osweekends / agenda

🎉 Event agenda 🎊

Home Page: https://agenda.osweekends.com/

License: GNU General Public License v3.0

HTML 1.83% JavaScript 62.82% Vue 35.26% Shell 0.08%
css html javascript vuejs

agenda's People

Contributors

allcontributors[bot], baumannzone, chebetos, codingcarlos, danimm, darerodz, dependabot[bot], jorge-bajana, kooltheba, mtnieto, nelopuchades, pablosirera, pchico83, peoplenarthax, sachalifs, thamaragerigr, ulisesgascon


agenda's Issues

Multi Track support

Allow support for more than one track. At the moment it only shows 1 track.

CVE-2020-8203 (High) detected in lodash-4.17.15.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/lodash/package.json

Dependency Hierarchy:

  • test-utils-1.0.0-beta.29.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 9422a373579f33d6596599252232dd75006ea929

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19


Step up your Open Source Security Game with WhiteSource here

CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz, minimist-1.2.0.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/extract-zip/node_modules/minimist/package.json

Dependency Hierarchy:

  • cli-plugin-e2e-cypress-3.12.1.tgz (Root Library)
    • cypress-3.8.3.tgz
      • extract-zip-1.6.7.tgz
        • mkdirp-0.5.1.tgz
          • minimist-0.0.8.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/cypress/node_modules/minimist/package.json

Dependency Hierarchy:

  • cli-plugin-e2e-cypress-3.12.1.tgz (Root Library)
    • cypress-3.8.3.tgz
      • minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: bb81493e83bc2fee5b8c0f341173f048ff8df6dd

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3


CVE-2012-6708 (Medium) detected in jquery-1.7.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/agenda/node_modules/sockjs/examples/multiplex/index.html

Path to vulnerable library: /agenda/node_modules/sockjs/examples/multiplex/index.html,/agenda/node_modules/vm-browserify/example/run/index.html,/agenda/node_modules/sockjs/examples/echo/index.html,/agenda/node_modules/sockjs/examples/hapi/html/index.html,/agenda/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 47e65511c6989f4018b7f66aecff388f4ac6b002

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0


WS-2020-0070 (High) detected in lodash-4.17.15.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/lodash/package.json

Dependency Hierarchy:

  • test-utils-1.0.0-beta.29.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: bb81493e83bc2fee5b8c0f341173f048ff8df6dd

Vulnerability Details

A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High



New talk - 16 November

Title: Solution+Software Engineering: Tricks for using our craft in viable solutions
Description: Theory tells us that software development is an engineering discipline. Practice reveals that much of our industry is very hard to put down on paper. For example: how do you know that the solution we are implementing is the right one? This talk focuses on the creative work that comes before the solution and on how to build an effective and flexible solution to the problems we want to fix for ourselves, for others, or for the world.
Technical level: Beginner
Author: Andrés Vidal, Software Architect at Bnext
Timing: 45
Social: https://www.linkedin.com/in/andrespvidal/

CVE-2020-7608 (Medium) detected in yargs-parser-9.0.2.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-9.0.2.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • cli-plugin-unit-jest-3.12.1.tgz (Root Library)
    • jest-23.6.0.tgz
      • jest-cli-23.6.0.tgz
        • yargs-11.1.1.tgz
          • yargs-parser-9.0.2.tgz (Vulnerable Library)

Found in HEAD commit: bb81493e83bc2fee5b8c0f341173f048ff8df6dd

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1


WS-2019-0424 (Medium) detected in elliptic-6.5.2.tgz

WS-2019-0424 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/elliptic/package.json

Dependency Hierarchy:

  • cli-plugin-babel-3.12.1.tgz (Root Library)
    • webpack-4.43.0.tgz
      • node-libs-browser-2.2.1.tgz
        • crypto-browserify-3.12.0.tgz
          • browserify-sign-4.2.0.tgz
            • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: bb81493e83bc2fee5b8c0f341173f048ff8df6dd

Vulnerability Details

All versions of elliptic are vulnerable to timing attacks through side channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None



CVE-2019-20149 (Medium) detected in multiple libraries

CVE-2019-20149 - Medium Severity Vulnerability

Vulnerable Libraries - kind-of-3.2.2.tgz, kind-of-4.0.0.tgz, kind-of-6.0.2.tgz, kind-of-5.1.0.tgz

kind-of-3.2.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/test-exclude/node_modules/kind-of/package.json

Dependency Hierarchy:

  • babel-jest-23.6.0.tgz (Root Library)
    • babel-plugin-istanbul-4.1.6.tgz
      • test-exclude-4.2.3.tgz
        • micromatch-2.3.11.tgz
          • kind-of-3.2.2.tgz (Vulnerable Library)

kind-of-4.0.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/has-values/node_modules/kind-of/package.json

Dependency Hierarchy:

  • lint-staged-8.2.1.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • cache-base-1.0.1.tgz
            • has-value-1.0.0.tgz
              • has-values-1.0.0.tgz
                • kind-of-4.0.0.tgz (Vulnerable Library)

kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/kind-of/package.json

Dependency Hierarchy:

  • lint-staged-8.2.1.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • kind-of-6.0.2.tgz (Vulnerable Library)

kind-of-5.1.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/is-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

  • lint-staged-8.2.1.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • define-property-0.2.5.tgz
          • is-descriptor-0.1.6.tgz
            • kind-of-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 58eab17c9d706cc22b2b4ed406cc5732428b394c

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available


WS-2016-0090 (Medium) detected in jquery-1.7.1.min.js

WS-2016-0090 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/agenda/node_modules/sockjs/examples/multiplex/index.html

Path to vulnerable library: /agenda/node_modules/sockjs/examples/multiplex/index.html,/agenda/node_modules/vm-browserify/example/run/index.html,/agenda/node_modules/sockjs/examples/echo/index.html,/agenda/node_modules/sockjs/examples/hapi/html/index.html,/agenda/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 47e65511c6989f4018b7f66aecff388f4ac6b002

Vulnerability Details

jQuery before 2.2.0 is vulnerable to Cross-site Scripting (XSS) attacks via a text/javascript response, leading to arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0


CVE-2020-13822 (High) detected in elliptic-6.5.2.tgz

CVE-2020-13822 - High Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/elliptic/package.json

Dependency Hierarchy:

  • cli-plugin-babel-3.12.1.tgz (Root Library)
    • webpack-4.43.0.tgz
      • node-libs-browser-2.2.1.tgz
        • crypto-browserify-3.12.0.tgz
          • browserify-sign-4.2.0.tgz
            • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: bb81493e83bc2fee5b8c0f341173f048ff8df6dd

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High



CVE-2019-16769 (Medium) detected in serialize-javascript-1.9.1.tgz

CVE-2019-16769 - Medium Severity Vulnerability

Vulnerable Library - serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/copy-webpack-plugin/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • cli-service-3.12.1.tgz (Root Library)
    • copy-webpack-plugin-4.6.0.tgz
      • serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 9408bf2726a748bec6913eb953e97d8569f118e3

Vulnerability Details

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate unsafe characters in serialized regular expressions. This vulnerability does not affect Node.js environments, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized regular expression objects are used in an environment other than Node.js, that environment is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2019-12-05

Fix Resolution: v2.1.1


WS-2019-0019 Medium Severity Vulnerability detected by WhiteSource

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/osw-schedule/node_modules/jest-runtime/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

  • babel-jest-23.6.0.tgz (Root Library)
    • babel-plugin-istanbul-4.1.6.tgz
      • test-exclude-4.2.3.tgz
        • micromatch-2.3.11.tgz
          • braces-1.8.5.tgz (Vulnerable Library)

Found in HEAD commit: 252eaf2918ad0846a3281db12f5be88edacdc0e4

Vulnerability Details

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1


Multi timezone

Add support for multiple timezones, based on the user location

Add sponsors section

Find a way to show a row for the sponsors (if there are any), for example in the second block.
Another option is to put them at the end of the page.

CVE-2020-7660 (High) detected in serialize-javascript-1.9.1.tgz

CVE-2020-7660 - High Severity Vulnerability

Vulnerable Library - serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/copy-webpack-plugin/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • cli-service-3.12.1.tgz (Root Library)
    • copy-webpack-plugin-4.6.0.tgz
      • serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: bb81493e83bc2fee5b8c0f341173f048ff8df6dd

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0


CVE-2015-9251 (Medium) detected in jquery-1.7.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/agenda/node_modules/sockjs/examples/multiplex/index.html

Path to vulnerable library: /agenda/node_modules/sockjs/examples/multiplex/index.html,/agenda/node_modules/vm-browserify/example/run/index.html,/agenda/node_modules/sockjs/examples/echo/index.html,/agenda/node_modules/sockjs/examples/hapi/html/index.html,/agenda/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 47e65511c6989f4018b7f66aecff388f4ac6b002

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0


CVE-2015-9521 (Medium) detected in jquery-1.7.1.min.js

CVE-2015-9521 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/agenda/node_modules/sockjs/examples/hapi/html/index.html

Path to vulnerable library: /agenda/node_modules/sockjs/examples/hapi/html/index.html,/agenda/node_modules/sockjs/examples/echo/index.html,/agenda/node_modules/sockjs/examples/multiplex/index.html,/agenda/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 58eab17c9d706cc22b2b4ed406cc5732428b394c

Vulnerability Details

The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.

Publish Date: 2019-10-23

URL: CVE-2015-9521

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-10-23

Fix Resolution: 2.2.0


Title style

How it should look:
image

How it looks now:
image

API twitch

Create some cool effect if the twitch user osweekends is live and add a link to the stream.

Talk Section

Contains:

  • Title
  • Description
  • Styling for the lists

image

CVE-2020-7720 (High) detected in node-forge-0.9.0.tgz

CVE-2020-7720 - High Severity Vulnerability

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/node-forge/package.json

Dependency Hierarchy:

  • cli-service-3.12.1.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • selfsigned-1.10.7.tgz
        • node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 9422a373579f33d6596599252232dd75006ea929

Vulnerability Details

All versions of package node-forge are vulnerable to Prototype Pollution via the util.setPath function.

Publish Date: 2020-07-21

URL: CVE-2020-7720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High



New design

Upload the design for the new version of the agenda

Dark theme?

What do you think about adding a night mode to the agenda? 👥👀

CVE-2020-7707 (High) detected in property-expr-1.5.1.tgz

CVE-2020-7707 - High Severity Vulnerability

Vulnerable Library - property-expr-1.5.1.tgz

tiny util for getting and setting deep object props safely

Library home page: https://registry.npmjs.org/property-expr/-/property-expr-1.5.1.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/property-expr/package.json

Dependency Hierarchy:

  • lint-staged-8.2.1.tgz (Root Library)
    • yup-0.27.0.tgz
      • property-expr-1.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 9422a373579f33d6596599252232dd75006ea929

Vulnerability Details

The package property-expr before 2.0.3 is vulnerable to Prototype Pollution via the setter function.

Publish Date: 2020-08-18

URL: CVE-2020-7707

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7707

Release Date: 2020-07-21

Fix Resolution: property-expr - 2.0.3


CVE-2018-1109 (High) detected in braces-1.8.5.tgz

CVE-2018-1109 - High Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: agenda/package.json

Path to vulnerable library: agenda/node_modules/jest/node_modules/braces/package.json

Dependency Hierarchy:

  • babel-jest-23.6.0.tgz (Root Library)
    • babel-plugin-istanbul-4.1.6.tgz
      • test-exclude-4.2.3.tgz
        • micromatch-2.3.11.tgz
          • braces-1.8.5.tgz (Vulnerable Library)

Found in HEAD commit: 57b4226d6db4bc20525b3e0704aee61cc8861e18

Vulnerability Details

Braces before 1.4.2 and 2.17.2 is vulnerable to ReDoS. It used a regular expression (^{(,+(?:({,+})),|,(?:({,+})),+)}) in order to detect empty braces. This can cause a matching time of about 10 seconds for data 50K characters long.

Publish Date: 2020-07-21

URL: CVE-2018-1109

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1547272

Release Date: 2020-07-21

Fix Resolution: 2.3.1


CVE-2020-15366 (Medium) detected in ajv-6.12.2.tgz, ajv-5.5.2.tgz

CVE-2020-15366 - Medium Severity Vulnerability

Vulnerable Libraries - ajv-6.12.2.tgz, ajv-5.5.2.tgz

ajv-6.12.2.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.2.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/ajv/package.json

Dependency Hierarchy:

  • eslint-5.16.0.tgz (Root Library)
    • ajv-6.12.2.tgz (Vulnerable Library)

ajv-5.5.2.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-5.5.2.tgz

Path to dependency file: /tmp/ws-scm/agenda/package.json

Path to vulnerable library: /tmp/ws-scm/agenda/node_modules/@vue/cli-plugin-eslint/node_modules/ajv/package.json

Dependency Hierarchy:

  • cli-plugin-eslint-3.12.1.tgz (Root Library)
    • eslint-4.19.1.tgz
      • table-4.0.2.tgz
        • ajv-5.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 9422a373579f33d6596599252232dd75006ea929

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3


Twitch/Location link

Add twitch or location link/icon depending on meeting status (online/onsite):

image
