Coder Social home page Coder Social logo

laravel's Introduction

Build Status Total Downloads Latest Stable Version License

About Laravel

Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experience to be truly fulfilling. Laravel takes the pain out of development by easing common tasks used in many web projects, such as:

Laravel is accessible, powerful, and provides tools required for large, robust applications.

Learning Laravel

Laravel has the most extensive and thorough documentation and video tutorial library of all modern web application frameworks, making it a breeze to get started with the framework.

If you don't feel like reading, Laracasts can help. Laracasts contains over 1100 video tutorials on a range of topics including Laravel, modern PHP, unit testing, and JavaScript. Boost you and your team's skills by digging into our comprehensive video library.

Laravel Sponsors

We would like to extend our thanks to the following sponsors for funding Laravel development. If you are interested in becoming a sponsor, please visit the Laravel Patreon page.

Contributing

Thank you for considering contributing to the Laravel framework! The contribution guide can be found in the Laravel documentation.

Security Vulnerabilities

If you discover a security vulnerability within Laravel, please send an e-mail to Taylor Otwell via [email protected]. All security vulnerabilities will be promptly addressed.

License

The Laravel framework is open-source software licensed under the MIT license.

laravel's People

Contributors

taylorotwell avatar daylerees avatar franzliedke avatar grahamcampbell avatar jasonlewis avatar sparksp avatar cviebrock avatar driesvints avatar tobsn avatar crynobone avatar jeffreyway avatar tillkruss avatar josephsilber avatar themsaid avatar laurencei avatar bencorlett avatar barryvdh avatar neoascetic avatar ericlbarnes avatar jesseobrien avatar codler avatar jakobud avatar mikelbring avatar kapv89 avatar kbanman avatar lancepioch avatar pedroborges avatar mathewhany avatar vespakoen avatar huguesjoyal avatar

laravel's Issues

CVE-2020-7693 (Medium) detected in sockjs-0.3.19.tgz

CVE-2020-7693 - Medium Severity Vulnerability

Vulnerable Library - sockjs-0.3.19.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/sockjs/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • webpack-dev-server-3.3.1.tgz
      • sockjs-0.3.19.tgz (Vulnerable Library)

Vulnerability Details

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Publish Date: 2020-07-09

URL: CVE-2020-7693

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: sockjs/sockjs-node#265

Release Date: 2020-07-09

Fix Resolution: sockjs - 0.3.20

Step up your Open Source Security Game with WhiteSource here

CVE-2019-10742 (High) detected in axios-0.18.0.tgz

CVE-2019-10742 - High Severity Vulnerability

Vulnerable Library - axios-0.18.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.0.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/axios/package.json

Dependency Hierarchy:

  • axios-0.18.0.tgz (Vulnerable Library)

Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: axios/axios#1098

Release Date: 2019-05-31

Fix Resolution: 0.19.0

Step up your Open Source Security Game with WhiteSource here

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/lodash/package.json

Dependency Hierarchy:

  • lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11022 (Medium) detected in jquery-3.4.0.tgz

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.4.0.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.4.0.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.4.0.tgz (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7660 (High) detected in serialize-javascript-1.6.1.tgz

CVE-2020-7660 - High Severity Vulnerability

Vulnerable Library - serialize-javascript-1.6.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.6.1.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • terser-webpack-plugin-1.2.3.tgz
      • serialize-javascript-1.6.1.tgz (Vulnerable Library)

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

Step up your Open Source Security Game with WhiteSource here

CVE-2019-16769 (Medium) detected in serialize-javascript-1.6.1.tgz

CVE-2019-16769 - Medium Severity Vulnerability

Vulnerable Library - serialize-javascript-1.6.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.6.1.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • terser-webpack-plugin-1.2.3.tgz
      • serialize-javascript-1.6.1.tgz (Vulnerable Library)

Vulnerability Details

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2019-12-05

Fix Resolution: v2.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7608 (Medium) detected in yargs-parser-11.1.1.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • yargs-12.0.5.tgz
      • yargs-parser-11.1.1.tgz (Vulnerable Library)

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-06-05

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz

CVE-2019-10746 - High Severity Vulnerability

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/mixin-deep/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • chokidar-2.1.5.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • mixin-deep-1.3.1.tgz (Vulnerable Library)

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2,2.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28168 (Medium) detected in axios-0.18.0.tgz

CVE-2020-28168 - Medium Severity Vulnerability

Vulnerable Library - axios-0.18.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.0.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/axios/package.json

Dependency Hierarchy:

  • axios-0.18.0.tgz (Vulnerable Library)

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: axios/axios@c7329fe

Release Date: 2020-11-06

Fix Resolution: axios - 0.21.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-15256 (High) detected in object-path-0.9.2.tgz

CVE-2020-15256 - High Severity Vulnerability

Vulnerable Library - object-path-0.9.2.tgz

Access deep properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/object-path/package.json

Dependency Hierarchy:

  • resolve-url-loader-2.3.2.tgz (Root Library)
    • adjust-sourcemap-loader-1.2.0.tgz
      • object-path-0.9.2.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cwx2-736x-mf6w

Release Date: 2020-07-21

Fix Resolution: 0.11.5

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.11.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/lodash/package.json

Dependency Hierarchy:

  • lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Step up your Open Source Security Game with WhiteSource here

CVE-2019-20149 (High) detected in kind-of-6.0.2.tgz

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/kind-of/package.json

Dependency Hierarchy:

  • sass-loader-7.1.0.tgz (Root Library)
    • clone-deep-2.0.2.tgz
      • kind-of-6.0.2.tgz (Vulnerable Library)

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3

Step up your Open Source Security Game with WhiteSource here

WS-2020-0144 (High) detected in laravel/framework-v5.8.11

WS-2020-0144 - High Severity Vulnerability

Vulnerable Library - laravel/framework-v5.8.11

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/a2cf7a7983329d63edc6fde43142b232bb61aa0a

Dependency Hierarchy:

  • laravel/framework-v5.8.11 (Vulnerable Library)

Vulnerability Details

Application's using the "cookie" session driver were the primary applications affected by this vulnerability. Since we have not yet released a security release for the Laravel 5.5 version of the framework, we recommend that all applications running Laravel 5.5 and earlier do not use the "cookie" session driver in their production deployments.

Publish Date: 2020-07-27

URL: WS-2020-0144

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Action Required: Fix WhiteSource Configuration File - .whitesource

There is an error with this repository's WhiteSource configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.

Errors:

  • Failed to parse configuration file: MalakaiZ3n/laravel/.whitesource: Expected a com.google.gson.JsonObject but was com.google.gson.JsonPrimitive

CVE-2020-11023 (Medium) detected in jquery-3.4.0.tgz

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.4.0.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.4.0.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.4.0.tgz (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2019-10747 (High) detected in set-value-0.4.3.tgz, set-value-2.0.0.tgz

CVE-2019-10747 - High Severity Vulnerability

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • chokidar-2.1.5.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • union-value-1.0.0.tgz
                • set-value-0.4.3.tgz (Vulnerable Library)
set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/set-value/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • chokidar-2.1.5.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • set-value-2.0.0.tgz (Vulnerable Library)

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1

Step up your Open Source Security Game with WhiteSource here

WS-2020-0042 (High) detected in acorn-6.1.1.tgz

WS-2020-0042 - High Severity Vulnerability

Vulnerable Library - acorn-6.1.1.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-6.1.1.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/acorn/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • webpack-4.30.0.tgz
      • acorn-6.1.1.tgz (Vulnerable Library)

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-08

Fix Resolution: 7.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-8116 (High) detected in dot-prop-4.2.0.tgz

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • optimize-css-assets-webpack-plugin-5.0.1.tgz
      • cssnano-4.1.10.tgz
        • cssnano-preset-default-4.0.7.tgz
          • postcss-merge-rules-4.0.3.tgz
            • postcss-selector-parser-3.1.1.tgz
              • dot-prop-4.2.0.tgz (Vulnerable Library)

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.11.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/lodash/package.json

Dependency Hierarchy:

  • lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz, minimist-1.2.0.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • babel-loader-8.0.5.tgz
      • mkdirp-0.5.1.tgz
        • minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/minimist/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • core-7.4.3.tgz
      • json5-2.1.0.tgz
        • minimist-1.2.0.tgz (Vulnerable Library)

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23364 (Medium) detected in browserslist-4.5.4.tgz

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.5.4.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.5.4.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/browserslist/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • preset-env-7.4.3.tgz
      • browserslist-4.5.4.tgz (Vulnerable Library)

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Step up your Open Source Security Game with WhiteSource here

WS-2020-0139 (High) detected in laravel/framework-v5.8.11

WS-2020-0139 - High Severity Vulnerability

Vulnerable Library - laravel/framework-v5.8.11

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/a2cf7a7983329d63edc6fde43142b232bb61aa0a

Dependency Hierarchy:

  • laravel/framework-v5.8.11 (Vulnerable Library)

Vulnerability Details

RCE vulnerability in "cookie" session driver

Publish Date: 2020-07-27

URL: WS-2020-0139

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://packagist.org/packages/illuminate/cookie#v7.22.4

Release Date: 2020-07-27

Fix Resolution: 5.5.x-dev, 5.6.x-dev,5.7.x-dev, 5.8.x-dev,v6.18.31,v7.22.4

Step up your Open Source Security Game with WhiteSource here

Action Required: Fix Mend Configuration File - .whitesource

There is an error with this repository's Mend configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.

Errors:

  • Failed to parse configuration file: blakenick77/laravel/.whitesource: failed to parse JSON content

WS-2020-0091 (High) detected in http-proxy-1.17.0.tgz

WS-2020-0091 - High Severity Vulnerability

Vulnerable Library - http-proxy-1.17.0.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.17.0.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/http-proxy/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • webpack-dev-server-3.3.1.tgz
      • http-proxy-middleware-0.19.1.tgz
        • http-proxy-1.17.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-26

Fix Resolution: http-proxy - 1.18.1

Step up your Open Source Security Game with WhiteSource here

WS-2021-0079 (Medium) detected in laravel/framework-v5.8.11

WS-2021-0079 - Medium Severity Vulnerability

Vulnerable Library - laravel/framework-v5.8.11

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/a2cf7a7983329d63edc6fde43142b232bb61aa0a

Dependency Hierarchy:

  • laravel/framework-v5.8.11 (Vulnerable Library)

Vulnerability Details

Those using SQL Server with Laravel and allowing user input to be passed directly to the limit and offset functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability.
This problem has been patched on Laravel versions 6.20.26 and 8.40.0.

Publish Date: 2021-04-30

URL: WS-2021-0079

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4mg9-vhxq-vm7j

Release Date: 2021-04-30

Fix Resolution: laravel/framework - v6.20.26,v8.40.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-8203 (High) detected in lodash-4.17.11.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/lodash/package.json

Dependency Hierarchy:

  • lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

Step up your Open Source Security Game with WhiteSource here

CVE-2020-15366 (Medium) detected in ajv-6.10.0.tgz

CVE-2020-15366 - Medium Severity Vulnerability

Vulnerable Library - ajv-6.10.0.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/ajv/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • webpack-4.30.0.tgz
      • ajv-6.10.0.tgz (Vulnerable Library)

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7720 (High) detected in node-forge-0.7.5.tgz

CVE-2020-7720 - High Severity Vulnerability

Vulnerable Library - node-forge-0.7.5.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.5.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/node-forge/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • webpack-dev-server-3.3.1.tgz
      • selfsigned-1.10.4.tgz
        • node-forge-0.7.5.tgz (Vulnerable Library)

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md

Release Date: 2020-09-13

Fix Resolution: node-forge - 0.10.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7789 (Medium) detected in node-notifier-5.4.0.tgz

CVE-2020-7789 - Medium Severity Vulnerability

Vulnerable Library - node-notifier-5.4.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.4.0.tgz

Path to dependency file: /laravel/package.json

Path to vulnerable library: laravel/node_modules/node-notifier/package.json

Dependency Hierarchy:

  • laravel-mix-4.0.15.tgz (Root Library)
    • webpack-notifier-1.7.0.tgz
      • node-notifier-5.4.0.tgz (Vulnerable Library)

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution: 9.0.0

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.