This project forked from openflagr/flagr
Flagr is a feature flagging, A/B testing and dynamic configuration microservice
Home Page: https://checkr.github.io/flagr
License: Apache License 2.0
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "mend-for-github-com[bot]")
Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - ejs-2.7.4.tgzEmbedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/ejs/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-22
Fix Resolution (ejs): 3.1.6
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - async-2.6.3.tgzHigher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/async/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - github.com/dgrijalva/jwt-GO-v3.2.0+incompatibleARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:
Library home page: https://proxy.golang.org/github.com/dgrijalva/jwt-go/@v/v3.2.0+incompatible.zip
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
Publish Date: 2020-09-30
URL: CVE-2020-26160
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-w73w-5m7g-f7qc
Release Date: 2020-09-30
Fix Resolution: 4.0.0-preview1
Vulnerable Libraries - follow-redirects-1.5.10.tgz, follow-redirects-1.10.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/axios/node_modules/follow-redirects/package.json
Dependency Hierarchy:
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.10.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (axios): 0.20.0-0
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - lodash-4.17.14.tgz, lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.14.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/vue-eslint-parser/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - thenify-3.3.0.tgzPromisify a callback-based function
Library home page: https://registry.npmjs.org/thenify/-/thenify-3.3.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/thenify/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.
Publish Date: 2022-07-25
URL: CVE-2020-7677
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-29xr-v42j-r956
Release Date: 2020-07-21
Fix Resolution (thenify): 3.3.1
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - minimist-1.2.5.tgz, minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/json5/node_modules/minimist/package.json,/browser/flagr-ui/node_modules/json5/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (eslint): 7.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jquery-1.7.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html,/browser/flagr-ui/node_modules/sockjs/examples/express-3.x/index.html,/browser/flagr-ui/node_modules/sockjs/examples/multiplex/index.html,/browser/flagr-ui/node_modules/sockjs/examples/echo/index.html,/browser/flagr-ui/node_modules/sockjs/examples/hapi/html/index.html
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Vulnerable Library - http-proxy-1.18.0.tgzHTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/http-proxy/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - elliptic-6.5.2.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - node-forge-0.9.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - follow-redirects-1.5.10.tgz, follow-redirects-1.10.0.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/axios/node_modules/follow-redirects/package.json
Dependency Hierarchy:
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.10.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (axios): 0.20.0-0
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27515
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Release Date: 2021-02-22
Fix Resolution (url-parse): 1.5.0
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - minimist-0.0.8.tgzparse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (eslint): 7.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - shell-quote-1.6.1.tgzquote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/shell-quote/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - ejs-2.7.4.tgzEmbedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/ejs/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: 2022-04-25
URL: CVE-2022-29078
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~
Release Date: 2022-04-25
Fix Resolution (ejs): 3.1.7
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - normalize-url-3.3.0.tgz, normalize-url-1.9.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/normalize-url/package.json
Dependency Hierarchy:
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/mini-css-extract-plugin/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
Vulnerable Library - terser-4.6.3.tgzJavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.6.3.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/terser/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - axios-0.19.0.tgzPromise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/axios/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution: 0.21.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - eventsource-1.0.7.tgzW3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/eventsource/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
CVSS 3 Score Details (9.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - loader-utils-1.2.3.tgzutils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
CVSS 3 Score Details (7.5)
Base Score Metrics:
Vulnerable Libraries - glob-parent-5.1.0.tgz, glob-parent-3.1.0.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/eslint/node_modules/glob-parent/package.json
Dependency Hierarchy:
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (eslint): 7.0.0
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - serialize-javascript-2.1.2.tgzSerialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution (url-parse): 1.5.7
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - node-forge-0.9.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - axios-0.19.0.tgzPromise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/axios/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution: 0.20.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jquery-1.7.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html,/browser/flagr-ui/node_modules/sockjs/examples/express-3.x/index.html,/browser/flagr-ui/node_modules/sockjs/examples/multiplex/index.html,/browser/flagr-ui/node_modules/sockjs/examples/echo/index.html,/browser/flagr-ui/node_modules/sockjs/examples/hapi/html/index.html
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - node-forge-0.9.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - lodash-4.17.14.tgz, lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.14.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/vue-eslint-parser/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - node-forge-0.9.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - lodash-4.17.14.tgz, lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.14.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/vue-eslint-parser/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jquery-1.7.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html,/browser/flagr-ui/node_modules/sockjs/examples/express-3.x/index.html,/browser/flagr-ui/node_modules/sockjs/examples/multiplex/index.html,/browser/flagr-ui/node_modules/sockjs/examples/echo/index.html,/browser/flagr-ui/node_modules/sockjs/examples/hapi/html/index.html
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-19
Fix Resolution: jquery - 1.9.0
Vulnerable Library - websocket-extensions-0.1.3.tgzGeneric extension manager for WebSocket connections
Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/websocket-extensions/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
Publish Date: 2020-06-02
URL: CVE-2020-7662
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-g78m-2chm-r7qv
Release Date: 2020-06-02
Fix Resolution (websocket-extensions): 0.1.4
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jquery-1.7.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html,/browser/flagr-ui/node_modules/sockjs/examples/express-3.x/index.html,/browser/flagr-ui/node_modules/sockjs/examples/multiplex/index.html,/browser/flagr-ui/node_modules/sockjs/examples/echo/index.html,/browser/flagr-ui/node_modules/sockjs/examples/hapi/html/index.html
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Vulnerable Library - sockjs-0.3.19.tgzSockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution (sockjs): 0.3.20
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jquery-1.7.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /browser/flagr-ui/node_modules/sockjs/examples/express/index.html,/browser/flagr-ui/node_modules/sockjs/examples/express-3.x/index.html,/browser/flagr-ui/node_modules/sockjs/examples/multiplex/index.html,/browser/flagr-ui/node_modules/sockjs/examples/echo/index.html,/browser/flagr-ui/node_modules/sockjs/examples/hapi/html/index.html
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
Vulnerable Library - highlight.js-9.15.8.tgzSyntax highlighting with language autodetection.
Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.15.8.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/highlight.js/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.
Publish Date: 2020-12-04
URL: WS-2020-0208
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-04
Fix Resolution (highlight.js): 10.4.1
Direct dependency fix Resolution (mavon-editor): 2.10.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - node-forge-0.9.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - node-forge-0.9.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - ajv-6.12.0.tgz, ajv-6.10.0.tgz, ajv-6.11.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/@vue/cli-service/node_modules/ajv/package.json
Dependency Hierarchy:
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/ajv/package.json
Dependency Hierarchy:
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.11.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/cache-loader/node_modules/ajv/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (eslint): 7.0.0
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (eslint): 7.0.0
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - y18n-4.0.0.tgzthe bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - elliptic-6.5.2.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
all versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - elliptic-6.5.2.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - mavon-editor-2.7.4.tgzVue markdown editor
Library home page: https://registry.npmjs.org/mavon-editor/-/mavon-editor-2.7.4.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/mavon-editor/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
Mavon-editor is vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize entered input, allowing attackers to execute arbitrary JavaScript in a victim's browser. All version are affected.
Publish Date: 2019-10-06
URL: WS-2019-0283
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0283
Release Date: 2019-10-06
Fix Resolution: 2.7.7
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - yargs-parser-11.1.1.tgzthe mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/webpack-dev-server/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - glob-parent-5.1.0.tgz, glob-parent-3.1.0.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/eslint/node_modules/glob-parent/package.json
Dependency Hierarchy:
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution (glob-parent): 6.0.1
Direct dependency fix Resolution (eslint): 8.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /browser/flagr-ui/package.json
Path to vulnerable library: /browser/flagr-ui/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 95c92c0b82ebc8c6c86090b55e337f8d16f2933b
Found in base branch: master
Vulnerability Details
url-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (@vue/cli-service): 4.3.0
⛑️ Automatic Remediation will be attempted for this issue.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
