gabriel-milan / brazilian-regional-accent Goto Github PK

Vulnerable Libraries - nth-check-2.0.0.tgz, nth-check-1.0.2.tgz

Found in HEAD commit: 62343db67cfd892f0d5e7fc53c0793dde406321d

Found in base branch: master

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: fb55/nth-check@v2.0.0...v2.0.1

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

Vulnerable Library - jquery-2.2.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.0/jquery.min.js

Path to dependency file: brazilian-regional-accent/frontend/node_modules/startaudiocontext/examples/jquery.html

Path to vulnerable library: /frontend/node_modules/startaudiocontext/examples/jquery.html

Dependency Hierarchy:

• ❌ jquery-2.2.0.min.js (Vulnerable Library)

Found in HEAD commit: 33a82635c9a8140708d6279f9a2cd51b09a222b6

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: brazilian-regional-accent/backend/brazilian_regional_accent/requirements.txt

Path to vulnerable library: brazilian-regional-accent/backend/brazilian_regional_accent/requirements.txt

Dependency Hierarchy:

• requests-2.21.0-py2.py3-none-any.whl (Root Library)
  • ❌ urllib3-1.24.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4bd2864564b18188854ea2e20031c607c2cb3ab1

Found in base branch: master

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz

Found in HEAD commit: 33a82635c9a8140708d6279f9a2cd51b09a222b6

Found in base branch: master

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: brazilian-regional-accent/frontend/package.json

Path to vulnerable library: brazilian-regional-accent/frontend/node_modules/ejs/package.json

Dependency Hierarchy:

• cli-service-4.5.13.tgz (Root Library)
  • webpack-bundle-analyzer-3.9.0.tgz
    • ❌ ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 33a82635c9a8140708d6279f9a2cd51b09a222b6

Found in base branch: master

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: mde/ejs#571

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: brazilian-regional-accent/frontend/package.json

Path to vulnerable library: brazilian-regional-accent/frontend/node_modules/copy-webpack-plugin/node_modules/glob-parent/package.json,brazilian-regional-accent/frontend/node_modules/webpack-dev-server/node_modules/glob-parent/package.json,brazilian-regional-accent/frontend/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json,brazilian-regional-accent/frontend/node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

• cli-service-4.5.13.tgz (Root Library)
  • copy-webpack-plugin-5.1.2.tgz
    • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 33a82635c9a8140708d6279f9a2cd51b09a222b6

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Vulnerable Library - jquery-2.2.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.0/jquery.min.js

Path to dependency file: brazilian-regional-accent/frontend/node_modules/startaudiocontext/examples/jquery.html

Path to vulnerable library: /frontend/node_modules/startaudiocontext/examples/jquery.html

Dependency Hierarchy:

• ❌ jquery-2.2.0.min.js (Vulnerable Library)

Found in HEAD commit: 33a82635c9a8140708d6279f9a2cd51b09a222b6

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Library - jquery-2.2.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.0/jquery.min.js

Path to dependency file: brazilian-regional-accent/frontend/node_modules/startaudiocontext/examples/jquery.html

Path to vulnerable library: /frontend/node_modules/startaudiocontext/examples/jquery.html

Dependency Hierarchy:

• ❌ jquery-2.2.0.min.js (Vulnerable Library)

Found in HEAD commit: 33a82635c9a8140708d6279f9a2cd51b09a222b6

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - jquery-2.2.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.0/jquery.min.js

Path to dependency file: brazilian-regional-accent/frontend/node_modules/startaudiocontext/examples/jquery.html

Path to vulnerable library: /frontend/node_modules/startaudiocontext/examples/jquery.html

Dependency Hierarchy:

• ❌ jquery-2.2.0.min.js (Vulnerable Library)

Found in HEAD commit: 33a82635c9a8140708d6279f9a2cd51b09a222b6

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: brazilian-regional-accent/backend/brazilian_regional_accent/requirements.txt

Path to vulnerable library: brazilian-regional-accent/backend/brazilian_regional_accent/requirements.txt

Dependency Hierarchy:

• requests-2.21.0-py2.py3-none-any.whl (Root Library)
  • ❌ urllib3-1.24.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4bd2864564b18188854ea2e20031c607c2cb3ab1

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-05-22

Fix Resolution: urllib3 - 1.26.5

Vulnerable Library - axios-0.21.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz

Path to dependency file: brazilian-regional-accent/frontend/package.json

Path to vulnerable library: /frontend/node_modules/axios/package.json

Dependency Hierarchy:

• ❌ axios-0.21.1.tgz (Vulnerable Library)

Found in HEAD commit: f2b6b38c2ea1ec45bc0eaa27cccfad7af7fb3e43

Found in base branch: master

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/axios/axios/releases/tag/v0.21.2

Release Date: 2021-08-31

Fix Resolution: axios - 0.21.2

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Path to dependency file: brazilian-regional-accent/frontend/package.json

Path to vulnerable library: brazilian-regional-accent/frontend/node_modules/css-what/package.json

Dependency Hierarchy:

• cli-service-4.5.13.tgz (Root Library)
  • optimize-cssnano-plugin-1.0.6.tgz
    • cssnano-preset-default-4.0.8.tgz
      • postcss-svgo-4.0.3.tgz
        • svgo-1.3.2.tgz
          • css-select-2.1.0.tgz
            • ❌ css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 33a82635c9a8140708d6279f9a2cd51b09a222b6

Found in base branch: master

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-2.1.1.tgz, ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

Found in HEAD commit: 62343db67cfd892f0d5e7fc53c0793dde406321d

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: brazilian-regional-accent/frontend/package.json

Path to vulnerable library: brazilian-regional-accent/frontend/node_modules/ansi-html/package.json

Dependency Hierarchy:

• cli-service-4.5.13.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • ❌ ansi-html-0.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 33a82635c9a8140708d6279f9a2cd51b09a222b6

Found in base branch: master

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High