
is.gd-node.js's Introduction

Hey, I'm Jeff 👋

If you'd like to get in contact with me, please email me at [my first name]@[my github username].dev, but please do not contact me about any archived repositories.

If you have an issue with an active project, the best way to notify me about it and get help is by creating an issue on the repository of the project.

Website


Languages and Tools:

Visual Studio Code Docker Arduino Node.js NPM JavaScript Ubuntu Raspberry Pi




is.gd-node.js's People

Contributors

dependabot-preview[bot], hugoduraes, jeffresc, mend-bolt-for-github[bot], renovate-bot


is.gd-node.js's Issues

CVE-2016-10540 (High) detected in minimatch-0.2.14.tgz, minimatch-2.0.10.tgz

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-0.2.14.tgz, minimatch-2.0.10.tgz

minimatch-0.2.14.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/globule/node_modules/minimatch/package.json

Dependency Hierarchy:

  • gulp-3.8.11.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • ❌ minimatch-0.2.14.tgz (Vulnerable Library)

minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/minimatch/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • ❌ minimatch-2.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.


Step up your Open Source Security Game with WhiteSource here

Rely on No Dependencies

Currently, the project relies on the "request" dependency which can download an amount of unnecessary code and waste a small amount of time while downloading code. We'd like this problem to be eliminated by relying on no dependencies at all. Please reply if you'd be interested in working on this issue.

CVE-2012-6708 (Medium) detected in jquery-1.7.2.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/demo.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0



WS-2018-0628 (Medium) detected in marked-0.3.19.js, marked-0.3.19.tgz

WS-2018-0628 - Medium Severity Vulnerability

Vulnerable Libraries - marked-0.3.19.js, marked-0.3.19.tgz

marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • ❌ marked-0.3.19.js (Vulnerable Library)

marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/package.json

Dependency Hierarchy:

  • gulp-markdown-1.0.0.tgz (Root Library)
    • ❌ marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/0.4.0

Release Date: 2018-04-16

Fix Resolution: marked - 0.4.0



CVE-2020-11023 (Medium) detected in jquery-1.7.2.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/demo.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0



CVE-2016-10531 (Medium) detected in marked-0.3.19.js

CVE-2016-10531 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • ❌ marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.

Publish Date: 2018-05-31

URL: CVE-2016-10531

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/101

Release Date: 2016-04-18

Fix Resolution: Update to version 0.3.6 or later.



WS-2019-0025 (Medium) detected in marked-0.3.19.js

WS-2019-0025 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • ❌ marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

Versions 0.3.7 and earlier of marked, when mangling is disabled via the mangle option, don't escape the target href. This allows an attacker to inject an arbitrary HTML event into the resulting a tag.

Publish Date: 2017-12-23

URL: WS-2019-0025

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked@cb72584

Release Date: 2019-03-17

Fix Resolution: 0.3.9



CVE-2015-9251 (Medium) detected in jquery-1.7.2.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/demo.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0



CVE-2018-3721 (Medium) detected in multiple libraries

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-3.10.1.tgz, lodash-2.4.2.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.8.11.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • ❌ lodash-1.0.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/gulp-jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • ❌ lodash-3.10.1.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/rcloader/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • rcloader-0.1.2.tgz
      • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5



WS-2019-0209 (Medium) detected in marked-0.3.19.js

WS-2019-0209 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • ❌ marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

marked before 0.7.0 is vulnerable to a ReDoS attack by the _label subrule that may significantly degrade parsing performance of malformed input.

Publish Date: 2019-07-04

URL: WS-2019-0209

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1076

Release Date: 2019-09-05

Fix Resolution: 0.7.0



WS-2019-0027 (Medium) detected in marked-0.3.19.js

WS-2019-0027 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • ❌ marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

In versions 0.3.17 and earlier of marked, four regexes were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential ReDoS attack.

Publish Date: 2018-02-26

URL: WS-2019-0027

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked@b15e42b

Release Date: 2019-03-17

Fix Resolution: 0.3.18



CVE-2019-1010266 (Medium) detected in multiple libraries

CVE-2019-1010266 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-3.10.1.tgz, lodash-2.4.2.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.8.11.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • ❌ lodash-1.0.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/gulp-jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • ❌ lodash-3.10.1.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/rcloader/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • rcloader-0.1.2.tgz
      • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution: 4.17.11



CVE-2018-16487 (Medium) detected in multiple libraries

CVE-2018-16487 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-3.10.1.tgz, lodash-2.4.2.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.8.11.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • ❌ lodash-1.0.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/gulp-jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • ❌ lodash-3.10.1.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/rcloader/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • rcloader-0.1.2.tgz
      • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11



CVE-2020-11022 (Medium) detected in jquery-1.7.2.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/demo.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0



WS-2020-0163 (Medium) detected in marked-0.3.19.js, marked-0.3.19.tgz

WS-2020-0163 - Medium Severity Vulnerability

Vulnerable Libraries - marked-0.3.19.js, marked-0.3.19.tgz

marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • ❌ marked-0.3.19.js (Vulnerable Library)

marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/package.json

Dependency Hierarchy:

  • gulp-markdown-1.0.0.tgz (Root Library)
    • ❌ marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (ReDoS). rules.js has multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1



WS-2019-0026 (Medium) detected in marked-0.3.19.js

WS-2019-0026 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • ❌ marked-0.3.19.js (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

Versions 0.3.7 and earlier of marked unescape only lowercase, while browsers support both lowercase and uppercase x in the hexadecimal form of an HTML character entity.

Publish Date: 2017-12-23

URL: WS-2019-0026

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked@6d1901f

Release Date: 2019-03-17

Fix Resolution: 0.3.9



Dependency Dashboard

This issue provides visibility into Renovate updates and their statuses. Learn more

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.


  • Check this box to trigger a request for Renovate to run again on this repository

CVE-2020-7656 (Medium) detected in jquery-1.7.2.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/demo.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0



CVE-2020-8203 (High) detected in multiple libraries

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-3.10.1.tgz, lodash-2.4.2.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.8.11.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • ❌ lodash-1.0.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/gulp-jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • ❌ lodash-3.10.1.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/rcloader/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • rcloader-0.1.2.tgz
      • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19



WS-2019-0169 (Medium) detected in marked-0.3.19.js, marked-0.3.19.tgz

WS-2019-0169 - Medium Severity Vulnerability

Vulnerable Libraries - marked-0.3.19.js, marked-0.3.19.tgz

marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: Is.gd-Node.js/node_modules/marked/www/demo.html

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • ❌ marked-0.3.19.js (Vulnerable Library)

marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/marked/package.json

Dependency Hierarchy:

  • gulp-markdown-1.0.0.tgz (Root Library)
    • โŒ marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

marked versions >0.3.14 and <0.6.2 have a Regular Expression Denial of Service vulnerability. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Publish Date: 2019-04-03

URL: WS-2019-0169

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/812

Release Date: 2019-07-15

Fix Resolution: 0.6.2



CVE-2019-10744 (High) detected in multiple libraries

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-3.10.1.tgz, lodash-2.4.2.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.8.11.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ lodash-1.0.2.tgz (Vulnerable Library)
lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/gulp-jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • โŒ lodash-3.10.1.tgz (Vulnerable Library)
lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: Is.gd-Node.js/package.json

Path to vulnerable library: Is.gd-Node.js/node_modules/rcloader/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-jshint-1.10.0.tgz (Root Library)
    • rcloader-0.1.2.tgz
      • โŒ lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 1036303aa40701aa25caa367da28c1e4e15926e3

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12


