CVE-2018-14042 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ bootstrap-3.3.7.js (Vulnerable Library)
Found in HEAD commit: ed856c5830b7d4bc8a23a67ced8723e96e6fdf45
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2022-0144 (High) detected in shelljs-0.7.8.tgz
CVE-2022-0144 - High Severity Vulnerability
Vulnerable Library - shelljs-0.7.8.tgz
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.7.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/shelljs/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- ❌ shelljs-0.7.8.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
shelljs is vulnerable to Improper Privilege Management
Publish Date: 2022-01-11
URL: CVE-2022-0144
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-01-11
Fix Resolution (shelljs): 0.8.5
Direct dependency fix Resolution (lighthouse-batch): 6.0.0
CVE-2018-20676 (Medium) detected in bootstrap-3.3.7.js
CVE-2018-20676 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ bootstrap-3.3.7.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
CVE-2021-23358 (High) detected in underscore-1.9.1.tgz
CVE-2021-23358 - High Severity Vulnerability
Vulnerable Library - underscore-1.9.1.tgz
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/underscore/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonlint-mod-1.7.5.tgz
- ❌ underscore-1.9.1.tgz (Vulnerable Library)
- jsonlint-mod-1.7.5.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
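The injection point here is the "variable" setting: a template compiler that passes it unchecked as the parameter list of the Function constructor will accept "obj = <expression>" as a legal default parameter, and the expression then runs every time the compiled template is called. The following is an added example written for this page, not underscore's code: a minimal "<%= expr %>" compiler in the shape of _.template(), in a vulnerable and a hardened form, with a constructed payload whose visible side effect is a global flag rather than a spawned process.

```javascript
// Added example (not underscore's code): a minimal "<%= expr %>" template
// compiler showing why the "variable" setting must be a bare identifier.
// Templates, settings and the payload below are constructed.

const INTERPOLATE = /<%=([\s\S]+?)%>/g;
const BARE_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Turn the template text into a function body that appends literal text and
// interpolated expressions to __p and returns it.
function buildBody(text) {
  let body = "var __t, __p = '';\n";
  let index = 0;
  for (const m of text.matchAll(INTERPOLATE)) {
    body += '__p += ' + JSON.stringify(text.slice(index, m.index)) + ';\n';
    body += '__p += ((__t = (' + m[1] + ')) == null ? "" : __t);\n';
    index = m.index + m[0].length;
  }
  body += '__p += ' + JSON.stringify(text.slice(index)) + ';\n';
  return body + 'return __p;\n';
}

// Vulnerable: the parameter list handed to the Function constructor is built
// from settings.variable unchecked. "obj = <expr>" is a legal default
// parameter, so <expr> runs every time the compiled template is called.
function compileVulnerable(text, settings = {}) {
  const variable = settings.variable || 'obj';
  return new Function(variable, buildBody(text));
}

// Hardened: accept only a bare identifier as the variable name, so nothing
// but a parameter name can reach the generated source.
function compileSafe(text, settings = {}) {
  const variable = settings.variable || 'obj';
  if (!BARE_IDENTIFIER.test(variable)) {
    throw new Error('template variable must be a bare identifier, got ' + JSON.stringify(variable));
  }
  return new Function(variable, buildBody(text));
}

// Constructed attacker-controlled setting: a default-parameter expression that
// sets a global as its visible side effect (a real payload would run a command).
const INJECTED_VARIABLE = 'obj = (globalThis.templateInjected = true, {})';

// Report whether rendering a template compiled with the given compiler from the
// injected setting ran the attacker's expression; the flag is cleaned up after.
function injectionRuns(compile) {
  delete globalThis.templateInjected;
  try {
    compile('static text', { variable: INJECTED_VARIABLE })();
    return globalThis.templateInjected === true;
  } catch (e) {
    return false; // the hardened compiler refuses the setting before compiling
  } finally {
    delete globalThis.templateInjected;
  }
}
```

Note that the expression inside the default parameter runs at render time, not at compile time, so compiling an untrusted template is not enough to observe the problem; the check has to happen before the Function constructor is ever reached, which is what the identifier test in compileSafe does.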
Publish Date: 2021-03-29
URL: CVE-2021-23358
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution (underscore): 1.12.1
Direct dependency fix Resolution (lighthouse-batch): 5.0.2
CVE-2020-7645 (Critical) detected in chrome-launcher-0.11.2.tgz
CVE-2020-7645 - Critical Severity Vulnerability
Vulnerable Library - chrome-launcher-0.11.2.tgz
Launch latest Chrome with the Devtools Protocol port open
Library home page: https://registry.npmjs.org/chrome-launcher/-/chrome-launcher-0.11.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/chrome-launcher/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- ❌ chrome-launcher-0.11.2.tgz (Vulnerable Library)
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems.
Publish Date: 2020-05-02
URL: CVE-2020-7645
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7645
Release Date: 2020-05-02
Fix Resolution (chrome-launcher): 0.13.2
Direct dependency fix Resolution (lighthouse-batch): 6.0.0
CVE-2022-39353 (Critical) detected in xmldom-0.1.19.tgz
CVE-2022-39353 - Critical Severity Vulnerability
Vulnerable Library - xmldom-0.1.19.tgz
A W3C Standard XML DOM(Level2 CORE) implementation and parser(DOMParser/XMLSerializer).
Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.1.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmldom/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- ❌ xmldom-0.1.19.tgz (Vulnerable Library)
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, use one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the documentElement, or reject a document that has more than one childNode.
Publish Date: 2022-11-02
URL: CVE-2022-39353
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-crh6-fp67-6883
Release Date: 2022-11-02
Fix Resolution: @xmldom/xmldom - 0.7.7,0.8.4 (the fix is published under the scoped package name @xmldom/xmldom; the unscoped xmldom package resolved in this tree has no release containing it, so the upgrade means replacing the dependency, here by moving jsonld and lighthouse forward rather than bumping xmldom in place)
CVE-2022-24771 (High) detected in node-forge-0.8.5.tgz
CVE-2022-24771 - High Severity Vulnerability
Vulnerable Library - node-forge-0.8.5.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- rdf-canonize-1.0.3.tgz
- ❌ node-forge-0.8.5.tgz (Vulnerable Library)
- rdf-canonize-1.0.3.tgz
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (lighthouse-batch): 7.0.0
CVE-2022-24772 (High) detected in node-forge-0.8.5.tgz
CVE-2022-24772 - High Severity Vulnerability
Vulnerable Library - node-forge-0.8.5.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- rdf-canonize-1.0.3.tgz
- ❌ node-forge-0.8.5.tgz (Vulnerable Library)
- rdf-canonize-1.0.3.tgz
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (lighthouse-batch): 7.0.0
CVE-2021-21366 (Medium) detected in xmldom-0.1.19.tgz
CVE-2021-21366 - Medium Severity Vulnerability
Vulnerable Library - xmldom-0.1.19.tgz
A W3C Standard XML DOM(Level2 CORE) implementation and parser(DOMParser/XMLSerializer).
Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.1.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmldom/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- ❌ xmldom-0.1.19.tgz (Vulnerable Library)
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
Publish Date: 2021-03-12
URL: CVE-2021-21366
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-h6q6-9hqw-rwfv
Release Date: 2021-03-12
Fix Resolution (xmldom): 0.5.0
Direct dependency fix Resolution (lighthouse-batch): 7.0.0
CVE-2019-11358 (Medium) detected in jquery-2.1.1.min.js, jquery-3.1.0.js
CVE-2019-11358 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-2.1.1.min.js, jquery-3.1.0.js
jquery-2.1.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js
Path to dependency file: /node_modules/lighthouse/lighthouse-cli/test/fixtures/dobetterweb/dbw_tester.html
Path to vulnerable library: /node_modules/lighthouse/lighthouse-cli/test/fixtures/dobetterweb/dbw_tester.html
Dependency Hierarchy:
- ❌ jquery-2.1.1.min.js (Vulnerable Library)
jquery-3.1.0.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.0/jquery.js
Path to dependency file: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ jquery-3.1.0.js (Vulnerable Library)
Found in HEAD commit: ed856c5830b7d4bc8a23a67ced8723e96e6fdf45
Found in base branch: master
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
CVE-2016-10735 (Medium) detected in bootstrap-3.3.7.js
CVE-2016-10735 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ bootstrap-3.3.7.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Mend Note: Converted from WS-2018-0021, on 2022-11-08.
Publish Date: 2019-01-09
URL: CVE-2016-10735
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
CVE-2015-9251 (Medium) detected in jquery-2.1.1.min.js
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Library - jquery-2.1.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js
Path to dependency file: /node_modules/lighthouse/lighthouse-cli/test/fixtures/dobetterweb/dbw_tester.html
Path to vulnerable library: /node_modules/lighthouse/lighthouse-cli/test/fixtures/dobetterweb/dbw_tester.html
Dependency Hierarchy:
- ❌ jquery-2.1.1.min.js (Vulnerable Library)
Found in HEAD commit: ed856c5830b7d4bc8a23a67ced8723e96e6fdf45
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
CVE-2020-7720 (High) detected in node-forge-0.8.5.tgz
CVE-2020-7720 - High Severity Vulnerability
Vulnerable Library - node-forge-0.8.5.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- rdf-canonize-1.0.3.tgz
- ❌ node-forge-0.8.5.tgz (Vulnerable Library)
- rdf-canonize-1.0.3.tgz
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (lighthouse-batch): 5.0.2
WS-2022-0008 (Medium) detected in node-forge-0.8.5.tgz
WS-2022-0008 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.8.5.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- jsonld-1.8.1.tgz
- rdf-canonize-1.0.3.tgz
- ❌ node-forge-0.8.5.tgz (Vulnerable Library)
- rdf-canonize-1.0.3.tgz
- jsonld-1.8.1.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (lighthouse-batch): 7.0.0
CVE-2020-8116 (High) detected in dot-prop-4.2.0.tgz
CVE-2020-8116 - High Severity Vulnerability
Vulnerable Library - dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dot-prop/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- configstore-3.1.2.tgz
- ❌ dot-prop-4.2.0.tgz (Vulnerable Library)
- configstore-3.1.2.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution (dot-prop): 4.2.1
Direct dependency fix Resolution (lighthouse-batch): 5.0.2
CVE-2019-8331 (Medium) detected in bootstrap-3.3.7.js
CVE-2019-8331 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ bootstrap-3.3.7.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
CVE-2022-25851 (High) detected in jpeg-js-0.1.2.tgz
CVE-2022-25851 - High Severity Vulnerability
Vulnerable Library - jpeg-js-0.1.2.tgz
A pure javascript JPEG encoder and decoder
Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jpeg-js/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- ❌ jpeg-js-0.1.2.tgz (Vulnerable Library)
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
The package jpeg-js before 0.4.4 is vulnerable to Denial of Service (DoS): a particular piece of input causes the decoder to enter an infinite loop and never return.
Publish Date: 2022-06-10
URL: CVE-2022-25851
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-06-10
Fix Resolution (jpeg-js): 0.4.4
Direct dependency fix Resolution (lighthouse-batch): 6.0.0
CVE-2020-11023 (Medium) detected in jquery-2.1.1.min.js, jquery-3.1.0.js
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-2.1.1.min.js, jquery-3.1.0.js
jquery-2.1.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js
Path to dependency file: /node_modules/lighthouse/lighthouse-cli/test/fixtures/dobetterweb/dbw_tester.html
Path to vulnerable library: /node_modules/lighthouse/lighthouse-cli/test/fixtures/dobetterweb/dbw_tester.html
Dependency Hierarchy:
- ❌ jquery-2.1.1.min.js (Vulnerable Library)
jquery-3.1.0.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.0/jquery.js
Path to dependency file: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ jquery-3.1.0.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
WS-2018-0021 (Medium) detected in bootstrap-3.3.7-3.3.13.js - autoclosed
WS-2018-0021 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7-3.3.13.js
Google-styled theme for Bootstrap.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.js
Path to dependency file: /tmp/ws-scm/lighthouse-tests/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: /lighthouse-tests/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
- ❌ bootstrap-3.3.7-3.3.13.js (Vulnerable Library)
Found in HEAD commit: ed856c5830b7d4bc8a23a67ced8723e96e6fdf45
Vulnerability Details
XSS in data-target in bootstrap (3.3.7 and before)
Publish Date: 2017-06-27
URL: WS-2018-0021
Suggested Fix
Type: Change files
Origin: twbs/bootstrap@d9be1da
Release Date: 2017-08-25
Fix Resolution: Replace or update the following files: alert.js, carousel.js, collapse.js, dropdown.js, modal.js
CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz, minimist-1.2.0.tgz
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
- lighthouse-5.6.0.tgz
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/rc/node_modules/minimist/package.json
Dependency Hierarchy:
- lighthouse-batch-5.0.1.tgz (Root Library)
- lighthouse-5.6.0.tgz
- update-notifier-2.5.0.tgz
- latest-version-3.1.0.tgz
- package-json-4.0.1.tgz
- registry-auth-token-3.4.0.tgz
- rc-1.2.8.tgz
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
- rc-1.2.8.tgz
- registry-auth-token-3.4.0.tgz
- package-json-4.0.1.tgz
- latest-version-3.1.0.tgz
- update-notifier-2.5.0.tgz
- lighthouse-5.6.0.tgz
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
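Added example serving CVE-2020-7720 (node-forge util.setPath), CVE-2020-8116 (dot-prop), CVE-2019-11358 (jQuery.extend) and CVE-2020-7598 (minimist) above; illustrative code, not any of those libraries', with constructed paths and function names. All four are the same defect: a key taken from input is used to walk or create nested objects, and the keys __proto__, constructor and prototype walk into Object.prototype instead, so a value set through them appears on every object in the process. For minimist the path arrives as a command-line option such as --__proto__.polluted=yes; for jQuery.extend(true, ...) it arrives as a __proto__ key in a JSON-parsed object, which JSON.parse creates as an own property and a deep merge then recurses into.

```javascript
'use strict';
// Added example, not the code of minimist, dot-prop, node-forge or jQuery:
// a dot-path setter of the kind those libraries expose ("a.b.c" -> nested
// assignment), first as naively written and then with the keys that lead to
// Object.prototype refused. Paths and values below are constructed.

function isObjectLike(v) {
  return (typeof v === 'object' && v !== null) || typeof v === 'function';
}

// Naive setter: creates or descends into each segment, assigns the last.
// "__proto__.polluted" descends into Object.prototype through the inherited
// accessor; "constructor.prototype.polluted" gets there via Object itself.
function setPathNaive(obj, dotPath, value) {
  const keys = dotPath.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!isObjectLike(cur[k])) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened setter: reject the three keys that reach a prototype, and only
// descend into own plain-object properties so an inherited value is never
// walked into.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(obj, dotPath, value) {
  const keys = dotPath.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing unsafe key in path "${dotPath}"`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const ownPlainObject =
      Object.prototype.hasOwnProperty.call(cur, k) && typeof cur[k] === 'object' && cur[k] !== null;
    if (!ownPlainObject) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs a setter on a throwaway object with an attacker-chosen path and
// reports whether an unrelated, freshly created object now sees the injected
// key. Cleans Object.prototype up afterwards so later code is unaffected.
function pollutes(setter, dotPath) {
  const key = dotPath.split('.').pop();
  try {
    setter({}, dotPath, 'yes');
    return ({})[key] === 'yes';
  } catch (_) {
    return false; // the setter refused the path
  } finally {
    delete Object.prototype[key];
  }
}
```

pollutes(setPathNaive, '__proto__.polluted') and pollutes(setPathNaive, 'constructor.prototype.polluted') both return true; the same calls with setPathSafe return false, and setPathSafe still handles ordinary paths such as 'a.b.c'. The deny-list is the minimum; the own-property check is what keeps a future prototype-reaching key from slipping through.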
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist-0.0.8): 0.2.1
Direct dependency fix Resolution (lighthouse-batch): 6.0.0
Fix Resolution (minimist-1.2.0): 1.2.2
Direct dependency fix Resolution (lighthouse-batch): 6.0.0