cs116-lab10's People

Contributors

tz924, mend-bolt-for-github[bot]

cs116-lab10's Issues

autoprefixer-9.6.0.tgz: 4 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - autoprefixer-9.6.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/browserslist/package.json

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (autoprefixer version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-23382 | High | 7.5 | postcss-7.0.17.tgz | Transitive | 9.6.1 | |
| CVE-2023-44270 | Medium | 5.3 | postcss-7.0.17.tgz | Transitive | N/A* | |
| CVE-2021-23368 | Medium | 5.3 | postcss-7.0.17.tgz | Transitive | 9.6.1 | |
| CVE-2021-23364 | Medium | 5.3 | browserslist-4.6.3.tgz | Transitive | 9.6.1 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23382

Vulnerable Library - postcss-7.0.17.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.17.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/postcss/package.json

Dependency Hierarchy:

  • autoprefixer-9.6.0.tgz (Root Library)
    • postcss-7.0.17.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (autoprefixer): 9.6.1

Step up your Open Source Security Game with Mend here

CVE-2023-44270

Vulnerable Library - postcss-7.0.17.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.17.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/postcss/package.json

Dependency Hierarchy:

  • autoprefixer-9.6.0.tgz (Root Library)
    • postcss-7.0.17.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Publish Date: 2023-09-29

URL: CVE-2023-44270

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270

Release Date: 2023-09-29

Fix Resolution: postcss - 8.4.31

CVE-2021-23368

Vulnerable Library - postcss-7.0.17.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.17.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/postcss/package.json

Dependency Hierarchy:

  • autoprefixer-9.6.0.tgz (Root Library)
    • postcss-7.0.17.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2024-08-01

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (autoprefixer): 9.6.1

CVE-2021-23364

Vulnerable Library - browserslist-4.6.3.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.6.3.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/browserslist/package.json

Dependency Hierarchy:

  • autoprefixer-9.6.0.tgz (Root Library)
    • browserslist-4.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution (browserslist): 4.16.5

Direct dependency fix Resolution (autoprefixer): 9.6.1

postcss-cli-6.1.3.tgz: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - postcss-cli-6.1.3.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library:

  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-safe-parser/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-reporter/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/stylelint/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-cli/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/autoprefixer/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/sugarss/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-less/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-sass/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-scss/node_modules/postcss/package.json

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (postcss-cli version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-23382 | High | 7.5 | postcss-7.0.18.tgz | Transitive | 7.0.0 | |
| CVE-2023-44270 | Medium | 5.3 | postcss-7.0.18.tgz | Transitive | N/A* | |
| CVE-2021-23368 | Medium | 5.3 | postcss-7.0.18.tgz | Transitive | 7.0.0 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23382

Vulnerable Library - postcss-7.0.18.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.18.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library:

  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-safe-parser/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-reporter/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/stylelint/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-cli/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/autoprefixer/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/sugarss/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-less/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-sass/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-scss/node_modules/postcss/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.3.tgz (Root Library)
    • postcss-7.0.18.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (postcss-cli): 7.0.0

CVE-2023-44270

Vulnerable Library - postcss-7.0.18.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.18.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library:

  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-safe-parser/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-reporter/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/stylelint/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-cli/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/autoprefixer/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/sugarss/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-less/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-sass/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-scss/node_modules/postcss/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.3.tgz (Root Library)
    • postcss-7.0.18.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Publish Date: 2023-09-29

URL: CVE-2023-44270

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270

Release Date: 2023-09-29

Fix Resolution: postcss - 8.4.31

CVE-2021-23368

Vulnerable Library - postcss-7.0.18.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.18.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library:

  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-safe-parser/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-reporter/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/stylelint/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-cli/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/autoprefixer/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/sugarss/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-less/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-sass/node_modules/postcss/package.json
  • /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-scss/node_modules/postcss/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.3.tgz (Root Library)
    • postcss-7.0.18.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2024-08-01

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (postcss-cli): 7.0.0

underscore-1.8.3.js: 1 vulnerability (highest severity is: 7.2)

Vulnerable Library - underscore-1.8.3.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.8.3/underscore.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/underscore.js

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (underscore version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-23358 | High | 7.2 | underscore-1.8.3.js | Direct | underscore - 1.12.1,1.13.0-2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23358

Vulnerable Library - underscore-1.8.3.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.8.3/underscore.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/underscore.js

Dependency Hierarchy:

  • underscore-1.8.3.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2024-08-01

Fix Resolution: underscore - 1.12.1,1.13.0-2

WordPress5.4: 2 vulnerabilities (highest severity is: 5.4)

Vulnerable Library - WordPress5.4

WordPress, Git-ified. Synced via SVN every 15 minutes, including branches and tags! This repository is just a mirror of the WordPress subversion repository. Please do not send pull requests. Submit patches to https://core.trac.wordpress.org/ instead.

Library home page: https://github.com/WordPress/WordPress.git

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerable Source Files (1)

/ctf-spring2022/www/wp-includes/js/wp-embed.min.js

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (WordPress5.4 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| WS-2023-0152 | Medium | 5.4 | detected in multiple dependencies | Direct | 4.1.38,4.2.35,4.3.31,4.4.30,4.5.29,4.6.26,4.7.26,4.8.22,4.9.23,5.0.19,5.1.16,5.2.18,5.3.15,5.4.13,5.5.12,5.6.11,5.7.9,5.8.7,5.9.6,6.0.4,6.1.2,6.2.1 | |
| CVE-2020-28040 | Medium | 4.3 | detected in multiple dependencies | Direct | 5.5.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2023-0152

Vulnerable Libraries - WordPress5.4, WordPress5.4

Vulnerability Details

WordPress prior to 6.2.1 does not validate the protocol when processing oEmbed discovery, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks.

Publish Date: 2023-05-16

URL: WS-2023-0152

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://wpscan.com/vulnerability/3b574451-2852-4789-bc19-d5cc39948db5

Release Date: 2023-05-16

Fix Resolution: 4.1.38,4.2.35,4.3.31,4.4.30,4.5.29,4.6.26,4.7.26,4.8.22,4.9.23,5.0.19,5.1.16,5.2.18,5.3.15,5.4.13,5.5.12,5.6.11,5.7.9,5.8.7,5.9.6,6.0.4,6.1.2,6.2.1

CVE-2020-28040

Vulnerable Libraries - WordPress5.4, WordPress5.4, WordPress5.4, WordPress5.4

Vulnerability Details

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.

Publish Date: 2020-11-02

URL: CVE-2020-28040

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/

Release Date: 2020-11-02

Fix Resolution: 5.5.2

plupload.full-2.1.1.min.js: 1 vulnerability (highest severity is: 8.8)

Vulnerable Library - plupload.full-2.1.1.min.js

Plupload is a JavaScript API for dealing with file uploads. It supports features like multiple file selection, file type filtering, request chunking and client-side image scaling, and it uses different runtimes to achieve this, such as HTML 5, Silverlight and Flash.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/plupload/2.1.1/plupload.full.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/plupload/plupload.full.min.js

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (plupload.full version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-23562 | High | 8.8 | plupload.full-2.1.1.min.js | Direct | plupload - v2.3.9 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23562

Vulnerable Library - plupload.full-2.1.1.min.js

Plupload is a JavaScript API for dealing with file uploads. It supports features like multiple file selection, file type filtering, request chunking and client-side image scaling, and it uses different runtimes to achieve this, such as HTML 5, Silverlight and Flash.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/plupload/2.1.1/plupload.full.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/plupload/plupload.full.min.js

Dependency Hierarchy:

  • plupload.full-2.1.1.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file.

Publish Date: 2021-12-03

URL: CVE-2021-23562

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23562

Release Date: 2021-12-03

Fix Resolution: plupload - v2.3.9

lodash-4.17.15.js: 3 vulnerabilities (highest severity is: 7.4)

Vulnerable Library - lodash-4.17.15.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/lodash.js

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (lodash version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-8203 | High | 7.4 | lodash-4.17.15.js | Direct | lodash - 4.17.19 | |
| CVE-2021-23337 | High | 7.2 | lodash-4.17.15.js | Direct | lodash - 4.17.21, lodash-es - 4.17.21 | |
| CVE-2020-28500 | Medium | 5.3 | lodash-4.17.15.js | Direct | lodash - 4.17.21 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-8203

Vulnerable Library - lodash-4.17.15.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/lodash.js

Dependency Hierarchy:

  • lodash-4.17.15.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution: lodash - 4.17.19

CVE-2021-23337

Vulnerable Library - lodash-4.17.15.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/lodash.js

Dependency Hierarchy:

  • lodash-4.17.15.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21

CVE-2020-28500

Vulnerable Library - lodash-4.17.15.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/lodash.js

Dependency Hierarchy:

  • lodash-4.17.15.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

postcss-cli-6.1.2.tgz: 16 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - postcss-cli-6.1.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (postcss-cli version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| MSC-2023-16609 | Critical | 9.8 | fsevents-1.2.9.tgz | Transitive | N/A* | |
| CVE-2023-45311 | Critical | 9.8 | fsevents-1.2.9.tgz | Transitive | 6.1.3 | |
| CVE-2020-7788 | Critical | 9.8 | ini-1.3.5.tgz | Transitive | 6.1.3 | |
| CVE-2021-37713 | High | 8.6 | tar-4.4.8.tgz | Transitive | 6.1.3 | |
| CVE-2021-37712 | High | 8.6 | tar-4.4.8.tgz | Transitive | 6.1.3 | |
| CVE-2021-37701 | High | 8.6 | tar-4.4.8.tgz | Transitive | 6.1.3 | |
| CVE-2021-32804 | High | 8.1 | tar-4.4.8.tgz | Transitive | 6.1.3 | |
| CVE-2021-32803 | High | 8.1 | tar-4.4.8.tgz | Transitive | 6.1.3 | |
| CVE-2024-4068 | High | 7.5 | braces-2.3.2.tgz | Transitive | N/A* | |
| CVE-2022-38900 | High | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 6.1.3 | |
| CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | |
| CVE-2022-25883 | High | 7.5 | semver-5.7.0.tgz | Transitive | 7.0.0 | |
| CVE-2020-28469 | High | 7.5 | glob-parent-3.1.0.tgz | Transitive | 7.0.0 | |
| CVE-2024-28863 | Medium | 6.5 | tar-4.4.8.tgz | Transitive | N/A* | |
| CVE-2024-4067 | Medium | 5.3 | micromatch-3.1.10.tgz | Transitive | N/A* | |
| CVE-2017-16137 | Low | 3.7 | debug-4.1.1.tgz | Transitive | 6.1.3 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

MSC-2023-16609

Vulnerable Library - fsevents-1.2.9.tgz

Native Access to Mac OS-X FSEvents

Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.9.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

This package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.

Publish Date: 2023-09-20

URL: MSC-2023-16609

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

CVE-2023-45311

Vulnerable Library - fsevents-1.2.9.tgz

Native Access to Mac OS-X FSEvents

Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.9.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.

Publish Date: 2023-10-06

URL: CVE-2023-45311

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-45311

Release Date: 2023-10-06

Fix Resolution (fsevents): 1.2.11

Direct dependency fix Resolution (postcss-cli): 6.1.3

CVE-2020-7788

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • rc-1.2.8.tgz
            • ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (postcss-cli): 6.1.3

CVE-2021-37713

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.

Publish Date: 2021-08-31

URL: CVE-2021-37713

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5955-9wpr-37jh

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.18

Direct dependency fix Resolution (postcss-cli): 6.1.3

CVE-2021-37712

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Publish Date: 2021-08-31

URL: CVE-2021-37712

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq89-hq3f-393p

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.18

Direct dependency fix Resolution (postcss-cli): 6.1.3

CVE-2021-37701

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

Publish Date: 2021-08-31

URL: CVE-2021-37701

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9r2w-394v-53qc

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.16

Direct dependency fix Resolution (postcss-cli): 6.1.3

CVE-2021-32804

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

Publish Date: 2021-08-03

URL: CVE-2021-32804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3jfq-g458-7qm9

Release Date: 2021-08-03

Fix Resolution (tar): 4.4.14

Direct dependency fix Resolution (postcss-cli): 6.1.3

CVE-2021-32803

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

Publish Date: 2021-08-03

URL: CVE-2021-32803

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-r628-mhmh-qjhw

Release Date: 2021-08-03

Fix Resolution (tar): 4.4.15

Direct dependency fix Resolution (postcss-cli): 6.1.3

CVE-2024-4068

Vulnerable Library - braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/braces/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/braces/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • braces-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/decode-uri-component/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/decode-uri-component/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • source-map-resolve-0.5.2.tgz
            • decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (postcss-cli): 6.1.3

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • npm-packlist-1.4.1.tgz
            • ignore-walk-3.0.1.tgz
              • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2022-25883

Vulnerable Library - semver-5.7.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json,/ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/semver/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • semver-5.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2024-08-08

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (postcss-cli): 7.0.0

CVE-2020-28469

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/glob-parent/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (postcss-cli): 7.0.0

CVE-2024-28863

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • tar-4.4.8.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Publish Date: 2024-03-21

URL: CVE-2024-28863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x3-32g6-xq36

Release Date: 2024-03-21

Fix Resolution: tar - 6.2.1

CVE-2024-4067

Vulnerable Library - micromatch-3.1.10.tgz

Glob matching for javascript/node.js. A drop-in replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/micromatch/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/micromatch/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • globby-9.2.0.tgz
      • fast-glob-2.2.7.tgz
        • micromatch-3.1.10.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting further research, it was concluded that CVE-2024-4067 does not contain a Medium security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4067

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

CVE-2017-16137

Vulnerable Library - debug-4.1.1.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-4.1.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/debug/package.json,/ctf-spring2022/www/wp-content/themes/twentynineteen/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Dependency Hierarchy:

  • postcss-cli-6.1.2.tgz (Root Library)
    • chokidar-2.1.1.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • needle-2.3.0.tgz
            • debug-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution (debug): 4.3.1

Direct dependency fix Resolution (postcss-cli): 6.1.3

plupload.flash.swf: 1 vulnerabilities (highest severity is: 3.7)

Vulnerable Library - plupload.flash.swf

plupload.flash.swf:swf

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/plupload/plupload.flash.swf

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (plupload.flash.swf version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2015-3439 | Low | 3.7 | plupload.flash.swf | Direct | Moxiecode Plupload - 2.1.3;WordPress - 4.1.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2015-3439

Vulnerable Library - plupload.flash.swf

plupload.flash.swf:swf

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/plupload/plupload.flash.swf

Dependency Hierarchy:

  • plupload.flash.swf (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.

Publish Date: 2015-08-05

URL: CVE-2015-3439

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-3439

Release Date: 2015-08-05

Fix Resolution: Moxiecode Plupload - 2.1.3;WordPress - 4.1.2

moment-2.22.2.min.js: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - moment-2.22.2.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.22.2/moment.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/moment.min.js

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (moment version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-31129 | High | 7.5 | moment-2.22.2.min.js | Direct | moment - 2.29.4 | |
| CVE-2022-24785 | High | 7.5 | moment-2.22.2.min.js | Direct | moment - 2.29.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-31129

Vulnerable Library - moment-2.22.2.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.22.2/moment.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/moment.min.js

Dependency Hierarchy:

  • moment-2.22.2.min.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2024-08-01

Fix Resolution: moment - 2.29.4

CVE-2022-24785

Vulnerable Library - moment-2.22.2.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.22.2/moment.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/moment.min.js

Dependency Hierarchy:

  • moment-2.22.2.min.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2024-08-01

Fix Resolution: moment - 2.29.2

bootstrap-4.1.3.min.js: 1 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - bootstrap-4.1.3.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/sodium_compat/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (bootstrap version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-8331 | Medium | 6.1 | bootstrap-4.1.3.min.js | Direct | bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-8331

Vulnerable Library - bootstrap-4.1.3.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/sodium_compat/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-4.1.3.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

chokidar-cli-2.0.0.tgz: 8 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - chokidar-cli-2.0.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/lodash/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/lodash/package.json

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (chokidar-cli version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-7774 | Critical | 9.8 | y18n-4.0.0.tgz | Transitive | 2.1.0 | |
| CVE-2024-4068 | High | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | |
| CVE-2021-3807 | High | 7.5 | ansi-regex-4.1.0.tgz | Transitive | 2.1.0 | |
| CVE-2020-28469 | High | 7.5 | glob-parent-5.1.0.tgz | Transitive | 2.1.0 | |
| CVE-2020-8203 | High | 7.4 | lodash-4.17.15.tgz | Transitive | 2.1.0 | |
| CVE-2021-23337 | High | 7.2 | lodash-4.17.15.tgz | Transitive | 2.1.0 | |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-13.1.1.tgz | Transitive | 2.1.0 | |
| CVE-2020-28500 | Medium | 5.3 | lodash-4.17.15.tgz | Transitive | 2.1.0 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-7774

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/y18n/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/y18n/package.json

Dependency Hierarchy:

  • chokidar-cli-2.0.0.tgz (Root Library)
    • yargs-13.3.0.tgz
      • y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (chokidar-cli): 2.1.0

CVE-2024-4068

Vulnerable Library - braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/chokidar-cli/node_modules/braces/package.json

Dependency Hierarchy:

  • chokidar-cli-2.0.0.tgz (Root Library)
    • chokidar-3.0.2.tgz
      • braces-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

CVE-2021-3807

Vulnerable Library - ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/chokidar-cli/node_modules/ansi-regex/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • chokidar-cli-2.0.0.tgz (Root Library)
    • yargs-13.3.0.tgz
      • cliui-5.0.0.tgz
        • strip-ansi-5.2.0.tgz
          • ansi-regex-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (chokidar-cli): 2.1.0

CVE-2020-28469

Vulnerable Library - glob-parent-5.1.0.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/chokidar-cli/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • chokidar-cli-2.0.0.tgz (Root Library)
    • chokidar-3.0.2.tgz
      • glob-parent-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (chokidar-cli): 2.1.0

CVE-2020-8203

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/lodash/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/lodash/package.json

Dependency Hierarchy:

  • chokidar-cli-2.0.0.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (chokidar-cli): 2.1.0

CVE-2021-23337

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/lodash/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/lodash/package.json

Dependency Hierarchy:

  • chokidar-cli-2.0.0.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (chokidar-cli): 2.1.0

CVE-2020-7608

Vulnerable Library - yargs-parser-13.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/chokidar-cli/node_modules/yargs-parser/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • chokidar-cli-2.0.0.tgz (Root Library)
    • yargs-13.3.0.tgz
      • yargs-parser-13.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (chokidar-cli): 2.1.0

CVE-2020-28500

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/lodash/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/lodash/package.json

Dependency Hierarchy:

  • chokidar-cli-2.0.0.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (chokidar-cli): 2.1.0

lodash-4.17.15.min.js: 3 vulnerabilities (highest severity is: 7.4)

Vulnerable Library - lodash-4.17.15.min.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/lodash.min.js

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (lodash version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-8203 | High | 7.4 | lodash-4.17.15.min.js | Direct | lodash - 4.17.19 | |
| CVE-2021-23337 | High | 7.2 | lodash-4.17.15.min.js | Direct | lodash - 4.17.21, lodash-es - 4.17.21 | |
| CVE-2020-28500 | Medium | 5.3 | lodash-4.17.15.min.js | Direct | lodash - 4.17.21 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-8203

Vulnerable Library - lodash-4.17.15.min.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/lodash.min.js

Dependency Hierarchy:

  • lodash-4.17.15.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution: lodash - 4.17.19

CVE-2021-23337

Vulnerable Library - lodash-4.17.15.min.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/lodash.min.js

Dependency Hierarchy:

  • lodash-4.17.15.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21

CVE-2020-28500

Vulnerable Library - lodash-4.17.15.min.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/lodash.min.js

Dependency Hierarchy:

  • lodash-4.17.15.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

scripts-5.0.0.tgz: 49 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - scripts-5.0.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/elliptic/package.json

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (scripts version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| WS-2021-0153 | Critical | 9.8 | ejs-2.7.1.tgz | Transitive | 13.0.0 | |
| CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.5.0.tgz | Transitive | 18.1.0 | |
| CVE-2022-37601 | Critical | 9.8 | loader-utils-1.2.3.tgz | Transitive | 5.0.1 | |
| CVE-2022-37598 | Critical | 9.8 | uglify-js-3.6.0.tgz | Transitive | 5.0.1 | |
| CVE-2022-29078 | Critical | 9.8 | ejs-2.7.1.tgz | Transitive | 13.0.0 | |
| CVE-2021-44906 | Critical | 9.8 | minimist-1.1.3.tgz | Transitive | 5.0.1 | |
| CVE-2021-26707 | Critical | 9.8 | merge-deep-3.0.2.tgz | Transitive | 5.0.1 | |
| CVE-2021-23383 | Critical | 9.8 | handlebars-4.4.2.tgz | Transitive | 5.0.1 | |
| CVE-2021-23369 | Critical | 9.8 | handlebars-4.4.2.tgz | Transitive | 5.0.1 | |
| CVE-2024-42461 | Critical | 9.1 | elliptic-6.5.1.tgz | Transitive | N/A* | |
| CVE-2024-33883 | High | 8.8 | ejs-2.7.1.tgz | Transitive | N/A* | |
| CVE-2023-45133 | High | 8.8 | traverse-7.6.0.tgz | Transitive | 5.0.1 | |
| CVE-2022-46175 | High | 8.8 | detected in multiple dependencies | Transitive | 5.0.1 | |
| CVE-2020-7660 | High | 8.1 | serialize-javascript-1.9.1.tgz | Transitive | 5.1.0 | |
| CVE-2020-36604 | High | 8.1 | hoek-8.2.4.tgz | Transitive | 5.0.1 | |
| CVE-2019-20920 | High | 8.1 | handlebars-4.4.2.tgz | Transitive | 5.0.1 | |
| CVE-2021-43138 | High | 7.8 | async-2.6.3.tgz | Transitive | 5.0.1 | |
| CVE-2020-13822 | High | 7.7 | elliptic-6.5.1.tgz | Transitive | 5.0.1 | |
| WS-2020-0450 | High | 7.5 | handlebars-4.4.2.tgz | Transitive | 5.0.1 | |
| WS-2020-0042 | High | 7.5 | detected in multiple dependencies | Transitive | 5.0.1 | |
| WS-2019-0310 | High | 7.5 | https-proxy-agent-2.2.2.tgz | Transitive | 5.0.1 | |
| CVE-2024-37890 | High | 7.5 | detected in multiple dependencies | Transitive | 13.0.0 | |
| CVE-2023-46234 | High | 7.5 | browserify-sign-4.0.4.tgz | Transitive | 5.0.1 | |
| CVE-2022-37603 | High | 7.5 | loader-utils-1.2.3.tgz | Transitive | 5.0.1 | |
| CVE-2022-25883 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2022-24999 | High | 7.5 | qs-6.7.0.tgz | Transitive | 5.0.1 | |
| CVE-2021-3803 | High | 7.5 | nth-check-1.0.2.tgz | Transitive | 5.0.1 | |
| CVE-2021-3777 | High | 7.5 | tmpl-1.0.4.tgz | Transitive | 5.0.1 | |
| CVE-2021-3765 | High | 7.5 | validator-10.11.0.tgz | Transitive | 6.0.0 | |
| CVE-2021-33623 | High | 7.5 | trim-newlines-2.0.0.tgz | Transitive | 12.6.0 | |
| CVE-2021-27290 | High | 7.5 | ssri-5.3.0.tgz | Transitive | 5.1.0 | |
| CVE-2020-7753 | High | 7.5 | trim-0.0.1.tgz | Transitive | 17.1.0 | |
| CVE-2020-7662 | High | 7.5 | websocket-extensions-0.1.3.tgz | Transitive | 5.0.1 | |
| CVE-2020-28469 | High | 7.5 | glob-parent-5.0.0.tgz | Transitive | 18.0.0 | |
| CVE-2019-20922 | High | 7.5 | handlebars-4.4.2.tgz | Transitive | 5.0.1 | |
| CVE-2020-8116 | High | 7.3 | dot-prop-4.2.0.tgz | Transitive | 5.0.1 | |
| CVE-2020-28498 | Medium | 6.8 | elliptic-6.5.1.tgz | Transitive | 5.0.1 | |
| CVE-2024-29041 | Medium | 6.1 | express-4.17.1.tgz | Transitive | 13.0.0 | |
| WS-2019-0427 | Medium | 5.9 | elliptic-6.5.1.tgz | Transitive | 5.0.1 | |
| WS-2019-0424 | Medium | 5.9 | elliptic-6.5.1.tgz | Transitive | 5.0.1 | |
| CVE-2020-7789 | Medium | 5.6 | node-notifier-5.4.3.tgz | Transitive | 5.0.1 | |
| CVE-2020-7598 | Medium | 5.6 | minimist-1.1.3.tgz | Transitive | 5.0.1 | |
| CVE-2020-15366 | Medium | 5.6 | ajv-6.10.2.tgz | Transitive | 5.0.1 | |
| CVE-2019-16769 | Medium | 5.4 | serialize-javascript-1.9.1.tgz | Transitive | 5.1.0 | |
| CVE-2024-42460 | Medium | 5.3 | elliptic-6.5.1.tgz | Transitive | N/A* | |
| CVE-2024-42459 | Medium | 5.3 | elliptic-6.5.1.tgz | Transitive | N/A* | |
| CVE-2021-32640 | Medium | 5.3 | detected in multiple dependencies | Transitive | 5.0.1 | |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-10.1.0.tgz | Transitive | 12.0.0 | |
| CVE-2017-16137 | Low | 3.7 | debug-3.2.6.tgz | Transitive | 5.0.1 | |

*For some transitive vulnerabilities, no version of the direct dependency contains a fix. Check the "Details" section below to see whether a version of the transitive dependency fixes the vulnerability.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

WS-2021-0153

Vulnerable Library - ejs-2.7.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/ejs/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • webpack-bundle-analyzer-3.5.0.tgz
      • ejs-2.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

An arbitrary code injection vulnerability was found in ejs before 3.1.6. It is caused by a filename that isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution (ejs): 3.1.6

Direct dependency fix Resolution (@wordpress/scripts): 13.0.0

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • jest-24.9.0.tgz
      • jest-cli-24.9.0.tgz
        • jest-config-24.9.0.tgz
          • jest-environment-jsdom-24.9.0.tgz
            • jsdom-11.12.0.tgz
              • tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (@wordpress/scripts): 18.1.0

CVE-2022-37601

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • thread-loader-2.1.3.tgz
      • loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2022-37598

Vulnerable Library - uglify-js-3.6.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.6.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/handlebars/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • jest-24.9.0.tgz
      • jest-cli-24.9.0.tgz
        • core-24.9.0.tgz
          • reporters-24.9.0.tgz
            • istanbul-reports-2.2.6.tgz
              • handlebars-4.4.2.tgz
                • uglify-js-3.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

Publish Date: 2022-10-20

URL: CVE-2022-37598

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-20

Fix Resolution (uglify-js): 3.13.10

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2022-29078

Vulnerable Library - ejs-2.7.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/ejs/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • webpack-bundle-analyzer-3.5.0.tgz
      • ejs-2.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution (ejs): 3.1.7

Direct dependency fix Resolution (@wordpress/scripts): 13.0.0

CVE-2021-44906

Vulnerable Library - minimist-1.1.3.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.1.3.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/gonzales-pe/node_modules/minimist/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • stylelint-9.10.1.tgz
      • postcss-sass-0.3.5.tgz
        • gonzales-pe-4.2.4.tgz
          • minimist-1.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2021-26707

Vulnerable Library - merge-deep-3.0.2.tgz

Recursively merge values in a javascript object.

Library home page: https://registry.npmjs.org/merge-deep/-/merge-deep-3.0.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/merge-deep/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • jest-puppeteer-4.3.0.tgz
      • jest-environment-puppeteer-4.3.0.tgz
        • merge-deep-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

Publish Date: 2021-06-02

URL: CVE-2021-26707

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1922259

Release Date: 2021-06-02

Fix Resolution (merge-deep): 3.0.3

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2021-23383

Vulnerable Library - handlebars-4.4.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/handlebars/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • jest-24.9.0.tgz
      • jest-cli-24.9.0.tgz
        • core-24.9.0.tgz
          • reporters-24.9.0.tgz
            • istanbul-reports-2.2.6.tgz
              • handlebars-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.7.7

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2021-23369

Vulnerable Library - handlebars-4.4.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/handlebars/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • jest-24.9.0.tgz
      • jest-cli-24.9.0.tgz
        • core-24.9.0.tgz
          • reporters-24.9.0.tgz
            • istanbul-reports-2.2.6.tgz
              • handlebars-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.7.7

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2024-42461

Vulnerable Library - elliptic-6.5.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/elliptic/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • webpack-4.8.3.tgz
      • node-libs-browser-2.2.1.tgz
        • crypto-browserify-3.12.0.tgz
          • create-ecdh-4.0.3.tgz
            • elliptic-6.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

Publish Date: 2024-08-02

URL: CVE-2024-42461

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2024-08-02

Fix Resolution: elliptic - 6.5.7

CVE-2024-33883

Vulnerable Library - ejs-2.7.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/ejs/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • webpack-bundle-analyzer-3.5.0.tgz
      • ejs-2.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

Publish Date: 2024-04-28

URL: CVE-2024-33883

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883

Release Date: 2024-04-28

Fix Resolution: ejs - 3.1.10

CVE-2023-45133

Vulnerable Library - traverse-7.6.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.6.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/@babel/traverse/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • eslint-plugin-3.1.0.tgz
      • babel-eslint-10.0.3.tgz
        • traverse-7.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2022-46175

Vulnerable Libraries - json5-2.1.0.tgz, json5-1.0.1.tgz

json5-2.1.0.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.1.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/json5/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • babel-preset-default-4.6.0.tgz
      • core-7.6.0.tgz
        • json5-2.1.0.tgz (Vulnerable Library)

json5-1.0.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/loader-utils/node_modules/json5/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • thread-loader-2.1.3.tgz
      • loader-utils-1.2.3.tgz
        • json5-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2020-7660

Vulnerable Library - serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • webpack-4.8.3.tgz
      • uglifyjs-webpack-plugin-1.3.0.tgz
        • serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-08

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (@wordpress/scripts): 5.1.0

CVE-2020-36604

Vulnerable Library - hoek-8.2.4.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/@hapi/hoek/-/hoek-8.2.4.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/@hapi/hoek/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • jest-puppeteer-4.3.0.tgz
      • jest-environment-puppeteer-4.3.0.tgz
        • jest-dev-server-4.3.0.tgz
          • wait-on-3.3.0.tgz
            • joi-15.1.1.tgz
              • hoek-8.2.4.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function.

Publish Date: 2022-09-23

URL: CVE-2020-36604

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-23

Fix Resolution (@hapi/hoek): 8.5.1

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2019-20920

Vulnerable Library - handlebars-4.4.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/handlebars/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • jest-24.9.0.tgz
      • jest-cli-24.9.0.tgz
        • core-24.9.0.tgz
          • reporters-24.9.0.tgz
            • istanbul-reports-2.2.6.tgz
              • handlebars-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2020-09-30

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2021-43138

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/async/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • source-map-loader-0.2.4.tgz
      • async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

CVE-2020-13822

Vulnerable Library - elliptic-6.5.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/elliptic/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • webpack-4.8.3.tgz
      • node-libs-browser-2.2.1.tgz
        • crypto-browserify-3.12.0.tgz
          • create-ecdh-4.0.3.tgz
            • elliptic-6.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (elliptic): 6.5.3

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

WS-2020-0450

Vulnerable Library - handlebars-4.4.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/handlebars/package.json

Dependency Hierarchy:

  • scripts-5.0.0.tgz (Root Library)
    • jest-24.9.0.tgz
      • jest-cli-24.9.0.tgz
        • core-24.9.0.tgz
          • reporters-24.9.0.tgz
            • istanbul-reports-2.2.6.tgz
              • handlebars-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Handlebars before 4.6.0 is vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).

Publish Date: 2020-01-09

URL: WS-2020-0450

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-09

Fix Resolution (handlebars): 4.6.0

Direct dependency fix Resolution (@wordpress/scripts): 5.0.1

concurrently-4.1.2.tgz: 4 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - concurrently-4.1.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-cli/node_modules/yargs-parser/package.json,/ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/yargs-parser/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/concurrently/node_modules/yargs-parser/package.json

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (concurrently version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-15599 | Critical | 9.8 | tree-kill-1.2.1.tgz | Transitive | 5.0.0 | |
| CVE-2021-3807 | High | 7.5 | ansi-regex-3.0.0.tgz | Transitive | 5.0.0 | |
| CVE-2021-23362 | Medium | 5.3 | hosted-git-info-2.8.4.tgz | Transitive | 5.0.0 | |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-11.1.1.tgz | Transitive | 5.0.1 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-15599

Vulnerable Library - tree-kill-1.2.1.tgz

kill trees of processes

Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/tree-kill/package.json

Dependency Hierarchy:

  • concurrently-4.1.2.tgz (Root Library)
    • tree-kill-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.
Mend Note: Converted from WS-2020-0005, on 2022-11-08.

Publish Date: 2019-12-18

URL: CVE-2019-15599

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/701183

Release Date: 2019-12-18

Fix Resolution (tree-kill): 1.2.2

Direct dependency fix Resolution (concurrently): 5.0.0

CVE-2021-3807

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/string-length/node_modules/ansi-regex/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/string-width/node_modules/ansi-regex/package.json,/ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/ansi-regex/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/concurrently/node_modules/ansi-regex/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-cli/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • concurrently-4.1.2.tgz (Root Library)
    • yargs-12.0.5.tgz
      • string-width-2.1.1.tgz
        • strip-ansi-4.0.0.tgz
          • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity.

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (concurrently): 5.0.0

CVE-2021-23362

Vulnerable Library - hosted-git-info-2.8.4.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.4.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • concurrently-4.1.2.tgz (Root Library)
    • read-pkg-4.0.1.tgz
      • normalize-package-data-2.5.0.tgz
        • hosted-git-info-2.8.4.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (concurrently): 5.0.0

CVE-2020-7608

Vulnerable Library - yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss-cli/node_modules/yargs-parser/package.json,/ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/yargs-parser/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/concurrently/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • concurrently-4.1.2.tgz (Root Library)
    • yargs-12.0.5.tgz
      • yargs-parser-11.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (concurrently): 5.0.1

flashmediaelement.swf: 1 vulnerability (highest severity is: 4.7)

Vulnerable Library - flashmediaelement.swf

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/mediaelement/flashmediaelement.swf

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (flashmediaelement.swf version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-9263 | Medium | 4.7 | flashmediaelement.swf | Direct | 4.9 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2016-9263

Vulnerable Library - flashmediaelement.swf

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/mediaelement/flashmediaelement.swf

Dependency Hierarchy:

  • flashmediaelement.swf (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.

Publish Date: 2017-10-12

URL: CVE-2016-9263

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9263

Release Date: 2017-10-12

Fix Resolution: 4.9

jquery-3.3.1.min.js: 3 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/sodium_compat/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-11023 | Medium | 6.1 | jquery-3.3.1.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | |
| CVE-2020-11022 | Medium | 6.1 | jquery-3.3.1.min.js | Direct | jQuery - 3.5.0 | |
| CVE-2019-11358 | Medium | 6.1 | jquery-3.3.1.min.js | Direct | jquery - 3.4.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11023

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/sodium_compat/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/sodium_compat/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-11358

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/sodium_compat/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

rtlcss-2.4.0.tgz: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - rtlcss-2.4.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/rtlcss/node_modules/postcss/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss/package.json

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (rtlcss version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-23382 | High | 7.5 | postcss-6.0.23.tgz | Transitive | 3.0.0 | |
| CVE-2023-44270 | Medium | 5.3 | postcss-6.0.23.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23382

Vulnerable Library - postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/rtlcss/node_modules/postcss/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss/package.json

Dependency Hierarchy:

  • rtlcss-2.4.0.tgz (Root Library)
    • postcss-6.0.23.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (rtlcss): 3.0.0

CVE-2023-44270

Vulnerable Library - postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/rtlcss/node_modules/postcss/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/postcss/package.json

Dependency Hierarchy:

  • rtlcss-2.4.0.tgz (Root Library)
    • postcss-6.0.23.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Publish Date: 2023-09-29

URL: CVE-2023-44270

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270

Release Date: 2023-09-29

Fix Resolution: postcss - 8.4.31

autoprefixer-9.6.1.tgz: 1 vulnerability (highest severity is: 5.3)

Vulnerable Library - autoprefixer-9.6.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/browserslist/package.json

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (autoprefixer version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-23364 | Medium | 5.3 | browserslist-4.7.0.tgz | Transitive | 9.6.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23364

Vulnerable Library - browserslist-4.7.0.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.7.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/browserslist/package.json

Dependency Hierarchy:

  • autoprefixer-9.6.1.tgz (Root Library)
    • browserslist-4.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution (browserslist): 4.16.5

Direct dependency fix Resolution (autoprefixer): 9.6.2

tinymce-4.9.6.min.js: 17 vulnerabilities (highest severity is: 7.6)

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (tinymce version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| WS-2020-0008 | High | 7.6 | tinymce-4.9.6.min.js | Direct | 4.9.7,5.1.4 | |
| WS-2021-0001 | High | 7.5 | tinymce-4.9.6.min.js | Direct | tinymce - 5.6.0 | |
| WS-2021-0133 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | tinymce - 5.7.1 | |
| WS-2020-0142 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | tinymce - 5.4.1, 4.9.11 | |
| CVE-2024-38357 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | TinyMCE - 5.11.0,6.8.4,7.2.0 | |
| CVE-2024-38356 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | TinyMCE - 5.11.0,6.8.4,7.2.0 | |
| CVE-2024-21911 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | tinymce - 5.6.0 | |
| CVE-2024-21910 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | TinyMCE - 5.10.0, tinymce/tinymce - 5.10.0, TinyMCE - 5.10.0 | |
| CVE-2024-21908 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | tinymce - 5.9.0 | |
| CVE-2023-48219 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | TinyMCE - 5.10.9,6.7.3 | |
| CVE-2023-45819 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | tinymce - 5.10.8,6.7.1;TinyMCE - 5.10.8,6.7.1 | |
| CVE-2023-45818 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | tinymce - 5.10.8,6.7.1;TinyMCE - 5.10.8,6.7.1 | |
| CVE-2020-17480 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | 4.9.7, 5.1.4 | |
| CVE-2020-12648 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | 4.9.11,5.4.1 | |
| CVE-2019-1010091 | Medium | 6.1 | tinymce-4.9.6.min.js | Direct | tinymce - 4.9.10, 5.2.2 | |
| CVE-2024-29881 | Medium | 4.3 | tinymce-4.9.6.min.js | Direct | TinyMCE - 6.8.1 | |
| CVE-2024-29203 | Medium | 4.3 | tinymce-4.9.6.min.js | Direct | TinyMCE - 6.8.1 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2020-0008

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

A cross-site scripting (XSS) vulnerability was discovered in the core parser, "paste" and "visualchars" plugins.

Publish Date: 2019-12-11

URL: WS-2020-0008

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-12-11

Fix Resolution: 4.9.7,5.1.4

WS-2021-0001

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.
This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.

Publish Date: 2021-01-05

URL: WS-2021-0001

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h96f-fc7c-9r55

Release Date: 2021-01-05

Fix Resolution: tinymce - 5.6.0

WS-2021-0133

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Cross-site scripting vulnerability was found in TinyMCE before 5.7.1. A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser for form elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs, and then submitting the form. However, as TinyMCE does not allow forms to be submitted while editing, the vulnerability could only be triggered when the content was previewed or rendered outside of the editor.

Publish Date: 2021-05-28

URL: WS-2021-0133

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5vm8-hhgr-jcjp

Release Date: 2021-05-28

Fix Resolution: tinymce - 5.7.1

WS-2020-0142

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.4.0 or lower.

Publish Date: 2020-08-11

URL: WS-2020-0142

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-vrv8-v4w8-f95h

Release Date: 2020-08-11

Fix Resolution: tinymce - 5.4.1, 4.9.11

CVE-2024-38357

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements is properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-06-19

URL: CVE-2024-38357

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-38357

Release Date: 2024-06-19

Fix Resolution: TinyMCE - 5.11.0,6.8.4,7.2.0

CVE-2024-38356

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp option, any content within an attribute is properly verified to match the configured regular expression before being added. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-06-19

URL: CVE-2024-38356

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-38357

Release Date: 2024-06-19

Fix Resolution: TinyMCE - 5.11.0,6.8.4,7.2.0

CVE-2024-21911

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.

Publish Date: 2024-01-03

URL: CVE-2024-21911

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7jx-j77m-wp65

Release Date: 2024-01-03

Fix Resolution: tinymce - 5.6.0

CVE-2024-21910

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.

Publish Date: 2024-01-03

URL: CVE-2024-21910

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r8hm-w5f7-wj39

Release Date: 2024-01-03

Fix Resolution: TinyMCE - 5.10.0, tinymce/tinymce - 5.10.0, TinyMCE - 5.10.0

CVE-2024-21908

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.

Publish Date: 2024-01-03

URL: CVE-2024-21908

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5h9g-x5rv-25wg

Release Date: 2024-01-03

Fix Resolution: tinymce - 5.9.0

CVE-2023-48219

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. This vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-11-15

URL: CVE-2023-48219

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-v626-r774-j7f8

Release Date: 2023-11-15

Fix Resolution: TinyMCE - 5.10.9,6.7.3

CVE-2023-45819

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit require carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered. When a notification was opened, the HTML within the text argument was displayed unfiltered in the notification. The vulnerability allowed arbitrary JavaScript execution when a notification was presented in the TinyMCE UI for the current user. This issue could also be exploited by any integration which uses a TinyMCE notification to display unfiltered HTML content. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring that the HTML displayed in the notification is sanitized, preventing the exploit. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-10-19

URL: CVE-2023-45819

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hgqx-r2hp-jr38

Release Date: 2023-10-19

Fix Resolution: tinymce - 5.10.8,6.7.1;TinyMCE - 5.10.8,6.7.1

CVE-2023-45818

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-10-19

URL: CVE-2023-45818

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-v65r-p3vv-jjfv

Release Date: 2023-10-19

Fix Resolution: tinymce - 5.10.8,6.7.1;TinyMCE - 5.10.8,6.7.1

CVE-2020-17480

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.

Publish Date: 2020-08-10

URL: CVE-2020-17480

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-08-10

Fix Resolution: 4.9.7, 5.1.4

CVE-2020-12648

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode.

Publish Date: 2020-08-14

URL: CVE-2020-12648

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12648

Release Date: 2020-08-14

Fix Resolution: 4.9.11,5.4.1

CVE-2019-1010091

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.

Publish Date: 2019-07-17

URL: CVE-2019-1010091

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-c78w-2gw7-gjv3

Release Date: 2019-07-17

Fix Resolution: tinymce - 4.9.10, 5.2.2

CVE-2024-29881

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. An SVG image could be loaded through an object or embed element and that image could potentially contain an XSS payload. This vulnerability is fixed in 6.8.1 and 7.0.0.

Publish Date: 2024-03-26

URL: CVE-2024-29881

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5359-pvf2-pw78

Release Date: 2024-03-26

Fix Resolution: TinyMCE - 6.8.1

CVE-2024-29203

Vulnerable Library - tinymce-4.9.6.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.6/tinymce.min.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/tinymce/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.6.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets. This vulnerability is fixed in 6.8.1.

Publish Date: 2024-03-26

URL: CVE-2024-29203

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-438c-3975-5x3f

Release Date: 2024-03-26

Fix Resolution: TinyMCE - 6.8.1

jquery-1.7.2.min.js: 6 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-7656 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jquery - 1.9.0 | |
| CVE-2020-11023 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | |
| CVE-2020-11022 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jQuery - 3.5.0 | |
| CVE-2019-11358 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jquery - 3.4.0 | |
| CVE-2015-9251 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jQuery - 3.0.0 | |
| CVE-2012-6708 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jQuery - v1.9.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-7656

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

CVE-2020-11023

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-11358

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

CVE-2015-9251

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

CVE-2012-6708

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentyfifteen/genericons/example.html

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

node-sass-4.12.0.tgz: 37 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - node-sass-4.12.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.12.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/node-sass/package.json

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (node-sass version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.4.3.tgz | Transitive | 7.0.2 | |
| CVE-2021-44906 | Critical | 9.8 | detected in multiple dependencies | Transitive | 4.13.0 | |
| CVE-2021-3918 | Critical | 9.8 | json-schema-0.2.3.tgz | Transitive | 4.13.0 | |
| CVE-2020-7774 | Critical | 9.8 | y18n-3.2.1.tgz | Transitive | 4.13.0 | |
| CVE-2021-37713 | High | 8.6 | tar-2.2.2.tgz | Transitive | 5.0.0 | |
| CVE-2021-37712 | High | 8.6 | tar-2.2.2.tgz | Transitive | 5.0.0 | |
| CVE-2021-37701 | High | 8.6 | tar-2.2.2.tgz | Transitive | 5.0.0 | |
| CVE-2021-32804 | High | 8.1 | tar-2.2.2.tgz | Transitive | 5.0.0 | |
| CVE-2021-32803 | High | 8.1 | tar-2.2.2.tgz | Transitive | 5.0.0 | |
| CVE-2022-25883 | High | 7.5 | semver-5.3.0.tgz | Transitive | N/A* | |
| CVE-2022-25758 | High | 7.5 | scss-tokenizer-0.2.3.tgz | Transitive | 7.0.2 | |
| CVE-2022-24999 | High | 7.5 | qs-6.5.2.tgz | Transitive | 4.13.0 | |
| CVE-2021-33623 | High | 7.5 | trim-newlines-1.0.0.tgz | Transitive | 6.0.1 | |
| CVE-2021-23343 | High | 7.5 | path-parse-1.0.6.tgz | Transitive | 4.13.0 | |
| CVE-2018-11499 | High | 7.3 | node-sass-4.12.0.tgz | Direct | 4.14.0 | |
| CVE-2024-28863 | Medium | 6.5 | tar-2.2.2.tgz | Transitive | N/A* | |
| CVE-2019-6286 | Medium | 6.5 | node-sass-4.12.0.tgz | Direct | Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105 | |
| CVE-2019-6284 | Medium | 6.5 | node-sass-4.12.0.tgz | Direct | 5.0.0 | |
| CVE-2019-6283 | Medium | 6.5 | node-sass-4.12.0.tgz | Direct | Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105 | |
| CVE-2019-18797 | Medium | 6.5 | node-sass-4.12.0.tgz | Direct | 4.14.0 | |
| CVE-2018-20822 | Medium | 6.5 | node-sass-4.12.0.tgz | Direct | 4.13.1 | |
| CVE-2018-20821 | Medium | 6.5 | node-sass-4.12.0.tgz | Direct | Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105 | |
| CVE-2018-20190 | Medium | 6.5 | node-sass-4.12.0.tgz | Direct | GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6 | |
| CVE-2018-19838 | Medium | 6.5 | node-sass-4.12.0.tgz | Direct | 4.14.0 | |
| CVE-2018-19837 | Medium | 6.5 | node-sass-4.12.0.tgz | Direct | 4.14.0 | |
| CVE-2023-28155 | Medium | 6.1 | request-2.88.0.tgz | Transitive | N/A* | |
| CVE-2020-7598 | Medium | 5.6 | detected in multiple dependencies | Transitive | 4.13.0 | |
| CVE-2020-15366 | Medium | 5.6 | ajv-6.10.0.tgz | Transitive | 4.13.0 | |
| CVE-2018-19827 | Medium | 5.6 | node-sass-4.12.0.tgz | Direct | GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6 | |
| CVE-2018-11696 | Medium | 5.6 | node-sass-4.12.0.tgz | Direct | 4.14.0 | |
| CVE-2018-11694 | Medium | 5.6 | node-sass-4.12.0.tgz | Direct | Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105 | |
| CVE-2021-23362 | Medium | 5.3 | hosted-git-info-2.7.1.tgz | Transitive | 4.13.0 | |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-5.0.0.tgz | Transitive | 4.13.0 | |
| CVE-2020-24025 | Medium | 5.3 | node-sass-4.12.0.tgz | Direct | 7.0.0 | |
| CVE-2018-11697 | Medium | 4.8 | node-sass-4.12.0.tgz | Direct | 4.14.0 | |
| CVE-2018-19839 | Low | 3.7 | node-sass-4.12.0.tgz | Direct | Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105 | |
| CVE-2018-19797 | Low | 3.7 | node-sass-4.12.0.tgz | Direct | Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-26136

Vulnerable Library - tough-cookie-2.4.3.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.4.3.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/request/node_modules/tough-cookie/package.json,/ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • request-2.88.0.tgz
      • tough-cookie-2.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (node-sass): 7.0.2

CVE-2021-44906

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • meow-3.7.0.tgz
      • minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (node-sass): 4.13.0

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/json-schema/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/json-schema/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • request-2.88.0.tgz
      • http-signature-1.2.0.tgz
        • jsprim-1.4.1.tgz
          • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (node-sass): 4.13.0

CVE-2020-7774

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/sass-graph/node_modules/y18n/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • sass-graph-2.2.4.tgz
      • yargs-7.1.0.tgz
        • y18n-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (node-sass): 4.13.0

CVE-2021-37713

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/tar/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • node-gyp-3.8.0.tgz
      • tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.

Publish Date: 2021-08-31

URL: CVE-2021-37713

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5955-9wpr-37jh

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.18

Direct dependency fix Resolution (node-sass): 5.0.0

CVE-2021-37712

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/tar/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • node-gyp-3.8.0.tgz
      • tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Publish Date: 2021-08-31

URL: CVE-2021-37712

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq89-hq3f-393p

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.18

Direct dependency fix Resolution (node-sass): 5.0.0

CVE-2021-37701

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/tar/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • node-gyp-3.8.0.tgz
      • tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

Publish Date: 2021-08-31

URL: CVE-2021-37701

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9r2w-394v-53qc

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.16

Direct dependency fix Resolution (node-sass): 5.0.0

CVE-2021-32804

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/tar/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • node-gyp-3.8.0.tgz
      • tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

Publish Date: 2021-08-03

URL: CVE-2021-32804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3jfq-g458-7qm9

Release Date: 2021-08-03

Fix Resolution (tar): 3.2.2

Direct dependency fix Resolution (node-sass): 5.0.0

CVE-2021-32803

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/tar/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • node-gyp-3.8.0.tgz
      • tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

Publish Date: 2021-08-03

URL: CVE-2021-32803

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-r628-mhmh-qjhw

Release Date: 2021-08-03

Fix Resolution (tar): 3.2.3

Direct dependency fix Resolution (node-sass): 5.0.0

CVE-2022-25883

Vulnerable Library - semver-5.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.3.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/node-gyp/node_modules/semver/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • node-gyp-3.8.0.tgz
      • semver-5.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2024-08-08

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

CVE-2022-25758

Vulnerable Library - scss-tokenizer-0.2.3.tgz

A tokenizer for Sass' SCSS syntax

Library home page: https://registry.npmjs.org/scss-tokenizer/-/scss-tokenizer-0.2.3.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/scss-tokenizer/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • sass-graph-2.2.4.tgz
      • scss-tokenizer-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

Publish Date: 2022-07-01

URL: CVE-2022-25758

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-7mwh-4pqv-wmr8

Release Date: 2022-07-01

Fix Resolution (scss-tokenizer): 0.4.3

Direct dependency fix Resolution (node-sass): 7.0.2

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/qs/package.json,/ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/qs/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • request-2.88.0.tgz
      • qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (node-sass): 4.13.0

CVE-2021-33623

Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • meow-3.7.0.tgz
      • trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): 3.0.1

Direct dependency fix Resolution (node-sass): 6.0.1

CVE-2021-23343

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentytwenty/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentytwenty/node_modules/path-parse/package.json,/ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/path-parse/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • meow-3.7.0.tgz
      • normalize-package-data-2.5.0.tgz
        • resolve-1.11.1.tgz
          • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (node-sass): 4.13.0

CVE-2018-11499

Vulnerable Library - node-sass-4.12.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.12.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-05-26

Fix Resolution: 4.14.0

CVE-2024-28863

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/tar/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Root Library)
    • node-gyp-3.8.0.tgz
      • tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it, using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Publish Date: 2024-03-21

URL: CVE-2024-28863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x3-32g6-xq36

Release Date: 2024-03-21

Fix Resolution: tar - 6.2.1

CVE-2019-6286

Vulnerable Library - node-sass-4.12.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.12.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-23

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

CVE-2019-6284

Vulnerable Library - node-sass-4.12.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.12.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6284

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-6284

Release Date: 2019-01-14

Fix Resolution: 5.0.0

CVE-2019-6283

Vulnerable Library - node-sass-4.12.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.12.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6283

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-14

Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

CVE-2019-18797

Vulnerable Library - node-sass-4.12.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.12.0.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/node-sass/package.json

Dependency Hierarchy:

  • node-sass-4.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.

Publish Date: 2019-11-06

URL: CVE-2019-18797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-18797

Release Date: 2019-11-06

Fix Resolution: 4.14.0

npm-run-all-4.1.5.tgz: 1 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - npm-run-all-4.1.5.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/shell-quote/package.json

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (npm-run-all version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-42740 | Critical | 9.8 | shell-quote-1.6.1.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-42740

Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Path to dependency file: /ctf-spring2022/www/wp-content/themes/twentynineteen/package.json

Path to vulnerable library: /ctf-spring2022/www/wp-content/themes/twentynineteen/node_modules/shell-quote/package.json

Dependency Hierarchy:

  • npm-run-all-4.1.5.tgz (Root Library)
    • shell-quote-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution: shell-quote - 1.7.3

moment-2.22.2.js: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - moment-2.22.2.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.22.2/moment.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/moment.js

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (moment version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-31129 | High | 7.5 | moment-2.22.2.js | Direct | moment - 2.29.4 | |
| CVE-2022-24785 | High | 7.5 | moment-2.22.2.js | Direct | moment - 2.29.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-31129

Vulnerable Library - moment-2.22.2.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.22.2/moment.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/moment.js

Dependency Hierarchy:

  • moment-2.22.2.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, and the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2024-08-01

Fix Resolution: moment - 2.29.4

CVE-2022-24785

Vulnerable Library - moment-2.22.2.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.22.2/moment.js

Path to vulnerable library: /ctf-spring2022/www/wp-includes/js/dist/vendor/moment.js

Dependency Hierarchy:

  • moment-2.22.2.js (Vulnerable Library)

Found in HEAD commit: 7f949f4f48089e4e1ea7eb0b2482120d3327d7c4

Found in base branch: master

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2024-08-01

Fix Resolution: moment - 2.29.2
