View Code? Open in Web Editor
NEW
A starter template for web applications using Rollup as a module bundler
Home Page: https://atanas.info/portfolio/open-source/rollup-mpa
License: MIT License
JavaScript 52.20%
PHP 44.97%
SCSS 2.53%
TypeScript 0.29%
rollup-mpa's Issues
CVE-2018-20821 - Medium Severity Vulnerability
Vulnerable Libraries -
Vulnerability Details
The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20821
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20821
Release Date: 2019-04-23
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2018-20834 - High Severity Vulnerability
Vulnerable Library - tar-2.2.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz
Path to dependency file: /tmp/ws-scm/rollup-template/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-template/node_modules/tar/package.json
Dependency Hierarchy:
node-sass-4.12.0.tgz (Root Library)
node-gyp-3.8.0.tgz
❌ tar-2.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Vulnerability Details
A vulnerability was found in node-tar before version 4.4.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.
Publish Date: 2019-04-30
URL: CVE-2018-20834
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/344595
Release Date: 2019-04-30
Fix Resolution: v4.4.2
Step up your Open Source Security Game with WhiteSource here
CVE-2020-7753 - High Severity Vulnerability
Vulnerable Library - trim-0.0.1.tgz
Trim string whitespace
Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz
Path to dependency file: rollup-mpa/package.json
Path to vulnerable library: rollup-mpa/node_modules/trim/package.json
Dependency Hierarchy:
stylelint-13.7.2.tgz (Root Library)
postcss-markdown-0.36.1.tgz
remark-12.0.1.tgz
remark-parse-8.0.3.tgz
❌ trim-0.0.1.tgz (Vulnerable Library)
Found in HEAD commit: a67636263cb28228babaa25b84188a5f838c4d2f
Vulnerability Details
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Publish Date: 2020-10-27
URL: CVE-2020-7753
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Step up your Open Source Security Game with WhiteSource here
CVE-2018-19839 - Medium Severity Vulnerability
Vulnerable Library - CSS::Sassv3.6.0
Library home page: https://metacpan.org/pod/CSS::Sass
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (63)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/libsass/src/color_maps.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_util.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/utf8/unchecked.h
/rollup-template/node_modules/node-sass/src/libsass/src/output.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/b64/cencode.h
/rollup-template/node_modules/node-sass/src/libsass/src/source_map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_values.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/lexer.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/utf8.h
/rollup-template/node_modules/node-sass/src/libsass/test/test_node.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/utf8_string.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/plugins.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/node.hpp
/rollup-template/node_modules/node-sass/src/libsass/include/sass/base.h
/rollup-template/node_modules/node-sass/src/libsass/src/json.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/environment.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/position.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/extend.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/subset_map.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_context.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_fwd_decl.cpp
/rollup-template/node_modules/node-sass/src/libsass/contrib/plugin.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/utf8/core.h
/rollup-template/node_modules/node-sass/src/libsass/include/sass/functions.h
/rollup-template/node_modules/node-sass/src/libsass/test/test_superselector.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_functions.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/utf8_string.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/node.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cencode.c
/rollup-template/node_modules/node-sass/src/libsass/src/subset_map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/base64vlq.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/listize.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/c99func.c
/rollup-template/node_modules/node-sass/src/libsass/src/position.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
/rollup-template/node_modules/node-sass/src/libsass/include/sass/values.h
/rollup-template/node_modules/node-sass/src/libsass/src/sass_functions.hpp
/rollup-template/node_modules/node-sass/src/libsass/test/test_subset_map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass2scss.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/memory/SharedPtr.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/paths.hpp
/rollup-template/node_modules/node-sass/src/libsass/include/sass/context.h
/rollup-template/node_modules/node-sass/src/libsass/src/color_maps.hpp
/rollup-template/node_modules/node-sass/src/libsass/test/test_unification.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_util.cpp
/rollup-template/node_modules/node-sass/src/libsass/script/test-leaks.pl
/rollup-template/node_modules/node-sass/src/libsass/src/source_map.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/lexer.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/memory/SharedPtr.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/json.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/units.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_c.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/units.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/b64/encode.h
/rollup-template/node_modules/node-sass/src/libsass/src/file.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/environment.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/utf8/checked.h
/rollup-template/node_modules/node-sass/src/libsass/src/plugins.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/listize.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/debug.hpp
/rollup-template/node_modules/node-sass/src/libsass/include/sass2scss.h
Vulnerability Details
In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
Publish Date: 2018-12-04
URL: CVE-2018-19839
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19839
Fix Resolution: 3.5.5
Step up your Open Source Security Game with WhiteSource here
CVE-2020-7774 - High Severity Vulnerability
Vulnerable Library - y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: rollup-mpa/package.json
Path to vulnerable library: rollup-mpa/node_modules/create-pwa/node_modules/y18n/package.json
Dependency Hierarchy:
create-pwa-2.3.0.tgz (Root Library)
yargs-15.3.1.tgz
❌ y18n-4.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 1871b45288c82b8f518a243ce89d78fd5976eb2e
Found in base branch: master
Vulnerability Details
This affects the package y18n before 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto '); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (7.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774
Release Date: 2020-11-17
Fix Resolution: 5.0.5
Step up your Open Source Security Game with WhiteSource here
CVE-2015-9521 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-2.1.4.min.js , jquery-1.9.1.js
jquery-2.1.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/rollup-mpa/node_modules/js-base64/test/index.html
Path to vulnerable library: /rollup-mpa/node_modules/js-base64/test/index.html
Dependency Hierarchy:
❌ jquery-2.1.4.min.js (Vulnerable Library)
jquery-1.9.1.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js
Path to dependency file: /tmp/ws-scm/rollup-mpa/node_modules/tinycolor2/test/index.html
Path to vulnerable library: /rollup-mpa/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,/rollup-mpa/node_modules/tinycolor2/demo/jquery-1.9.1.js
Dependency Hierarchy:
❌ jquery-1.9.1.js (Vulnerable Library)
Found in HEAD commit: 6ab3b792b3b5517ab2b176d84003983384423a43
Vulnerability Details
The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
Publish Date: 2019-10-23
URL: CVE-2015-9521
CVSS 2 Score Details (4.3 )
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-10-23
Fix Resolution: 2.2.0
Step up your Open Source Security Game with WhiteSource here
WS-2020-0070 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/lodash/package.json
Dependency Hierarchy:
core-7.9.6.tgz (Root Library)
❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: c13b4dd244607a654a67a6ba362459ab787697ee
Vulnerability Details
a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype
Publish Date: 2020-04-28
URL: WS-2020-0070
CVSS 3 Score Details (8.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Step up your Open Source Security Game with WhiteSource here
CVE-2020-28168 - Medium Severity Vulnerability
Vulnerable Library - axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: rollup-mpa/package.json
Path to vulnerable library: rollup-mpa/node_modules/axios/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.3.1.tgz (Root Library)
browser-sync-2.26.13.tgz
localtunnel-2.0.0.tgz
❌ axios-0.19.0.tgz (Vulnerable Library)
Found in HEAD commit: acdb064de9c3bcd2c9cd1152a14968f6e29bfb3c
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Step up your Open Source Security Game with WhiteSource here
CVE-2018-20190 - Medium Severity Vulnerability
Vulnerable Libraries -
Vulnerability Details
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-17
URL: CVE-2018-20190
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20190
Release Date: 2018-12-17
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Library - jquery-2.1.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/rollup-template/node_modules/js-base64/test/index.html
Path to vulnerable library: /rollup-template/node_modules/js-base64/test/index.html
Dependency Hierarchy:
❌ jquery-2.1.4.min.js (Vulnerable Library)
Found in HEAD commit: aa4abebcbe02c9f170145fdef2b6e0306b885a73
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Step up your Open Source Security Game with WhiteSource here
CVE-2018-11697 - High Severity Vulnerability
Vulnerable Libraries -
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11697
CVSS 3 Score Details (8.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11697
Release Date: 2019-09-01
Fix Resolution: LibSass - 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2018-11693 - High Severity Vulnerability
Vulnerable Library - opennmsopennms-source-23.0.0-1
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (62)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/libsass/src/expand.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/expand.cpp
/rollup-template/node_modules/node-sass/src/sass_types/factory.cpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.hpp
/rollup-template/node_modules/node-sass/src/sass_types/value.h
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.hpp
/rollup-template/node_modules/node-sass/src/callback_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/file.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/operation.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/operators.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.hpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/parser.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.cpp
/rollup-template/node_modules/node-sass/src/custom_function_bridge.cpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/bind.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/eval.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/backtrace.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/extend.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.h
/rollup-template/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/debugger.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.cpp
/rollup-template/node_modules/node-sass/src/sass_types/number.cpp
/rollup-template/node_modules/node-sass/src/sass_types/color.h
/rollup-template/node_modules/node-sass/src/libsass/src/sass_values.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/output.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.cpp
/rollup-template/node_modules/node-sass/src/sass_types/null.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_c.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/inspect.hpp
/rollup-template/node_modules/node-sass/src/sass_types/color.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/values.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.h
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.hpp
/rollup-template/node_modules/node-sass/src/sass_types/map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.cpp
/rollup-template/node_modules/node-sass/src/sass_types/string.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_context.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.hpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.h
/rollup-template/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11693
CVSS 3 Score Details (8.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11693
Release Date: 2018-06-04
Fix Resolution: LibSass - 3.5.5
Step up your Open Source Security Game with WhiteSource here
CVE-2018-11698 - High Severity Vulnerability
Vulnerable Library - opennmsopennms-source-23.0.0-1
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (62)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/libsass/src/expand.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/expand.cpp
/rollup-template/node_modules/node-sass/src/sass_types/factory.cpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.hpp
/rollup-template/node_modules/node-sass/src/sass_types/value.h
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.hpp
/rollup-template/node_modules/node-sass/src/callback_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/file.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/operation.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/operators.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.hpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/parser.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.cpp
/rollup-template/node_modules/node-sass/src/custom_function_bridge.cpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/bind.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/eval.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/backtrace.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/extend.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.h
/rollup-template/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/debugger.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.cpp
/rollup-template/node_modules/node-sass/src/sass_types/number.cpp
/rollup-template/node_modules/node-sass/src/sass_types/color.h
/rollup-template/node_modules/node-sass/src/libsass/src/sass_values.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/output.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.cpp
/rollup-template/node_modules/node-sass/src/sass_types/null.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_c.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/inspect.hpp
/rollup-template/node_modules/node-sass/src/sass_types/color.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/values.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.h
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.hpp
/rollup-template/node_modules/node-sass/src/sass_types/map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.cpp
/rollup-template/node_modules/node-sass/src/sass_types/string.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_context.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.hpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.h
/rollup-template/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
CVSS 3 Score Details (8.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11698
Release Date: 2019-08-06
Fix Resolution: LibSass - 3.6.0
Step up your Open Source Security Game with WhiteSource here
WS-2016-0090 - Medium Severity Vulnerability
Vulnerable Library - jquery-2.1.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/rollup-template/node_modules/js-base64/test/index.html
Path to vulnerable library: /rollup-template/node_modules/js-base64/test/index.html
Dependency Hierarchy:
❌ jquery-2.1.4.min.js (Vulnerable Library)
Found in HEAD commit: aa4abebcbe02c9f170145fdef2b6e0306b885a73
Vulnerability Details
JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
CVSS 2 Score Details (4.3 )
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
Step up your Open Source Security Game with WhiteSource here
CVE-2018-1109 - High Severity Vulnerability
Vulnerable Library - braces-1.8.5.tgz
Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.
Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz
Path to dependency file: rollup-mpa/package.json
Path to vulnerable library: rollup-mpa/node_modules/rollup-watch/node_modules/braces/package.json
Dependency Hierarchy:
rollup-watch-4.3.1.tgz (Root Library)
chokidar-1.7.0.tgz
anymatch-1.3.2.tgz
micromatch-2.3.11.tgz
❌ braces-1.8.5.tgz (Vulnerable Library)
Found in HEAD commit: 647a1cbcd994a4f2ce0c00711287a68ad6286f39
Found in base branch: master
Vulnerability Details
Braces before 1.4.2 and 2.17.2 is vulnerable to ReDoS. It used a regular expression (^{(,+(?:({,+})), |,(?:({,+}) ),+)}) in order to detects empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.
Publish Date: 2020-07-21
URL: CVE-2018-1109
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1547272
Release Date: 2020-07-21
Fix Resolution: 2.3.1
Step up your Open Source Security Game with WhiteSource here
CVE-2019-11358 - Medium Severity Vulnerability
Vulnerable Library - jquery-2.1.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/rollup-template/node_modules/js-base64/test/index.html
Path to vulnerable library: /rollup-template/node_modules/js-base64/test/index.html
Dependency Hierarchy:
❌ jquery-2.1.4.min.js (Vulnerable Library)
Found in HEAD commit: aa4abebcbe02c9f170145fdef2b6e0306b885a73
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Change files
Origin: jquery/jquery@753d591
Release Date: 2019-03-25
Fix Resolution: Replace or update the following files: core.js, core.js
Step up your Open Source Security Game with WhiteSource here
WS-2020-0091 - High Severity Vulnerability
Vulnerable Library - http-proxy-1.15.2.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.15.2.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/http-proxy/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.1.0.tgz (Root Library)
browser-sync-2.26.7.tgz
❌ http-proxy-1.15.2.tgz (Vulnerable Library)
Found in HEAD commit: 19796958a49a120d8687ba9f38658c933824a0e1
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-26
Fix Resolution: http-proxy - 1.18.1
Step up your Open Source Security Game with WhiteSource here
WS-2020-0068 - Medium Severity Vulnerability
Vulnerable Libraries - yargs-parser-10.1.0.tgz , yargs-parser-4.2.1.tgz , yargs-parser-5.0.0.tgz
yargs-parser-10.1.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/asset-resolver/node_modules/yargs-parser/package.json
Dependency Hierarchy:
critical-1.3.9.tgz (Root Library)
meow-5.0.0.tgz
❌ yargs-parser-10.1.0.tgz (Vulnerable Library)
yargs-parser-4.2.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-4.2.1.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/localtunnel/node_modules/yargs-parser/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.1.0.tgz (Root Library)
browser-sync-2.26.7.tgz
yargs-6.4.0.tgz
❌ yargs-parser-4.2.1.tgz (Vulnerable Library)
yargs-parser-5.0.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-5.0.0.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/sass-graph/node_modules/yargs-parser/package.json
Dependency Hierarchy:
node-sass-4.14.0.tgz (Root Library)
sass-graph-2.2.6.tgz
yargs-7.1.0.tgz
❌ yargs-parser-5.0.0.tgz (Vulnerable Library)
Found in HEAD commit: b83c58ee189a965195691b0cc360338bc8144564
Vulnerability Details
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.proto .bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Publish Date: 2020-05-01
URL: WS-2020-0068
CVSS 3 Score Details (5.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: N/A
Attack Complexity: N/A
Privileges Required: N/A
User Interaction: N/A
Scope: N/A
Impact Metrics:
Confidentiality Impact: N/A
Integrity Impact: N/A
Availability Impact: N/A
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/package/yargs-parser
Release Date: 2020-05-04
Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1
Step up your Open Source Security Game with WhiteSource here
CVE-2018-11499 - High Severity Vulnerability
Vulnerable Libraries -
Vulnerability Details
A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
Publish Date: 2018-05-26
URL: CVE-2018-11499
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
Release Date: 2018-05-26
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-3.4.0.min.js , jquery-2.1.4.min.js , jquery-1.9.1.js
jquery-3.4.0.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.0/jquery.min.js
Path to dependency file: /tmp/ws-scm/rollup-mpa/node_modules/js-base64/test/index.html
Path to vulnerable library: /rollup-mpa/node_modules/js-base64/test/index.html
Dependency Hierarchy:
❌ jquery-3.4.0.min.js (Vulnerable Library)
jquery-2.1.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/rollup-mpa/node_modules/js-base64/.attic/test-moment/index.html
Path to vulnerable library: /rollup-mpa/node_modules/js-base64/.attic/test-moment/index.html
Dependency Hierarchy:
❌ jquery-2.1.4.min.js (Vulnerable Library)
jquery-1.9.1.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js
Path to dependency file: /tmp/ws-scm/rollup-mpa/node_modules/tinycolor2/test/index.html
Path to vulnerable library: /rollup-mpa/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,/rollup-mpa/node_modules/tinycolor2/demo/jquery-1.9.1.js
Dependency Hierarchy:
❌ jquery-1.9.1.js (Vulnerable Library)
Found in HEAD commit: 9ea0d2f6acfa8eb52eba4758ecb60d54d02ebc1a
Vulnerability Details
In jQuery before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (5.0 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: N/A
Attack Complexity: N/A
Privileges Required: N/A
User Interaction: N/A
Scope: N/A
Impact Metrics:
Confidentiality Impact: N/A
Integrity Impact: N/A
Availability Impact: N/A
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
CVE-2019-18797 - Medium Severity Vulnerability
Vulnerable Library - node-sassv4.11.0
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
Found in HEAD commit: dc29af367d12cb85fac9d13c58bc723a34db804e
Library Source Files (66)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-mpa/node_modules/node-sass/src/libsass/src/expand.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/expand.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/operators.cpp
/rollup-mpa/node_modules/node-sass/src/sass_types/factory.cpp
/rollup-mpa/node_modules/node-sass/src/sass_types/boolean.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/util.hpp
/rollup-mpa/node_modules/node-sass/src/sass_types/value.h
/rollup-mpa/node_modules/node-sass/src/libsass/src/emitter.hpp
/rollup-mpa/node_modules/node-sass/src/callback_bridge.h
/rollup-mpa/node_modules/node-sass/src/libsass/src/file.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/sass.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/operation.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/operators.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/constants.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/error_handling.hpp
/rollup-mpa/node_modules/node-sass/src/custom_importer_bridge.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/parser.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/constants.cpp
/rollup-mpa/node_modules/node-sass/src/sass_types/list.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/cssize.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/functions.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/util.cpp
/rollup-mpa/node_modules/node-sass/src/custom_function_bridge.cpp
/rollup-mpa/node_modules/node-sass/src/custom_importer_bridge.h
/rollup-mpa/node_modules/node-sass/src/libsass/src/bind.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/eval.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/inspect.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/backtrace.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/extend.cpp
/rollup-mpa/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
/rollup-mpa/node_modules/node-sass/src/libsass/src/error_handling.cpp
/rollup-mpa/node_modules/node-sass/src/sass_context_wrapper.h
/rollup-mpa/node_modules/node-sass/src/libsass/src/parser.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/debugger.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/emitter.cpp
/rollup-mpa/node_modules/node-sass/src/sass_types/number.cpp
/rollup-mpa/node_modules/node-sass/src/sass_types/color.h
/rollup-mpa/node_modules/node-sass/src/libsass/src/ast.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/sass_values.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/output.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/check_nesting.cpp
/rollup-mpa/node_modules/node-sass/src/sass_types/null.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/cssize.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/functions.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/prelexer.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/ast.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/to_c.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/to_value.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
/rollup-mpa/node_modules/node-sass/src/sass_types/color.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/inspect.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/values.cpp
/rollup-mpa/node_modules/node-sass/src/sass_context_wrapper.cpp
/rollup-mpa/node_modules/node-sass/src/sass_types/list.h
/rollup-mpa/node_modules/node-sass/src/libsass/src/check_nesting.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/to_value.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/context.cpp
/rollup-mpa/node_modules/node-sass/src/sass_types/map.cpp
/rollup-mpa/node_modules/node-sass/src/binding.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/sass_context.cpp
/rollup-mpa/node_modules/node-sass/src/sass_types/string.cpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/context.hpp
/rollup-mpa/node_modules/node-sass/src/libsass/src/prelexer.hpp
/rollup-mpa/node_modules/node-sass/src/sass_types/boolean.h
/rollup-mpa/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.
Publish Date: 2019-11-06
URL: CVE-2019-18797
CVSS 2 Score Details (4.3 )
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18797
Release Date: 2019-11-06
Fix Resolution: 3.6.3
Step up your Open Source Security Game with WhiteSource here
CVE-2020-36049 - Medium Severity Vulnerability
Vulnerable Libraries - socket.io-parser-3.2.0.tgz , socket.io-parser-3.3.1.tgz
socket.io-parser-3.2.0.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.2.0.tgz
Path to dependency file: rollup-mpa/package.json
Path to vulnerable library: rollup-mpa/node_modules/socket.io/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.3.1.tgz (Root Library)
browser-sync-2.26.13.tgz
socket.io-2.1.1.tgz
❌ socket.io-parser-3.2.0.tgz (Vulnerable Library)
socket.io-parser-3.3.1.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.1.tgz
Path to dependency file: rollup-mpa/package.json
Path to vulnerable library: rollup-mpa/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.3.1.tgz (Root Library)
browser-sync-2.26.13.tgz
browser-sync-ui-2.26.13.tgz
socket.io-client-2.4.0.tgz
❌ socket.io-parser-3.3.1.tgz (Vulnerable Library)
Found in HEAD commit: 898e8418a8a450b000b11efa00ec87aa949dbdc0
Vulnerability Details
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Publish Date: 2021-01-08
URL: CVE-2020-36049
CVSS 3 Score Details (5.4 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36049
Release Date: 2021-01-08
Fix Resolution: socket.io-parser - 3.4.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - qs-6.2.3.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz
Path to dependency file: /tmp/ws-scm/rollup-template/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-template/node_modules/browser-sync/node_modules/qs/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.0.0.tgz (Root Library)
browser-sync-2.26.7.tgz
❌ qs-6.2.3.tgz (Vulnerable Library)
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Vulnerability Details
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Change files
Origin: ljharb/qs@c709f6e
Release Date: 2017-03-06
Fix Resolution: Replace or update the following files: parse.js, parse.js, utils.js
Step up your Open Source Security Game with WhiteSource here
WS-2019-0019 - Medium Severity Vulnerability
Vulnerable Library - braces-1.8.5.tgz
Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.
Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz
Path to dependency file: /tmp/ws-scm/rollup-template/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-template/node_modules/rollup-watch/node_modules/braces/package.json
Dependency Hierarchy:
rollup-watch-4.3.1.tgz (Root Library)
chokidar-1.7.0.tgz
anymatch-1.3.2.tgz
micromatch-2.3.11.tgz
❌ braces-1.8.5.tgz (Vulnerable Library)
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Vulnerability Details
Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Publish Date: 2019-03-25
URL: WS-2019-0019
CVSS 2 Score Details (5.0 )
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/786
Release Date: 2019-02-21
Fix Resolution: 2.3.1
Step up your Open Source Security Game with WhiteSource here
CVE-2020-8175 - Medium Severity Vulnerability
Vulnerable Libraries - jpeg-js-0.0.4.tgz , jpeg-js-0.3.7.tgz
jpeg-js-0.0.4.tgz
A pure javascript JPEG encoder and decoder
Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.0.4.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/save-pixels/node_modules/jpeg-js/package.json
Dependency Hierarchy:
rollup-plugin-sprite-0.1.2.tgz (Root Library)
spritesmith-3.4.0.tgz
pixelsmith-2.4.1.tgz
save-pixels-2.3.4.tgz
❌ jpeg-js-0.0.4.tgz (Vulnerable Library)
jpeg-js-0.3.7.tgz
A pure javascript JPEG encoder and decoder
Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.7.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/jpeg-js/package.json
Dependency Hierarchy:
rollup-plugin-sprite-0.1.2.tgz (Root Library)
spritesmith-3.4.0.tgz
pixelsmith-2.4.1.tgz
get-pixels-3.3.2.tgz
❌ jpeg-js-0.3.7.tgz (Vulnerable Library)
Found in HEAD commit: 1a7521989b3ada35de3a187c8efbbe5d6e48a0d5
Vulnerability Details
Uncontrolled resource consumption in jpeg-js
before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.
Publish Date: 2020-07-24
URL: CVE-2020-8175
CVSS 3 Score Details (5.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175
Release Date: 2020-07-21
Fix Resolution: 0.4.0
Step up your Open Source Security Game with WhiteSource here
CVE-2018-19797 - Medium Severity Vulnerability
Vulnerable Libraries -
Vulnerability Details
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-03
URL: CVE-2018-19797
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19797
Release Date: 2019-09-01
Fix Resolution: LibSass - 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2020-36048 - Medium Severity Vulnerability
Vulnerable Library - engine.io-3.2.1.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz
Path to dependency file: rollup-mpa/package.json
Path to vulnerable library: rollup-mpa/node_modules/engine.io/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.3.1.tgz (Root Library)
browser-sync-2.26.13.tgz
socket.io-2.1.1.tgz
❌ engine.io-3.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 898e8418a8a450b000b11efa00ec87aa949dbdc0
Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
CVSS 3 Score Details (5.4 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution: engine.io - 4.0.0
Step up your Open Source Security Game with WhiteSource here
CVE-2020-8116 - Medium Severity Vulnerability
Vulnerable Library - dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/dot-prop/package.json
Dependency Hierarchy:
stylelint-13.1.0.tgz (Root Library)
postcss-selector-parser-3.1.1.tgz
❌ dot-prop-4.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 2efbc5a4651c4d08607008d5fd1c727ed416b470
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 2 Score Details (5.0 )
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution: dot-prop - 5.1.1
Step up your Open Source Security Game with WhiteSource here
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-2.1.4.min.js , jquery-1.9.1.js
jquery-2.1.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/rollup-mpa/node_modules/js-base64/.attic/test-moment/index.html
Path to vulnerable library: /rollup-mpa/node_modules/js-base64/.attic/test-moment/index.html
Dependency Hierarchy:
❌ jquery-2.1.4.min.js (Vulnerable Library)
jquery-1.9.1.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js
Path to dependency file: /tmp/ws-scm/rollup-mpa/node_modules/tinycolor2/index.html
Path to vulnerable library: /rollup-mpa/node_modules/tinycolor2/demo/jquery-1.9.1.js,/rollup-mpa/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js
Dependency Hierarchy:
❌ jquery-1.9.1.js (Vulnerable Library)
Found in HEAD commit: 1a7521989b3ada35de3a187c8efbbe5d6e48a0d5
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
CVE-2019-20149 - Medium Severity Vulnerability
Vulnerable Libraries - kind-of-3.2.2.tgz , kind-of-4.0.0.tgz , kind-of-6.0.2.tgz , kind-of-5.1.0.tgz
kind-of-3.2.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/expand-range/node_modules/kind-of/package.json
Dependency Hierarchy:
rollup-watch-4.3.1.tgz (Root Library)
chokidar-1.7.0.tgz
anymatch-1.3.2.tgz
micromatch-2.3.11.tgz
braces-1.8.5.tgz
expand-range-1.8.2.tgz
fill-range-2.2.4.tgz
is-number-2.1.0.tgz
❌ kind-of-3.2.2.tgz (Vulnerable Library)
kind-of-4.0.0.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/has-values/node_modules/kind-of/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.1.0.tgz (Root Library)
browser-sync-2.26.7.tgz
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
has-value-1.0.0.tgz
has-values-1.0.0.tgz
❌ kind-of-4.0.0.tgz (Vulnerable Library)
kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/kind-of/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.1.0.tgz (Root Library)
browser-sync-2.26.7.tgz
micromatch-3.1.10.tgz
❌ kind-of-6.0.2.tgz (Vulnerable Library)
kind-of-5.1.0.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/is-descriptor/node_modules/kind-of/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.1.0.tgz (Root Library)
browser-sync-2.26.7.tgz
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
define-property-0.2.5.tgz
is-descriptor-0.1.6.tgz
❌ kind-of-5.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 2feed2f167cd6d8cd04e67b2cf150ba25b06d254
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
CVSS 2 Score Details (5.0 )
Base Score Metrics not available
Step up your Open Source Security Game with WhiteSource here
CVE-2020-7733 - High Severity Vulnerability
Vulnerable Library - ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: rollup-mpa/node_modules/ua-parser-js/package.json
Path to vulnerable library: rollup-mpa/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.3.1.tgz (Root Library)
browser-sync-2.26.12.tgz
❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
Found in HEAD commit: 47d5e5050d0d9edbccbe99974ae2113b9ce289af
Vulnerability Details
The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
Publish Date: 2020-09-16
URL: CVE-2020-7733
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733
Release Date: 2020-07-21
Fix Resolution: 0.7.22
Step up your Open Source Security Game with WhiteSource here
CVE-2020-28275 - High Severity Vulnerability
Vulnerable Library - cache-base-1.0.1.tgz
Basic object cache with `get`, `set`, `del`, and `has` methods for node.js/javascript projects.
Library home page: https://registry.npmjs.org/cache-base/-/cache-base-1.0.1.tgz
Path to dependency file: rollup-mpa/package.json
Path to vulnerable library: rollup-mpa/node_modules/cache-base/package.json
Dependency Hierarchy:
rollup-plugin-sass-1.2.2.tgz (Root Library)
sass-1.7.2.tgz
chokidar-2.1.8.tgz
braces-2.3.2.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
❌ cache-base-1.0.1.tgz (Vulnerable Library)
Found in HEAD commit: d5581a6824f15c5c10bab3c959444ee366e2b10a
Vulnerability Details
Prototype pollution vulnerability in 'cache-base' versions 0.7.0 through 4.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
Publish Date: 2020-11-07
URL: CVE-2020-28275
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Step up your Open Source Security Game with WhiteSource here
CVE-2020-7598 - High Severity Vulnerability
Vulnerable Libraries - minimist-0.0.8.tgz , minimist-1.1.3.tgz , minimist-0.0.10.tgz , minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/@jimp/core/node_modules/minimist/package.json
Dependency Hierarchy:
rollup-watch-4.3.1.tgz (Root Library)
chokidar-1.7.0.tgz
fsevents-1.2.11.tgz
node-pre-gyp-0.14.0.tgz
mkdirp-0.5.1.tgz
❌ minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.1.3.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.1.3.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/gonzales-pe/node_modules/minimist/package.json
Dependency Hierarchy:
stylelint-13.2.1.tgz (Root Library)
postcss-sass-0.4.2.tgz
gonzales-pe-4.2.4.tgz
❌ minimist-1.1.3.tgz (Vulnerable Library)
minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
rollup-plugin-sprite-0.1.2.tgz (Root Library)
spritesheet-templates-10.5.0.tgz
handlebars-4.7.3.tgz
optimist-0.6.1.tgz
❌ minimist-0.0.10.tgz (Vulnerable Library)
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
rollup-watch-4.3.1.tgz (Root Library)
chokidar-1.7.0.tgz
fsevents-1.2.11.tgz
node-pre-gyp-0.14.0.tgz
rc-1.2.8.tgz
❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 96d651fd11f7559661f94c1457e9ca386b77c0f0
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto " payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.2
Step up your Open Source Security Game with WhiteSource here
CVE-2018-20822 - Medium Severity Vulnerability
Vulnerable Library - opennmsopennms-source-23.0.0-1
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (62)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/libsass/src/expand.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/expand.cpp
/rollup-template/node_modules/node-sass/src/sass_types/factory.cpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.hpp
/rollup-template/node_modules/node-sass/src/sass_types/value.h
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.hpp
/rollup-template/node_modules/node-sass/src/callback_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/file.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/operation.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/operators.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.hpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/parser.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.cpp
/rollup-template/node_modules/node-sass/src/custom_function_bridge.cpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/bind.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/eval.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/backtrace.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/extend.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.h
/rollup-template/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/debugger.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.cpp
/rollup-template/node_modules/node-sass/src/sass_types/number.cpp
/rollup-template/node_modules/node-sass/src/sass_types/color.h
/rollup-template/node_modules/node-sass/src/libsass/src/sass_values.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/output.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.cpp
/rollup-template/node_modules/node-sass/src/sass_types/null.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_c.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/inspect.hpp
/rollup-template/node_modules/node-sass/src/sass_types/color.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/values.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.h
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.hpp
/rollup-template/node_modules/node-sass/src/sass_types/map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.cpp
/rollup-template/node_modules/node-sass/src/sass_types/string.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_context.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.hpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.h
/rollup-template/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20822
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20822
Release Date: 2019-08-06
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2013-0340 - Medium Severity Vulnerability
Vulnerable Library - src73.0.3635.0
Library home page: https://chromium.googlesource.com/chromium/src
Found in HEAD commit: 4700f63f2bcadc0407501c3ab9dade76db010dd7
Library Source Files (51)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/expat_external.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xpathInternals.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/catalog.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/SAX.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/encoding.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xmlwriter.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/pattern.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/schematron.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/c14n.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xinclude.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/dict.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xmlmemory.h
/rollup-mpa/node_modules/sharp/vendor/include/webp/encode.h
/rollup-mpa/node_modules/sharp/vendor/include/webp/mux.h
/rollup-mpa/node_modules/sharp/vendor/include/expat.h
/rollup-mpa/node_modules/sharp/vendor/include/webp/demux.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/parserInternals.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlschemas.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xmlregexp.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/parser.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/webp/mux_types.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/schemasInternals.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/relaxng.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/webp/types.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlmodule.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/nanohttp.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xmlsave.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xmlunicode.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlschemastypes.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/DOCBparser.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/hash.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlstring.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/SAX2.h
/rollup-mpa/node_modules/sharp/vendor/include/libpng16/pngconf.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/uri.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xmlIO.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/valid.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/debugXML.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xpointer.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/chvalid.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/threads.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/HTMLparser.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xmlreader.h
/rollup-mpa/node_modules/sharp/vendor/include/libpng16/png.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/HTMLtree.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xmlautomata.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/nanoftp.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/xlink.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xmlerror.h
/rollup-mpa/node_modules/sharp/vendor/include/libxml2/libxml/xpath.h
/rollup-mpa/node_modules/create-pwa/node_modules/sharp/vendor/include/libxml2/libxml/list.h
Vulnerability Details
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
Publish Date: 2014-01-21
URL: CVE-2013-0340
CVSS 2 Score Details (6.8 )
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://security.gentoo.org/glsa/201701-21
Release Date: 2017-01-11
Fix Resolution: All Expat users should upgrade to the latest version >= expat-2.2.0-r1
Step up your Open Source Security Game with WhiteSource here
CVE-2019-6284 - Medium Severity Vulnerability
Vulnerable Library - opennmsopennms-source-23.0.0-1
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (62)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/libsass/src/expand.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/expand.cpp
/rollup-template/node_modules/node-sass/src/sass_types/factory.cpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.hpp
/rollup-template/node_modules/node-sass/src/sass_types/value.h
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.hpp
/rollup-template/node_modules/node-sass/src/callback_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/file.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/operation.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/operators.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.hpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/parser.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.cpp
/rollup-template/node_modules/node-sass/src/custom_function_bridge.cpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/bind.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/eval.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/backtrace.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/extend.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.h
/rollup-template/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/debugger.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.cpp
/rollup-template/node_modules/node-sass/src/sass_types/number.cpp
/rollup-template/node_modules/node-sass/src/sass_types/color.h
/rollup-template/node_modules/node-sass/src/libsass/src/sass_values.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/output.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.cpp
/rollup-template/node_modules/node-sass/src/sass_types/null.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_c.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/inspect.hpp
/rollup-template/node_modules/node-sass/src/sass_types/color.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/values.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.h
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.hpp
/rollup-template/node_modules/node-sass/src/sass_types/map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.cpp
/rollup-template/node_modules/node-sass/src/sass_types/string.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_context.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.hpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.h
/rollup-template/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6284
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284
Release Date: 2019-08-06
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2018-19838 - Medium Severity Vulnerability
Vulnerable Library - opennmsopennms-source-23.0.0-1
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (62)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/libsass/src/expand.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/expand.cpp
/rollup-template/node_modules/node-sass/src/sass_types/factory.cpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.hpp
/rollup-template/node_modules/node-sass/src/sass_types/value.h
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.hpp
/rollup-template/node_modules/node-sass/src/callback_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/file.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/operation.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/operators.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.hpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/parser.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.cpp
/rollup-template/node_modules/node-sass/src/custom_function_bridge.cpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/bind.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/eval.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/backtrace.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/extend.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.h
/rollup-template/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/debugger.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.cpp
/rollup-template/node_modules/node-sass/src/sass_types/number.cpp
/rollup-template/node_modules/node-sass/src/sass_types/color.h
/rollup-template/node_modules/node-sass/src/libsass/src/sass_values.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/output.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.cpp
/rollup-template/node_modules/node-sass/src/sass_types/null.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_c.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/inspect.hpp
/rollup-template/node_modules/node-sass/src/sass_types/color.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/values.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.h
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.hpp
/rollup-template/node_modules/node-sass/src/sass_types/map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.cpp
/rollup-template/node_modules/node-sass/src/sass_types/string.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_context.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.hpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.h
/rollup-template/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().
Publish Date: 2018-12-04
URL: CVE-2018-19838
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://github.com/sass/libsass/blob/3.6.0/src/ast.cpp
Release Date: 2019-07-01
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Libraries - yargs-parser-16.1.0.tgz , yargs-parser-10.1.0.tgz , yargs-parser-4.2.1.tgz , yargs-parser-5.0.0.tgz
yargs-parser-16.1.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-16.1.0.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/stylelint/node_modules/yargs-parser/package.json
Dependency Hierarchy:
stylelint-13.2.1.tgz (Root Library)
meow-6.0.1.tgz
❌ yargs-parser-16.1.0.tgz (Vulnerable Library)
yargs-parser-10.1.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/asset-resolver/node_modules/yargs-parser/package.json
Dependency Hierarchy:
critical-1.3.9.tgz (Root Library)
meow-5.0.0.tgz
❌ yargs-parser-10.1.0.tgz (Vulnerable Library)
yargs-parser-4.2.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-4.2.1.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/localtunnel/node_modules/yargs-parser/package.json
Dependency Hierarchy:
rollup-plugin-browsersync-1.1.0.tgz (Root Library)
browser-sync-2.26.7.tgz
yargs-6.4.0.tgz
❌ yargs-parser-4.2.1.tgz (Vulnerable Library)
yargs-parser-5.0.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-5.0.0.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/sass-graph/node_modules/yargs-parser/package.json
Dependency Hierarchy:
node-sass-4.13.1.tgz (Root Library)
sass-graph-2.2.4.tgz
yargs-7.1.0.tgz
❌ yargs-parser-5.0.0.tgz (Vulnerable Library)
Found in HEAD commit: d66c1373c8740c8ed5bdaaef68d32abdf60d9dcb
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto " payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.0 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: N/A
Attack Complexity: N/A
Privileges Required: N/A
User Interaction: N/A
Scope: N/A
Impact Metrics:
Confidentiality Impact: N/A
Integrity Impact: N/A
Availability Impact: N/A
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
Step up your Open Source Security Game with WhiteSource here
CVE-2018-11694 - High Severity Vulnerability
Vulnerable Library - opennmsopennms-source-23.0.0-1
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (62)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/libsass/src/expand.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/expand.cpp
/rollup-template/node_modules/node-sass/src/sass_types/factory.cpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.hpp
/rollup-template/node_modules/node-sass/src/sass_types/value.h
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.hpp
/rollup-template/node_modules/node-sass/src/callback_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/file.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/operation.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/operators.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.hpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/parser.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.cpp
/rollup-template/node_modules/node-sass/src/custom_function_bridge.cpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/bind.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/eval.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/backtrace.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/extend.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.h
/rollup-template/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/debugger.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.cpp
/rollup-template/node_modules/node-sass/src/sass_types/number.cpp
/rollup-template/node_modules/node-sass/src/sass_types/color.h
/rollup-template/node_modules/node-sass/src/libsass/src/sass_values.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/output.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.cpp
/rollup-template/node_modules/node-sass/src/sass_types/null.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_c.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/inspect.hpp
/rollup-template/node_modules/node-sass/src/sass_types/color.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/values.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.h
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.hpp
/rollup-template/node_modules/node-sass/src/sass_types/map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.cpp
/rollup-template/node_modules/node-sass/src/sass_types/string.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_context.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.hpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.h
/rollup-template/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
CVSS 3 Score Details (8.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11694
Release Date: 2018-06-04
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2020-8203 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/lodash/package.json
Dependency Hierarchy:
core-7.10.5.tgz (Root Library)
❌ lodash-4.17.19.tgz (Vulnerable Library)
Found in HEAD commit: 2101715213c75bb0eb8c78bb7252f495435c65c5
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.6 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: High
For more information on CVSS3 Scores, click here .
Step up your Open Source Security Game with WhiteSource here
CVE-2018-11695 - High Severity Vulnerability
Vulnerable Library - opennmsopennms-source-23.0.0-1
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (62)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/libsass/src/expand.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/expand.cpp
/rollup-template/node_modules/node-sass/src/sass_types/factory.cpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.hpp
/rollup-template/node_modules/node-sass/src/sass_types/value.h
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.hpp
/rollup-template/node_modules/node-sass/src/callback_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/file.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/operation.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/operators.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.hpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/parser.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.cpp
/rollup-template/node_modules/node-sass/src/custom_function_bridge.cpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/bind.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/eval.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/backtrace.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/extend.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.h
/rollup-template/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/debugger.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.cpp
/rollup-template/node_modules/node-sass/src/sass_types/number.cpp
/rollup-template/node_modules/node-sass/src/sass_types/color.h
/rollup-template/node_modules/node-sass/src/libsass/src/sass_values.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/output.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.cpp
/rollup-template/node_modules/node-sass/src/sass_types/null.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_c.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/inspect.hpp
/rollup-template/node_modules/node-sass/src/sass_types/color.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/values.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.h
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.hpp
/rollup-template/node_modules/node-sass/src/sass_types/map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.cpp
/rollup-template/node_modules/node-sass/src/sass_types/string.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_context.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.hpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.h
/rollup-template/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
An issue was discovered in LibSass through 3.5.2. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11695
CVSS 3 Score Details (8.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11695
Release Date: 2018-06-04
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2020-8244 - High Severity Vulnerability
Vulnerable Library - bl-1.2.2.tgz
Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/bl/package.json
Dependency Hierarchy:
optisize-1.1.0.tgz (Root Library)
imagemin-gifsicle-7.0.0.tgz
gifsicle-5.1.0.tgz
bin-build-3.0.0.tgz
decompress-4.2.1.tgz
decompress-tar-4.1.1.tgz
tar-stream-1.6.2.tgz
❌ bl-1.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 241654497f4de4385c1e3fc8ddf32e0201e1896d
Vulnerability Details
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and <2.2.1 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Publish Date: 2020-07-21
URL: CVE-2020-8244
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244
Release Date: 2020-07-21
Fix Resolution: 2.2.1,3.0.1,4.0.3
Step up your Open Source Security Game with WhiteSource here
CVE-2020-7660 - Medium Severity Vulnerability
Vulnerable Library - serialize-javascript-2.1.2.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
rollup-plugin-uglify-6.0.4.tgz (Root Library)
❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 91b2386c94e95ddd2fbf5bfea26c32d019c8c300
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (5.0 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: N/A
Attack Complexity: N/A
Privileges Required: N/A
User Interaction: N/A
Scope: N/A
Impact Metrics:
Confidentiality Impact: N/A
Integrity Impact: N/A
Availability Impact: N/A
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-01
Fix Resolution: serialize-javascript - 3.1.0
Step up your Open Source Security Game with WhiteSource here
CVE-2019-16769 - Medium Severity Vulnerability
Vulnerable Library - serialize-javascript-1.9.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
rollup-plugin-uglify-6.0.3.tgz (Root Library)
❌ serialize-javascript-1.9.1.tgz (Vulnerable Library)
Found in HEAD commit: 5b4bb19a40130dc4e9c7071f03eb45fb1f7ef3c0
Vulnerability Details
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.
Publish Date: 2019-12-05
URL: CVE-2019-16769
CVSS 2 Score Details (5.0 )
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769
Release Date: 2019-12-05
Fix Resolution: v2.1.1
Step up your Open Source Security Game with WhiteSource here
WS-2020-0044 - High Severity Vulnerability
Vulnerable Library - decompress-4.2.0.tgz
Extracting archives made easy
Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz
Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json
Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/decompress/package.json
Dependency Hierarchy:
optisize-1.0.0.tgz (Root Library)
imagemin-gifsicle-6.0.1.tgz
gifsicle-4.0.1.tgz
bin-build-3.0.0.tgz
❌ decompress-4.2.0.tgz (Vulnerable Library)
Found in HEAD commit: e5e893ff6a37be725e089d46c286e7b3c8da12f0
Vulnerability Details
decompress in all its versions is vulnerable to arbitrary file write. the package fails to prevent an extraction of files with relative paths which allows attackers to write to any folder in the system.
Publish Date: 2020-03-08
URL: WS-2020-0044
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
For more information on CVSS3 Scores, click here .
Step up your Open Source Security Game with WhiteSource here
CVE-2018-19826 - Medium Severity Vulnerability
Vulnerable Library - node-sassv4.11.0
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (4)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/binding.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/inspect.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/operators.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/parser.cpp
Vulnerability Details
** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.
Publish Date: 2018-12-03
URL: CVE-2018-19826
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Change files
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19826
Release Date: 2019-09-01
Fix Resolution: Replace or update the following file: LibSass - 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2018-19827 - High Severity Vulnerability
Vulnerable Libraries -
Vulnerability Details
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-12-03
URL: CVE-2018-19827
CVSS 3 Score Details (8.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: sass/libsass#2784
Release Date: 2019-08-29
Fix Resolution: LibSass - 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2019-6286 - Medium Severity Vulnerability
Vulnerable Library - opennmsopennms-source-23.0.0-1
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (62)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/libsass/src/expand.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/expand.cpp
/rollup-template/node_modules/node-sass/src/sass_types/factory.cpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.hpp
/rollup-template/node_modules/node-sass/src/sass_types/value.h
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.hpp
/rollup-template/node_modules/node-sass/src/callback_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/file.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/operation.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/operators.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.hpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/parser.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.cpp
/rollup-template/node_modules/node-sass/src/custom_function_bridge.cpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/bind.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/eval.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/backtrace.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/extend.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.h
/rollup-template/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/debugger.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.cpp
/rollup-template/node_modules/node-sass/src/sass_types/number.cpp
/rollup-template/node_modules/node-sass/src/sass_types/color.h
/rollup-template/node_modules/node-sass/src/libsass/src/sass_values.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/output.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.cpp
/rollup-template/node_modules/node-sass/src/sass_types/null.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_c.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/inspect.hpp
/rollup-template/node_modules/node-sass/src/sass_types/color.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/values.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.h
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.hpp
/rollup-template/node_modules/node-sass/src/sass_types/map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.cpp
/rollup-template/node_modules/node-sass/src/sass_types/string.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_context.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.hpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.h
/rollup-template/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693 .
Publish Date: 2019-01-14
URL: CVE-2019-6286
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6286
Release Date: 2019-08-06
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here
CVE-2019-6283 - Medium Severity Vulnerability
Vulnerable Library - opennmsopennms-source-23.0.0-1
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 21f4d8bd6e162974567acc06a90cd5e2714f18e4
Library Source Files (62)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
/rollup-template/node_modules/node-sass/src/libsass/src/expand.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/expand.cpp
/rollup-template/node_modules/node-sass/src/sass_types/factory.cpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.hpp
/rollup-template/node_modules/node-sass/src/sass_types/value.h
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.hpp
/rollup-template/node_modules/node-sass/src/callback_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/file.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/operation.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/operators.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.hpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/parser.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/constants.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/util.cpp
/rollup-template/node_modules/node-sass/src/custom_function_bridge.cpp
/rollup-template/node_modules/node-sass/src/custom_importer_bridge.h
/rollup-template/node_modules/node-sass/src/libsass/src/bind.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/eval.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/backtrace.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/extend.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.h
/rollup-template/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
/rollup-template/node_modules/node-sass/src/libsass/src/error_handling.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/debugger.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/emitter.cpp
/rollup-template/node_modules/node-sass/src/sass_types/number.cpp
/rollup-template/node_modules/node-sass/src/sass_types/color.h
/rollup-template/node_modules/node-sass/src/libsass/src/sass_values.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/output.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.cpp
/rollup-template/node_modules/node-sass/src/sass_types/null.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/functions.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/cssize.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_c.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/inspect.hpp
/rollup-template/node_modules/node-sass/src/sass_types/color.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/values.cpp
/rollup-template/node_modules/node-sass/src/sass_context_wrapper.cpp
/rollup-template/node_modules/node-sass/src/sass_types/list.h
/rollup-template/node_modules/node-sass/src/libsass/src/check_nesting.hpp
/rollup-template/node_modules/node-sass/src/sass_types/map.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/to_value.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.cpp
/rollup-template/node_modules/node-sass/src/sass_types/string.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/sass_context.cpp
/rollup-template/node_modules/node-sass/src/libsass/src/prelexer.hpp
/rollup-template/node_modules/node-sass/src/libsass/src/context.hpp
/rollup-template/node_modules/node-sass/src/sass_types/boolean.h
/rollup-template/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6283
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284
Release Date: 2019-08-06
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here