
braindump's Introduction

DEPRECATED: Read more here and join me in using and contributing to Standard Notes instead.

braindump

BrainDump is a simple, powerful, and open note taking platform that makes it easy to organize your life.

Features

  • RESTful API (WIP)
  • Full Markdown Editing
  • Full Markdown Viewing
  • Share Notes via Email
  • Categorize Notes into Notebooks
  • Categorize Notes with Tags
  • Full Text Search
  • Mark notes as Favorites

Screenshots

  • Organize your Notes with Notebooks (screenshot: Notebooks)
  • Powerful Markdown based Editing with ProseMirror (screenshot: New Note)
  • All of your Notes in One Place (screenshot: All Notes)

Development

The easiest way to hack on braindump is with Vagrant.

Requirements

  1. VirtualBox
  2. Vagrant
  3. Git

Development Instructions

  1. Fork and Clone this repo locally
  2. cd into the new repo
  3. Run vagrant up
  4. The first time you run vagrant up, the provisioner (scripts/bootstrap.sh) runs, which takes a while. Each subsequent vagrant up is much quicker.
  5. Run vagrant ssh to enter the Vagrant box.
  6. Go to the /vagrant directory with cd /vagrant which is a synced folder of your local git repo.
  7. Run scripts/start-dev.sh to start the application
  8. Go to localhost:5000 to view the app, any changes you make locally will be reflected in the Vagrant environment.

Deploying to Production

The only official method of deploying Braindump is with Docker. Braindump.pw is currently running on an Ubuntu 16.04 LTS server on Linode. You can view scripts/deploy.sh to see how braindump is currently being deployed to production via CircleCI.

Requirements

  1. Docker and Docker Compose
  2. SMTP (Required for Creating new Accounts and Sharing Notes)

Deployment Instructions

  1. Log into your Production Server and install Docker and Docker Compose

  2. Create a new directory for braindump mkdir -p /var/www/braindump

  3. Edit scripts/secrets.sh and add your site specific environment credentials. Keep this file out of version control and readable only by the deploying user (chmod 600): it holds the production credentials that step 6 sources into the shell before starting docker-compose.

  4. Edit etc/conf/nginx.conf and add your site specific nginx configuration

  5. From your local repo, send latest scripts to production Server

    rsync -avz scripts/ $USER@SERVER:/var/www/braindump/scripts/
    rsync -avz etc/ $USER@SERVER:/var/www/braindump/etc/
    scp docker-compose.yml $USER@SERVER:/var/www/braindump
    
  6. From your local repo, log into production server, pull and restart Docker

    ssh $USER@SERVER 'cd /var/www/braindump && docker-compose pull'
    ssh $USER@SERVER 'cd /var/www/braindump && docker-compose build'
    ssh $USER@SERVER 'cd /var/www/braindump && source scripts/secrets.sh && docker-compose up -d'
    
  7. (Optional) To set up automatic backups every 6 hours, install the backup script as your crontab: crontab scripts/braindump-backup. Note that crontab FILE replaces the invoking user's entire crontab with the contents of FILE, so if that user already has cron jobs, merge the entry by hand with crontab -e instead.

If all goes well, you will be able to navigate to $YOUR_SERVER in a browser and see the app. If you get a bad gateway error, or some other error, run docker-compose in the foreground to get additional logging:

    cd /var/www/braindump && source scripts/secrets.sh && docker-compose up
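Before step 6 sources scripts/secrets.sh and hands its variables to docker-compose, it is worth checking that the file is not readable by other users on the server and that no credential has been left empty or at a placeholder value. The following script is an added example and is not part of the braindump repository. It assumes secrets.sh consists of `export NAME=value` lines, and the variable names in REQUIRED (SECRET_KEY, MAIL_SERVER, MAIL_PASSWORD) are placeholders for whatever your secrets.sh actually exports; substitute the real names. The demo() function writes a constructed sample file to a temporary directory so the check can be exercised offline.

```python
"""Added example: sanity-check scripts/secrets.sh before sourcing it for docker-compose."""
import os
import re
import stat
import tempfile

# Assumed layout of scripts/secrets.sh: one `export NAME=value` (or `NAME=value`) per line.
ASSIGN_RE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
# Assumed variable names; replace with the ones your secrets.sh really exports.
REQUIRED = ("SECRET_KEY", "MAIL_SERVER", "MAIL_PASSWORD")
PLACEHOLDERS = {"", "changeme", "change-me", "xxx", "todo", "password"}


def parse_env_file(path):
    """Return {NAME: value} for every assignment line; comments and blanks are skipped."""
    values = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            m = ASSIGN_RE.match(line.rstrip("\n"))
            if m:
                name, raw = m.groups()
                values[name] = raw.strip().strip('"').strip("'")
    return values


def check_secrets(path, required=REQUIRED):
    """Return a list of findings; an empty list means the file is safe to source."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"{path} is readable by group/others (mode {mode:04o}); run chmod 600 on it")
    values = parse_env_file(path)
    for name in required:
        if name not in values:
            findings.append(f"{name} is not set")
        elif values[name].lower() in PLACEHOLDERS:
            findings.append(f"{name} is empty or still a placeholder")
    return findings


def demo():
    """Constructed sample: a sloppy secrets file first, then the same file fixed."""
    path = os.path.join(tempfile.mkdtemp(), "secrets.sh")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('export SECRET_KEY="changeme"\n'
                 'export MAIL_PASSWORD=\n'
                 '# MAIL_SERVER deliberately missing\n')
    os.chmod(path, 0o644)                     # world-readable: one finding
    before = check_secrets(path)              # 4 findings in total
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('export SECRET_KEY="9f1c7e0b4a...generated-with-openssl-rand"\n'
                 'export MAIL_SERVER=smtp.example.org\n'
                 'export MAIL_PASSWORD="s3cr3t-app-password"\n')
    os.chmod(path, 0o600)
    after = check_secrets(path)               # no findings
    return before, after


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # real use: python check_secrets.py scripts/secrets.sh
        problems = check_secrets(sys.argv[1])
        print("\n".join(problems) or "OK")
        sys.exit(1 if problems else 0)
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

Run it against the real file on the production host right before the `source scripts/secrets.sh && docker-compose up -d` step; a non-zero exit stops the deploy.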

braindump's People

Contributors

acemaster, felicianotech, frederick-s, gitter-badger, iamgroot42, jo541, levlaz, makalaaneesh, mend-for-github-com[bot], ndintenfass, panmax, projectfrank, rouzbeh84, snowdensb, syuhci

braindump's Issues

WS-2018-0076 (Medium) detected in tunnel-agent-0.4.3.tgz - autoclosed

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tunnel-agent

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • request-2.78.0.tgz
        • tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2017-03-05

Fix Resolution (tunnel-agent): 0.6.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-11023 (Medium) detected in multiple libraries - autoclosed

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.7.1.min.js, jquery-2.2.4.tgz, jquery-1.10.1.min.js, jquery-2.1.4.min.js

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-2.2.4.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jquery

Dependency Hierarchy:

  • jquery-2.2.4.tgz (Vulnerable Library)
jquery-1.10.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.1/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tabcollapse/example/example.html

Path to vulnerable library: /node_modules/bootstrap-tabcollapse/example/lib/js/jquery-1.10.1.min.js

Dependency Hierarchy:

  • jquery-1.10.1.min.js (Vulnerable Library)
jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/index.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-24025 (Medium) detected in node-sass-3.12.1.tgz - autoclosed

CVE-2020-24025 - Medium Severity Vulnerability

Vulnerable Library - node-sass-3.12.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

Publish Date: 2021-01-11

URL: CVE-2020-24025

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r8f7-9pfq-mjmv

Release Date: 2021-01-11

Fix Resolution (node-sass): 7.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3750 (Medium) detected in deep-extend-0.4.1.tgz - autoclosed

CVE-2018-3750 - Medium Severity Vulnerability

Vulnerable Library - deep-extend-0.4.1.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/deep-extend

Dependency Hierarchy:

  • npm-watch-0.1.6.tgz (Root Library)
    • nodemon-1.11.0.tgz
      • chokidar-1.6.1.tgz
        • fsevents-1.0.15.tgz
          • node-pre-gyp-0.6.31.tgz
            • rc-1.1.6.tgz
              • deep-extend-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2018-05-24

Fix Resolution (deep-extend): 0.5.1

Direct dependency fix Resolution (npm-watch): 0.1.7


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-11556 (High) detected in multiple libraries - autoclosed

CVE-2017-11556 - High Severity Vulnerability

Vulnerable Library - libsass3.3.6 (the scanner listed the same entry five times)

Vulnerability Details

There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service.

Publish Date: 2017-07-23

URL: CVE-2017-11556

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-07-23

Fix Resolution: LibSass - 3.5.0

CVE-2017-12964 (High) detected in node-sass-3.12.1.tgz - autoclosed

CVE-2017-12964 - High Severity Vulnerability

Vulnerable Library - node-sass-3.12.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

There is a stack consumption issue in LibSass 3.4.5 that is triggered in the function Sass::Eval::operator() in eval.cpp. It will lead to a remote denial of service attack.

Publish Date: 2017-08-18

URL: CVE-2017-12964

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-03

Fix Resolution (node-sass): 4.4.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-16137 (Medium) detected in debug-2.2.0.tgz, debug-2.3.2.tgz - autoclosed

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Libraries - debug-2.2.0.tgz, debug-2.3.2.tgz

debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/debug

Dependency Hierarchy:

  • npm-watch-0.1.6.tgz (Root Library)
    • nodemon-1.11.0.tgz
      • chokidar-1.6.1.tgz
        • fsevents-1.0.15.tgz
          • node-pre-gyp-0.6.31.tgz
            • tar-pack-3.3.0.tgz
              • debug-2.2.0.tgz (Vulnerable Library)
debug-2.3.2.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/debug

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • node-gyp-3.4.0.tgz
        • path-array-1.0.1.tgz
          • array-index-1.0.0.tgz
            • debug-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-04-26

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (npm-watch): 0.1.7

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-11696 (High) detected in libsass3.3.6, node-sass-3.12.1.tgz - autoclosed

CVE-2018-11696 - High Severity Vulnerability

Vulnerable Libraries - libsass3.3.6, node-sass-3.12.1.tgz

node-sass-3.12.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11696

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0

WS-2019-0017 (Medium) detected in clean-css-3.4.20.tgz - autoclosed

WS-2019-0017 - Medium Severity Vulnerability

Vulnerable Library - clean-css-3.4.20.tgz

A well-tested CSS minifier

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.20.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/clean-css

Dependency Hierarchy:

  • gulp-clean-css-2.0.13.tgz (Root Library)
    • clean-css-3.4.20.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive, leading to Denial of Service.

Publish Date: 2018-03-06

URL: WS-2019-0017

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wxhq-pm8v-cw75

Release Date: 2018-03-06

Fix Resolution (clean-css): 4.1.11

Direct dependency fix Resolution (gulp-clean-css): 2.4.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-18797 (Medium) detected in libsass3.3.6, node-sass-3.12.1.tgz - autoclosed

CVE-2019-18797 - Medium Severity Vulnerability

Vulnerable Libraries - libsass3.3.6, node-sass-3.12.1.tgz

node-sass-3.12.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.

Publish Date: 2019-11-06

URL: CVE-2019-18797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-18797

Release Date: 2019-11-06

Fix Resolution: node-sass - 4.14.0, 4.8.0. (The scanner's raw entry also listed GR.PageRender.Razor - 1.8.0, MIDIator.WebClient - 1.0.105 and Fable.Template.Elmish.React - 0.1.6; none of those packages appears anywhere in this repository's dependency tree, so they can be ignored here.)

CVE-2020-28498 (Medium) detected in elliptic-6.3.2.tgz - autoclosed

CVE-2020-28498 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.3.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/elliptic

Dependency Hierarchy:

  • browserify-13.1.1.tgz (Root Library)
    • crypto-browserify-3.11.0.tgz
      • browserify-sign-4.0.0.tgz
        • elliptic-6.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution (elliptic): 6.5.4

Direct dependency fix Resolution (browserify): 13.2.0


⛑️ Automatic Remediation will be attempted for this issue.
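The missing check the advisory describes is the point-validity test every ECDH implementation has to run on a peer's public key before multiplying it by the private scalar. The affine addition formulas never use the curve constant b, so an off-curve input is silently processed as a point on some other curve y² = x³ + b′, which is what lets a peer that controls the point learn bits of the private key over repeated derive calls. The block below is an added Python illustration, not code from the elliptic package: it implements secp256k1 from the published SEC 2 domain parameters, shows an unchecked derive accepting a constructed off-curve point (G with its y coordinate bumped by one), and rejects the same point in the checked version. The arithmetic is not constant time and is for illustration only; it needs Python 3.8+ for pow(x, -1, P).

```python
"""Added example: the on-curve check missing from elliptic < 6.5.4, shown on secp256k1."""

# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over GF(P), base point G of order N
P = 2**256 - 2**32 - 977
A, B = 0, 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (GX, GY)


def on_curve(point):
    """True if point is the identity (None) or an affine point satisfying the curve equation."""
    if point is None:
        return True
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def curve_b_of(point):
    """The b' for which (x, y) lies on y^2 = x^3 + b'; equals B only for genuine secp256k1 points."""
    x, y = point
    return (y * y - x * x * x - A * x) % P


def _add(p1, p2):
    """Affine point addition; None is the point at infinity. B never appears here,
    which is exactly why an unchecked implementation happily works on the wrong curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p2 == -p1 (also covers doubling a point with y == 0)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def derive_unchecked(priv, pub):
    """Mirrors the flaw: multiply whatever point the peer sent, with no validation."""
    shared = _mul(priv, pub)
    return None if shared is None else shared[0]


def derive(priv, pub):
    """Hardened ECDH: reject non-curve points and out-of-range scalars before any arithmetic."""
    if pub is None or not on_curve(pub):
        raise ValueError("peer public key is not a point on secp256k1")
    if not 1 <= priv < N:
        raise ValueError("private scalar out of range")
    shared = _mul(priv, pub)
    if shared is None:
        raise ValueError("shared point is the point at infinity")
    return shared[0]


def is_rejected(priv, pub):
    """True if the hardened derive refuses this input."""
    try:
        derive(priv, pub)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bogus = (GX, GY + 1)  # constructed: G with y bumped by one, so not on the curve
    print("G on curve:", on_curve(G), " bogus on curve:", on_curve(bogus))
    print("bogus lies on y^2 = x^3 + b' with b' = %x" % curve_b_of(bogus))
    print("unchecked derive still returns x =", hex(derive_unchecked(12345, bogus)))
    print("checked derive rejects it:", is_rejected(12345, bogus))
```

A complete fix also checks that the point has the expected order when the curve has a cofactor (secp256k1's cofactor is 1, so the curve-equation test suffices there), and a real library does the multiplication in constant time.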

CVE-2018-11698 (Medium) detected in libsass3.3.6, node-sass-3.12.1.tgz - autoclosed

CVE-2018-11698 - Medium Severity Vulnerability

Vulnerable Libraries - libsass3.3.6, node-sass-3.12.1.tgz

node-sass-3.12.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: node-sass - 3.6.0 (as reported by the scanner; note that this is lower than the node-sass 3.12.1 already installed, so it cannot be the actual fix. The underlying LibSass bug is fixed in LibSass 3.5.5, which the CVE-2018-11696 entry above maps to node-sass 4.14.0, so that is the version to target.)

CVE-2018-21270 (Medium) detected in stringstream-0.0.5.tgz - autoclosed

CVE-2018-21270 - Medium Severity Vulnerability

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/stringstream

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • request-2.78.0.tgz
        • stringstream-0.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

Publish Date: 2020-12-03

URL: CVE-2018-21270

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270

Release Date: 2020-12-03

Fix Resolution (stringstream): 0.0.6

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-1000227 (High) detected in bootstrap-tagsinput-0.7.1.tgz - autoclosed

CVE-2016-1000227 - High Severity Vulnerability

Vulnerable Library - bootstrap-tagsinput-0.7.1.tgz

jQuery plugin providing a Twitter Bootstrap user interface for managing tags.

Library home page: https://registry.npmjs.org/bootstrap-tagsinput/-/bootstrap-tagsinput-0.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bootstrap-tagsinput

Dependency Hierarchy:

  • bootstrap-tagsinput-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

bootstrap-tagsinput through 0.8.0 are vulnerable to cross-site scripting when user input is passed into the itemTitle parameter unmodified, as the package fails to properly sanitize or encode user input for that parameter.

Publish Date: 2020-07-21

URL: CVE-2016-1000227

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2017-15010 (High) detected in tough-cookie-2.3.2.tgz - autoclosed

CVE-2017-15010 - High Severity Vulnerability

Vulnerable Library - tough-cookie-2.3.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tough-cookie

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • request-2.78.0.tgz
        • tough-cookie-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010

Release Date: 2017-10-03

Fix Resolution (tough-cookie): 2.3.3

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0084 (High) detected in sshpk-1.10.1.tgz - autoclosed

WS-2018-0084 - High Severity Vulnerability

Vulnerable Library - sshpk-1.10.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.10.1.tgz

Path to dependency file: braindump/package.json

Path to vulnerable library: braindump/node_modules/sshpk

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • request-2.78.0.tgz
        • http-signature-1.1.1.tgz
          • sshpk-1.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution: 1.14.1

CVE-2018-1000620 (Critical) detected in cryptiles-2.0.5.tgz - autoclosed

CVE-2018-1000620 - Critical Severity Vulnerability

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cryptiles

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • request-2.78.0.tgz
        • hawk-3.1.3.tgz
          • cryptiles-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Eran Hammer's cryptiles version 4.1.1 and earlier contains a CWE-331 (Insufficient Entropy) vulnerability in the randomDigits() method: its output is less random than intended, so an attacker is more likely to be able to brute force a value that was supposed to be random. Exploitability depends upon the calling application. This vulnerability was fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-10540 (Medium) detected in minimatch-0.2.14.tgz, minimatch-2.0.10.tgz - autoclosed

CVE-2016-10540 - Medium Severity Vulnerability

Vulnerable Libraries - minimatch-0.2.14.tgz, minimatch-2.0.10.tgz

minimatch-0.2.14.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • minimatch-0.2.14.tgz (Vulnerable Library)
minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-stream-3.1.18.tgz
        • minimatch-2.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-04-26

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (gulp): 4.0.0


⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0628 (Medium) detected in marked-0.3.6.tgz - autoclosed

WS-2018-0628 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked

Dependency Hierarchy:

  • jsdoc-3.4.3.tgz (Root Library)
    • marked-0.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (ReDoS) through heading in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-04-16

Fix Resolution (marked): 0.4.0

Direct dependency fix Resolution (jsdoc): 3.6.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10795 (Medium) detected in undefsafe-0.0.3.tgz - autoclosed

CVE-2019-10795 - Medium Severity Vulnerability

Vulnerable Library - undefsafe-0.0.3.tgz

Undefined safe way of extracting object properties

Library home page: https://registry.npmjs.org/undefsafe/-/undefsafe-0.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undefsafe

Dependency Hierarchy:

  • npm-watch-0.1.6.tgz (Root Library)
    • nodemon-1.11.0.tgz
      • undefsafe-0.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.

Publish Date: 2020-02-18

URL: CVE-2019-10795

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10795

Release Date: 2020-02-27

Fix Resolution (undefsafe): 2.0.3

Direct dependency fix Resolution (npm-watch): 0.1.7


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-18077 (Medium) detected in brace-expansion-1.1.6.tgz - autoclosed

CVE-2017-18077 - Medium Severity Vulnerability

Vulnerable Library - brace-expansion-1.1.6.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/brace-expansion

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-stream-3.1.18.tgz
        • minimatch-2.0.10.tgz
          • brace-expansion-1.1.6.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.
Mend Note: Converted from WS-2017-0206, on 2022-11-08.

Publish Date: 2018-01-27

URL: CVE-2017-18077

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18077

Release Date: 2022-10-03

Fix Resolution (brace-expansion): 1.1.7

Direct dependency fix Resolution (gulp): 4.0.0


⛑️ Automatic Remediation will be attempted for this issue.

WS-2017-0247 (Low) detected in ms-0.7.1.tgz, ms-0.7.2.tgz - autoclosed

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Libraries - ms-0.7.1.tgz, ms-0.7.2.tgz

ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: braindump/package.json

Path to vulnerable library: braindump/node_modules/ms

Dependency Hierarchy:

  • npm-watch-0.1.6.tgz (Root Library)
    • nodemon-1.11.0.tgz
      • chokidar-1.6.1.tgz
        • fsevents-1.0.15.tgz
          • node-pre-gyp-0.6.31.tgz
            • tar-pack-3.3.0.tgz
              • debug-2.2.0.tgz
                • ms-0.7.1.tgz (Vulnerable Library)

ms-0.7.2.tgz

Tiny milisecond conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz

Path to dependency file: braindump/package.json

Path to vulnerable library: braindump/node_modules/ms

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • node-gyp-3.4.0.tgz
        • path-array-1.0.1.tgz
          • array-index-1.0.0.tgz
            • debug-2.3.2.tgz
              • ms-0.7.2.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1

CVE-2020-11022 (Medium) detected in multiple libraries - autoclosed

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.2.4.tgz, jquery-1.10.1.min.js, jquery-2.1.4.min.js, jquery-1.11.1.min.js, jquery-1.7.1.min.js

jquery-2.2.4.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jquery

Dependency Hierarchy:

  • jquery-2.2.4.tgz (Vulnerable Library)

jquery-1.10.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.1/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tabcollapse/example/example.html

Path to vulnerable library: /node_modules/bootstrap-tabcollapse/example/lib/js/jquery-1.10.1.min.js

Dependency Hierarchy:

  • jquery-1.10.1.min.js (Vulnerable Library)

jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/index.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)

jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: 3.5.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-20676 (Medium) detected in multiple libraries - autoclosed

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.3.4.js, bootstrap-3.3.7.tgz, bootstrap-3.3.5.min.js

bootstrap-3.3.4.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/js/bootstrap.js

Path to dependency file: /node_modules/bootstrap-tabcollapse/example/example.html

Path to vulnerable library: /node_modules/bootstrap-tabcollapse/example/lib/js/bootstrap/bootstrap.js

Dependency Hierarchy:

  • bootstrap-3.3.4.js (Vulnerable Library)

bootstrap-3.3.7.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bootstrap

Dependency Hierarchy:

  • bootstrap-3.3.7.tgz (Vulnerable Library)

bootstrap-3.3.5.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/index.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/index.html

Dependency Hierarchy:

  • bootstrap-3.3.5.min.js (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3737 (High) detected in sshpk-1.10.1.tgz - autoclosed

CVE-2018-3737 - High Severity Vulnerability

Vulnerable Library - sshpk-1.10.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/sshpk

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • request-2.78.0.tgz
        • http-signature-1.1.1.tgz
          • sshpk-1.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

Publish Date: 2018-06-07

URL: CVE-2018-3737

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/319593

Release Date: 2018-04-26

Fix Resolution (sshpk): 1.13.2

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0344 (Critical) detected in is-my-json-valid-2.15.0.tgz - autoclosed

WS-2020-0344 - Critical Severity Vulnerability

Vulnerable Library - is-my-json-valid-2.15.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.15.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-my-json-valid

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • request-2.78.0.tgz
        • har-validator-2.0.6.tgz
          • is-my-json-valid-2.15.0.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

An Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-06-09

Fix Resolution (is-my-json-valid): 2.20.3

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-1010083 (High) detected in Flask-0.11.1-py2.py3-none-any.whl - autoclosed

CVE-2019-1010083 - High Severity Vulnerability

Vulnerable Library - Flask-0.11.1-py2.py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/63/2b/01f5ed23a78391f6e3e73075973da0ecb467c831376a0b09c0ec5afd7977/Flask-0.11.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Flask_Login-0.4.0-py2.py3-none-any.whl (Root Library)
    • Flask-0.11.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.

Publish Date: 2019-07-17

URL: CVE-2019-1010083

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010083

Release Date: 2019-07-17

Fix Resolution: 1.0

CVE-2018-11694 (High) detected in multiple libraries - autoclosed

CVE-2018-11694 - High Severity Vulnerability

Vulnerable Libraries - libsass3.3.6, libsass3.3.6, node-sass-3.12.1.tgz

node-sass-3.12.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

CVE-2018-11693 (High) detected in libsass3.3.6, node-sass-3.12.1.tgz - autoclosed

CVE-2018-11693 - High Severity Vulnerability

Vulnerable Libraries - libsass3.3.6, node-sass-3.12.1.tgz

node-sass-3.12.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11693

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: node-sass - 4.14.0

CVE-2018-20677 (Medium) detected in multiple libraries - autoclosed

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-2.3.2.min.js, bootstrap-3.3.7.tgz, bootstrap-3.3.5.min.js, bootstrap-3.3.4.js

bootstrap-2.3.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.3.2/js/bootstrap.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Dependency Hierarchy:

  • bootstrap-2.3.2.min.js (Vulnerable Library)

bootstrap-3.3.7.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bootstrap

Dependency Hierarchy:

  • bootstrap-3.3.7.tgz (Vulnerable Library)

bootstrap-3.3.5.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/index.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/index.html

Dependency Hierarchy:

  • bootstrap-3.3.5.min.js (Vulnerable Library)

bootstrap-3.3.4.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/js/bootstrap.js

Path to dependency file: /node_modules/bootstrap-tabcollapse/example/example.html

Path to vulnerable library: /node_modules/bootstrap-tabcollapse/example/lib/js/bootstrap/bootstrap.js

Dependency Hierarchy:

  • bootstrap-3.3.4.js (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0


⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0345 (High) detected in jsonpointer-4.0.0.tgz - autoclosed

WS-2020-0345 - High Severity Vulnerability

Vulnerable Library - jsonpointer-4.0.0.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonpointer

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • request-2.78.0.tgz
        • har-validator-2.0.6.tgz
          • is-my-json-valid-2.15.0.tgz
            • jsonpointer-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

A Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.

Publish Date: 2020-07-03

URL: WS-2020-0345

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-03

Fix Resolution (jsonpointer): 4.1.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-8331 (Medium) detected in multiple libraries - autoclosed

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.3.4.js, bootstrap-3.3.5.min.js, bootstrap-3.3.7.tgz, bootstrap-2.3.2.min.js

bootstrap-3.3.4.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/js/bootstrap.js

Path to dependency file: /node_modules/bootstrap-tabcollapse/example/example.html

Path to vulnerable library: /node_modules/bootstrap-tabcollapse/example/lib/js/bootstrap/bootstrap.js

Dependency Hierarchy:

  • bootstrap-3.3.4.js (Vulnerable Library)

bootstrap-3.3.5.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/index.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/index.html

Dependency Hierarchy:

  • bootstrap-3.3.5.min.js (Vulnerable Library)

bootstrap-3.3.7.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bootstrap

Dependency Hierarchy:

  • bootstrap-3.3.7.tgz (Vulnerable Library)

bootstrap-2.3.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.3.2/js/bootstrap.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Dependency Hierarchy:

  • bootstrap-2.3.2.min.js (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-13822 (High) detected in elliptic-6.3.2.tgz - autoclosed

CVE-2020-13822 - High Severity Vulnerability

Vulnerable Library - elliptic-6.3.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/elliptic

Dependency Hierarchy:

  • browserify-13.1.1.tgz (Root Library)
    • crypto-browserify-3.11.0.tgz
      • browserify-sign-4.0.0.tgz
        • elliptic-6.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (elliptic): 6.5.3

Direct dependency fix Resolution (browserify): 13.2.0


⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0163 (Medium) detected in marked-0.3.6.tgz - autoclosed

WS-2020-0163 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked

Dependency Hierarchy:

  • jsdoc-3.4.3.tgz (Root Library)
    • marked-0.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (ReDoS). rules.js has multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (marked): 1.1.1

Direct dependency fix Resolution (jsdoc): 3.6.7


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3749 (Critical) detected in deap-1.0.0.tgz - autoclosed

CVE-2018-3749 - Critical Severity Vulnerability

Vulnerable Library - deap-1.0.0.tgz

extend and merge objects, deep or shallow

Library home page: https://registry.npmjs.org/deap/-/deap-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/deap

Dependency Hierarchy:

  • gulp-uglify-1.5.4.tgz (Root Library)
    • deap-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

The utilities function in all versions < 1.0.1 of the deap node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
Mend Note: Converted from WS-2018-0090, on 2022-11-08.

Publish Date: 2018-07-03

URL: CVE-2018-3749

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/611

Release Date: 2018-05-24

Fix Resolution (deap): 1.0.1

Direct dependency fix Resolution (gulp-uglify): 2.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23337 (High) detected in lodash-1.0.2.tgz, lodash-4.16.6.tgz - autoclosed

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-4.16.6.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • lodash-1.0.2.tgz (Vulnerable Library)
lodash-4.16.6.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.16.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • sass-graph-2.1.2.tgz
        • lodash-4.16.6.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0342 (High) detected in is-my-json-valid-2.15.0.tgz - autoclosed

WS-2020-0342 - High Severity Vulnerability

Vulnerable Library - is-my-json-valid-2.15.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.15.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-my-json-valid

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • request-2.78.0.tgz
        • har-validator-2.0.6.tgz
          • is-my-json-valid-2.15.0.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-06-27

Fix Resolution (is-my-json-valid): 2.20.2

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7774 (Critical) detected in y18n-3.2.1.tgz - autoclosed

CVE-2020-7774 - Critical Severity Vulnerability

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • sass-graph-2.1.2.tgz
        • yargs-4.8.1.tgz
          • y18n-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-16472 (High) detected in cached-path-relative-1.0.0.tgz - autoclosed

CVE-2018-16472 - High Severity Vulnerability

Vulnerable Library - cached-path-relative-1.0.0.tgz

Memoize the results of the path.relative function

Library home page: https://registry.npmjs.org/cached-path-relative/-/cached-path-relative-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cached-path-relative

Dependency Hierarchy:

  • browserify-13.1.1.tgz (Root Library)
    • cached-path-relative-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack.
Mend Note: Converted from WS-2018-0215, on 2022-11-08.

Publish Date: 2018-11-06

URL: CVE-2018-16472

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16472

Release Date: 2018-11-06

Fix Resolution (cached-path-relative): 1.0.2

Direct dependency fix Resolution (browserify): 13.2.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2015-9251 (Medium) detected in multiple libraries - autoclosed

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.2.4.tgz, jquery-2.1.4.min.js, jquery-1.11.1.min.js, jquery-1.7.1.min.js, jquery-1.10.1.min.js

jquery-2.2.4.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jquery

Dependency Hierarchy:

  • jquery-2.2.4.tgz (Vulnerable Library)
jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/index.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)
jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)
jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-1.10.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.1/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tabcollapse/example/example.html

Path to vulnerable library: /node_modules/bootstrap-tabcollapse/example/lib/js/jquery-1.10.1.min.js

Dependency Hierarchy:

  • jquery-1.10.1.min.js (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-11697 (Medium) detected in multiple libraries - autoclosed

CVE-2018-11697 - Medium Severity Vulnerability

Vulnerable Libraries - libsass3.3.6, libsass3.3.6, libsass3.3.6, node-sass-3.12.1.tgz

node-sass-3.12.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: libsass - 3.6.0

CVE-2017-1000048 (High) detected in qs-6.3.0.tgz - autoclosed

CVE-2017-1000048 - High Severity Vulnerability

Vulnerable Library - qs-6.3.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • request-2.78.0.tgz
        • qs-6.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

A web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a crafted request that causes the web framework to crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-13

Fix Resolution (qs): 6.3.2

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10744 (Critical) detected in multiple libraries - autoclosed

CVE-2019-10744 - Critical Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-4.16.6.tgz, lodash.template-3.6.2.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • lodash-1.0.2.tgz (Vulnerable Library)
lodash-4.16.6.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.16.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz
      • sass-graph-2.1.2.tgz
        • lodash-4.16.6.tgz (Vulnerable Library)
lodash.template-3.6.2.tgz

The modern build of lodash’s `_.template` as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash.template

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • gulp-util-3.0.7.tgz
      • lodash.template-3.6.2.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (gulp-sass): 3.0.0

Fix Resolution (lodash.template): 4.17.12

Direct dependency fix Resolution (gulp): 4.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-11695 (High) detected in libsass3.3.6, node-sass-3.12.1.tgz - autoclosed

CVE-2018-11695 - High Severity Vulnerability

Vulnerable Libraries - libsass3.3.6, node-sass-3.12.1.tgz

node-sass-3.12.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-06-04

Fix Resolution: libsass - 3.5.3;node-sass - 4.9.0

CVE-2020-7788 (Critical) detected in ini-1.3.4.tgz - autoclosed

CVE-2020-7788 - Critical Severity Vulnerability

Vulnerable Library - ini-1.3.4.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ini

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • liftoff-2.3.0.tgz
      • findup-sync-0.4.3.tgz
        • resolve-dir-0.1.1.tgz
          • global-modules-0.2.3.tgz
            • global-prefix-0.1.4.tgz
              • ini-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (gulp): 4.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-11499 (Critical) detected in node-sass-3.12.1.tgz - autoclosed

CVE-2018-11499 - Critical Severity Vulnerability

Vulnerable Library - node-sass-3.12.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.12.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-sass

Dependency Hierarchy:

  • gulp-sass-2.3.2.tgz (Root Library)
    • node-sass-3.12.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-05-26

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (gulp-sass): 3.0.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-11358 (Medium) detected in multiple libraries - autoclosed

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.2.4.tgz, jquery-2.1.4.min.js, jquery-1.11.1.min.js, jquery-1.10.1.min.js

jquery-2.2.4.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-2.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jquery

Dependency Hierarchy:

  • jquery-2.2.4.tgz (Vulnerable Library)
jquery-2.1.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/index.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/index.html

Dependency Hierarchy:

  • jquery-2.1.4.min.js (Vulnerable Library)
jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)
jquery-1.10.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.1/jquery.min.js

Path to dependency file: /node_modules/bootstrap-tabcollapse/example/example.html

Path to vulnerable library: /node_modules/bootstrap-tabcollapse/example/lib/js/jquery-1.10.1.min.js

Dependency Hierarchy:

  • jquery-1.10.1.min.js (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0


⛑️ Automatic Remediation will be attempted for this issue.

WS-2016-0041 (High) detected in bootstrap-tagsinput-0.7.1.tgz - autoclosed

WS-2016-0041 - High Severity Vulnerability

Vulnerable Library - bootstrap-tagsinput-0.7.1.tgz

jQuery plugin providing a Twitter Bootstrap user interface for managing tags.

Library home page: https://registry.npmjs.org/bootstrap-tagsinput/-/bootstrap-tagsinput-0.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bootstrap-tagsinput

Dependency Hierarchy:

  • bootstrap-tagsinput-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

In rendr-handlebars there are double-escaped data attributes in the client-side view placeholder that cause a potential XSS attack.

Publish Date: 2016-03-11

URL: WS-2016-0041

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2016-0041

Release Date: 2016-03-11

Fix Resolution: org.webjars.bower:bootstrap-tagsinput - 0.8.0;Shared.Plugins - 1.0.6;ClientApp.Web - 2.0.0.1


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-14863 (Medium) detected in angular-1.2.20.min.js - autoclosed

CVE-2019-14863 - Medium Severity Vulnerability

Vulnerable Library - angular-1.2.20.min.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.2.20/angular.min.js

Path to dependency file: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Path to vulnerable library: /node_modules/bootstrap-tagsinput/examples/bootstrap-2.3.2.html

Dependency Hierarchy:

  • angular-1.2.20.min.js (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.

Publish Date: 2020-01-02

URL: CVE-2019-14863

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-09

Fix Resolution: angular - v1.5.0-beta.1;org.webjars:angularjs:1.5.0-rc.0

CVE-2020-7656 (Medium) detected in jquery-1.7.1.min.js - autoclosed

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 815ae0afebcf867f02143f3ab9cf88b1d4dacdec

Found in base branch: master

Vulnerability Details

jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags whose closing tag contains a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0
