This Particular example demonstrates how you can sync payment refunds from Stripe into Zendesk Sunshine via a webhook API.
Home Page: https://uniquelyparticular.com
License: MIT License
sync-stripe-to-zendesk's Issues
CVE-2019-20922 - High Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: d973f96bd29bcbe9be6ee18971a529d5bd973ffb
Vulnerability Details
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Publish Date: 2020-09-30
URL: CVE-2019-20922
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2020-10-07
Fix Resolution: handlebars - 4.4.5
Step up your Open Source Security Game with WhiteSource here
CVE-2020-8203 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/lodash/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
❌ lodash-4.17.11.tgz (Vulnerable Library)
Found in HEAD commit: 2b87b1eb6e22e5acaaadba80b3d852e76e42147b
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-10-21
Fix Resolution: lodash - 4.17.19
CVE-2019-13173 - High Severity Vulnerability
Vulnerable Library - fstream-1.0.11.tgz
Advanced file system stream things
Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/fstream/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
npm-6.9.0.tgz
node-gyp-3.8.0.tgz
❌ fstream-1.0.11.tgz (Vulnerable Library)
Found in HEAD commit: c16b02f38691152d0b1f3b0133c92164b9af5a7c
Vulnerability Details
fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.
Publish Date: 2019-07-02
URL: CVE-2019-13173
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173
Release Date: 2019-07-02
Fix Resolution: 1.0.12
WS-2019-0047 - Medium Severity Vulnerability
Vulnerable Library - tar-2.2.1.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: /sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/git/sync-stripe-to-zendesk/node_modules/npm/node_modules/node-gyp/node_modules/tar/package.json
Dependency Hierarchy:
semantic-release-15.13.3.tgz (Root Library)
npm-5.1.6.tgz
npm-6.9.0.tgz
node-gyp-3.8.0.tgz
❌ tar-2.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 1d7462db42aff8576f5bf4cc5c0ec543f8ecf48c
Vulnerability Details
Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.
Publish Date: 2019-04-05
URL: WS-2019-0047
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/803
Release Date: 2019-04-05
Fix Resolution: 4.4.2
CVE-2012-6708 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.8.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
❌ jquery-1.8.1.min.js (Vulnerable Library)
Found in HEAD commit: 9e27cb6f56b78a2b53b3671a65fdd9b080d89b7f
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
WS-2020-0070 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /tmp/ws-scm/sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/ws-scm/sync-stripe-to-zendesk/node_modules/lodash/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
❌ lodash-4.17.11.tgz (Vulnerable Library)
Found in HEAD commit: ee15db06840503609423cfc38bd16a4489442543
Vulnerability Details
A prototype pollution vulnerability in lodash: it allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
WS-2019-0331 - Medium Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 3e7abf486f7e55b3c48d47ce7e81077ff5fcd0bc
Vulnerability Details
Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. The lookup helper fails to validate templates. Attackers may submit templates that execute arbitrary JavaScript on the system.
Publish Date: 2019-11-13
URL: WS-2019-0331
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.2
WS-2019-0209 - Medium Severity Vulnerability
Vulnerable Library - marked-0.6.2.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.6.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/marked/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
❌ marked-0.6.2.tgz (Vulnerable Library)
Found in HEAD commit: 9e27cb6f56b78a2b53b3671a65fdd9b080d89b7f
Vulnerability Details
marked before 0.7.0 is vulnerable to a ReDoS attack via the _label subrule, which may significantly degrade parsing performance on malformed input.
Publish Date: 2019-07-04
URL: WS-2019-0209
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1076
Release Date: 2019-09-05
Fix Resolution: 0.7.0
WS-2019-0491 - High Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: d973f96bd29bcbe9be6ee18971a529d5bd973ffb
Vulnerability Details
handlebars before 4.4.5 is vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.
Publish Date: 2019-11-04
URL: WS-2019-0491
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2019-11-04
Fix Resolution: handlebars - 4.4.5
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.8.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
❌ jquery-1.8.1.min.js (Vulnerable Library)
Found in HEAD commit: 9e27cb6f56b78a2b53b3671a65fdd9b080d89b7f
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
CVE-2018-20834 - High Severity Vulnerability
Vulnerable Library - tar-2.2.1.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/node-gyp/node_modules/tar/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
npm-6.9.0.tgz
node-gyp-3.8.0.tgz
❌ tar-2.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 8fd5a92bce10e731397e958b6dd988a8896e700b
Vulnerability Details
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.
Publish Date: 2019-04-30
URL: CVE-2018-20834
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20834
Release Date: 2019-04-30
Fix Resolution: tar - 2.2.2, 4.4.2
WS-2019-0063 - High Severity Vulnerability
Vulnerable Library - js-yaml-3.13.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz
Path to dependency file: /sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/git/sync-stripe-to-zendesk/node_modules/js-yaml/package.json
Dependency Hierarchy:
husky-2.4.0.tgz (Root Library)
cosmiconfig-5.2.0.tgz
❌ js-yaml-3.13.1.tgz (Vulnerable Library)
Found in HEAD commit: 9bf823de3a1103f81b43f1ec709b60174f75ef50
Vulnerability Details
js-yaml prior to 3.13.1 is vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-30
URL: WS-2019-0063
CVSS 2 Score Details (8.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-30
Fix Resolution: 3.13.1
CVE-2020-8116 - High Severity Vulnerability
Vulnerable Libraries - dot-prop-4.2.0.tgz , dot-prop-3.0.0.tgz
dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/dot-prop/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
npm-6.9.0.tgz
update-notifier-2.5.0.tgz
configstore-3.1.2.tgz
❌ dot-prop-4.2.0.tgz (Vulnerable Library)
dot-prop-3.0.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/dot-prop/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
commit-analyzer-6.2.0.tgz
conventional-changelog-angular-5.0.3.tgz
compare-func-1.3.2.tgz
❌ dot-prop-3.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 15e19e3b93504ecec10de9795468a6feb3fbf97a
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (7.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution: dot-prop - 5.1.1
CVE-2019-16777 - Medium Severity Vulnerability
Vulnerable Library - npm-6.9.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-6.9.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
❌ npm-6.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 30480e820ede5e69748f350c3f0e86fa42e434f8
Vulnerability Details
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. The --ignore-scripts install option does not prevent this.
Publish Date: 2019-12-13
URL: CVE-2019-16777
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Release Date: 2019-12-13
Fix Resolution: npm - 6.13.4
CVE-2019-16775 - Medium Severity Vulnerability
Vulnerable Library - npm-6.9.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-6.9.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
❌ npm-6.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 30480e820ede5e69748f350c3f0e86fa42e434f8
Vulnerability Details
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. The --ignore-scripts install option does not prevent this.
Publish Date: 2019-12-13
URL: CVE-2019-16775
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Release Date: 2019-12-13
Fix Resolution: npm - 6.13.3; yarn - 1.21.1
CVE-2019-19919 - High Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: f7c9c6e14269f2c03c1289ca7211f5a81275d63c
Vulnerability Details
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Publish Date: 2019-12-20
URL: CVE-2019-19919
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1164
Release Date: 2019-12-20
Fix Resolution: 4.3.0
WS-2019-0318 - High Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 3e7abf486f7e55b3c48d47ce7e81077ff5fcd0bc
Vulnerability Details
In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.
Publish Date: 2019-10-20
URL: WS-2019-0318
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2019-12-01
Fix Resolution: handlebars - 4.4.5
CVE-2019-10747 - High Severity Vulnerability
Vulnerable Libraries - set-value-0.4.3.tgz , set-value-2.0.0.tgz
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
micro-dev-3.0.0.tgz (Root Library)
chokidar-2.0.3.tgz
braces-2.3.2.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
union-value-1.0.0.tgz
❌ set-value-0.4.3.tgz (Vulnerable Library)
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/set-value/package.json
Dependency Hierarchy:
micro-dev-3.0.0.tgz (Root Library)
chokidar-2.0.3.tgz
braces-2.3.2.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
❌ set-value-2.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 29859e823cb593b21a51ec86e7735d452cd14789
Vulnerability Details
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/set-value@95e9d99
Release Date: 2019-07-24
Fix Resolution: 2.0.1, 3.0.1
WS-2016-0090 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.8.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: /sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
❌ jquery-1.8.1.min.js (Vulnerable Library)
Found in HEAD commit: 9e27cb6f56b78a2b53b3671a65fdd9b080d89b7f
Vulnerability Details
jQuery before 2.2.0 is vulnerable to Cross-site Scripting (XSS) attacks via a text/javascript response, leading to arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
CVSS 2 Score Details (4.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
WS-2019-0291 - High Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/ws-scm/sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: d45a3848498ec1b3f1428887f01cc4c0fc3a717f
Vulnerability Details
handlebars before 4.3.0 is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Publish Date: 2019-10-06
URL: WS-2019-0291
CVSS 2 Score Details (7.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1164
Release Date: 2019-10-06
Fix Resolution: 4.3.0
WS-2019-0333 - High Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 3e7abf486f7e55b3c48d47ce7e81077ff5fcd0bc
Vulnerability Details
In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it is possible to add or modify properties of the Object prototype. This can also lead to DoS and RCE under certain conditions.
Publish Date: 2019-11-18
URL: WS-2019-0333
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1325
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
WS-2020-0068 - High Severity Vulnerability
Vulnerable Libraries - yargs-parser-10.1.0.tgz , yargs-parser-9.0.2.tgz , yargs-parser-13.1.1.tgz
yargs-parser-10.1.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz
Path to dependency file: /tmp/ws-scm/sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/ws-scm/sync-stripe-to-zendesk/node_modules/ts-jest/node_modules/yargs-parser/package.json
Dependency Hierarchy:
ts-jest-24.0.2.tgz (Root Library)
❌ yargs-parser-10.1.0.tgz (Vulnerable Library)
yargs-parser-9.0.2.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz
Path to dependency file: /tmp/ws-scm/sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/ws-scm/sync-stripe-to-zendesk/node_modules/npm/node_modules/yargs-parser/package.json
Dependency Hierarchy:
micro-dev-3.0.0.tgz (Root Library)
jsome-2.5.0.tgz
yargs-11.1.0.tgz
❌ yargs-parser-9.0.2.tgz (Vulnerable Library)
yargs-parser-13.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.1.tgz
Path to dependency file: /tmp/ws-scm/sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/ws-scm/sync-stripe-to-zendesk/node_modules/semantic-release/node_modules/yargs-parser/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
yargs-13.2.4.tgz
❌ yargs-parser-13.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 86ddfd59497042952b1c9e84ded2c97de2c53e7d
Vulnerability Details
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Publish Date: 2020-05-01
URL: WS-2020-0068
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/package/yargs-parser
Release Date: 2020-05-04
Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1
Step up your Open Source Security Game with WhiteSource here
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.8.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
❌ jquery-1.8.1.min.js (Vulnerable Library)
Found in HEAD commit: 2b87b1eb6e22e5acaaadba80b3d852e76e42147b
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
WS-2019-0337 - Medium Severity Vulnerability
Vulnerable Library - bin-links-1.1.2.tgz
JavaScript package binary linker
Library home page: https://registry.npmjs.org/bin-links/-/bin-links-1.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/bin-links/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
npm-6.9.0.tgz
❌ bin-links-1.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 30480e820ede5e69748f350c3f0e86fa42e434f8
Vulnerability Details
Arbitrary File Write vulnerability found in bin-links before 1.1.5. The package fails to restrict access to folders outside of the intended node_modules folder through the bin field. This allows attackers to create arbitrary files in the system.
Publish Date: 2019-12-11
URL: WS-2019-0337
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: npm/bin-links@642cd18
Release Date: 2019-12-17
Fix Resolution: bin-links - 1.1.5
CVE-2019-20149 - High Severity Vulnerability
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/kind-of/package.json
Dependency Hierarchy:
jest-24.8.0.tgz (Root Library)
jest-cli-24.8.0.tgz
core-24.8.0.tgz
micromatch-3.1.10.tgz
❌ kind-of-6.0.2.tgz (Vulnerable Library)
Found in HEAD commit: f7c9c6e14269f2c03c1289ca7211f5a81275d63c
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution: 6.0.3
CVE-2019-16776 - High Severity Vulnerability
Vulnerable Library - npm-6.9.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-6.9.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
❌ npm-6.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 30480e820ede5e69748f350c3f0e86fa42e434f8
Vulnerability Details
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Publish Date: 2019-12-13
URL: CVE-2019-16776
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Release Date: 2019-12-13
Fix Resolution: npm - 6.13.3;yarn - 1.21.1
WS-2020-0042 - High Severity Vulnerability
Vulnerable Libraries - acorn-6.1.1.tgz, acorn-5.7.3.tgz
acorn-6.1.1.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.1.1.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/acorn-globals/node_modules/acorn/package.json
Dependency Hierarchy:
jest-24.8.0.tgz (Root Library)
jest-cli-24.8.0.tgz
jest-config-24.8.0.tgz
jest-environment-jsdom-24.8.0.tgz
jsdom-11.12.0.tgz
acorn-globals-4.3.2.tgz
❌ acorn-6.1.1.tgz (Vulnerable Library)
acorn-5.7.3.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/acorn/package.json
Dependency Hierarchy:
jest-24.8.0.tgz (Root Library)
jest-cli-24.8.0.tgz
jest-config-24.8.0.tgz
jest-environment-jsdom-24.8.0.tgz
jsdom-11.12.0.tgz
❌ acorn-5.7.3.tgz (Vulnerable Library)
Found in HEAD commit: c455789b66d2278272d86c74f0d4b5970aee52d1
Vulnerability Details
acorn is vulnerable to regex DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a denial of service, since the string is not valid UTF-16 and is therefore sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-08
Fix Resolution: 7.1.1
WS-2019-0332 - Medium Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 3e7abf486f7e55b3c48d47ce7e81077ff5fcd0bc
Vulnerability Details
Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. The lookup helper fails to validate templates. Attackers may submit templates that execute arbitrary JavaScript on the system. It is due to an incomplete fix for WS-2019-0331.
Publish Date: 2019-11-17
URL: WS-2019-0332
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
CVE-2019-20920 - High Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: d973f96bd29bcbe9be6ee18971a529d5bd973ffb
Vulnerability Details
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Publish Date: 2020-09-30
URL: CVE-2019-20920
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2020-10-15
Fix Resolution: handlebars - 4.5.3
WS-2019-0310 - High Severity Vulnerability
Vulnerable Library - https-proxy-agent-2.2.1.tgz
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/https-proxy-agent/package.json,sync-stripe-to-zendesk/node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
github-5.4.0.tgz
❌ https-proxy-agent-2.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 3e7abf486f7e55b3c48d47ce7e81077ff5fcd0bc
Vulnerability Details
In 'https-proxy-agent' before v2.2.3, there is a failure of TLS enforcement on the socket. An attacker may intercept unencrypted communications.
Publish Date: 2019-10-07
URL: WS-2019-0310
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1184
Release Date: 2019-12-01
Fix Resolution: https-proxy-agent - 2.2.3
WS-2019-0307 - Medium Severity Vulnerability
Vulnerable Library - mem-1.1.0.tgz
Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input
Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/mem/package.json,sync-stripe-to-zendesk/node_modules/jsome/node_modules/mem/package.json
Dependency Hierarchy:
micro-dev-3.0.0.tgz (Root Library)
jsome-2.5.0.tgz
yargs-11.1.0.tgz
os-locale-2.1.0.tgz
❌ mem-1.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 3e7abf486f7e55b3c48d47ce7e81077ff5fcd0bc
Vulnerability Details
In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure to remove old values from the cache.
Publish Date: 2018-08-27
URL: WS-2019-0307
CVSS 3 Score Details (5.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1084
Release Date: 2019-12-01
Fix Resolution: mem - 4.0.0
WS-2019-0369 - Medium Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/ws-scm/sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: f7c9c6e14269f2c03c1289ca7211f5a81275d63c
Vulnerability Details
Prototype Pollution vulnerability found in handlebars.js before 4.5.3. Attackers may exploit it to achieve remote code execution.
Publish Date: 2020-01-08
URL: WS-2019-0369
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://github.com/wycats/handlebars.js/blob/master/release-notes.md#v453---november-18th-2019
Release Date: 2020-01-08
Fix Resolution: handlebars - 4.5.3
WS-2020-0127 - Low Severity Vulnerability
Vulnerable Library - npm-registry-fetch-3.9.0.tgz
Fetch-based http client for use with npm registry APIs
Library home page: https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-3.9.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/npm-registry-fetch/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
npm-6.9.0.tgz
❌ npm-registry-fetch-3.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 2b87b1eb6e22e5acaaadba80b3d852e76e42147b
Vulnerability Details
npm-registry-fetch before 4.0.5 and before 8.1.1 is vulnerable to an information exposure vulnerability through log files.
Publish Date: 2020-07-07
URL: WS-2020-0127
CVSS 3 Score Details (3.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: N/A
Attack Complexity: N/A
Privileges Required: N/A
User Interaction: N/A
Scope: N/A
Impact Metrics:
Confidentiality Impact: N/A
Integrity Impact: N/A
Availability Impact: N/A
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1544
Release Date: 2020-07-14
Fix Resolution: npm-registry-fetch - 4.0.5,8.1.1
WS-2019-0368 - Low Severity Vulnerability
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /tmp/ws-scm/sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/ws-scm/sync-stripe-to-zendesk/node_modules/handlebars/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: f7c9c6e14269f2c03c1289ca7211f5a81275d63c
Vulnerability Details
Security vulnerability found in handlebars.js before 4.3.0.
Publish Date: 2020-01-08
URL: WS-2019-0368
CVSS 2 Score Details (3.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: handlebars-lang/handlebars.js@2078c72
Release Date: 2020-01-08
Fix Resolution: handlebars - 4.3.0
CVE-2020-15366 - Medium Severity Vulnerability
Vulnerable Libraries - ajv-6.10.0.tgz, ajv-5.5.2.tgz
ajv-6.10.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/ajv/package.json
Dependency Hierarchy:
jest-24.8.0.tgz (Root Library)
jest-cli-24.8.0.tgz
jest-config-24.8.0.tgz
jest-environment-jsdom-24.8.0.tgz
jsdom-11.12.0.tgz
request-2.88.0.tgz
har-validator-5.1.3.tgz
❌ ajv-6.10.0.tgz (Vulnerable Library)
ajv-5.5.2.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-5.5.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/ajv/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
npm-6.9.0.tgz
request-2.88.0.tgz
har-validator-5.1.0.tgz
❌ ajv-5.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 2b87b1eb6e22e5acaaadba80b3d852e76e42147b
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
Release Date: 2020-07-15
Fix Resolution: ajv - 6.12.3
WS-2019-0339 - High Severity Vulnerability
Vulnerable Library - bin-links-1.1.2.tgz
JavaScript package binary linker
Library home page: https://registry.npmjs.org/bin-links/-/bin-links-1.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/bin-links/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
npm-6.9.0.tgz
❌ bin-links-1.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 30480e820ede5e69748f350c3f0e86fa42e434f8
Vulnerability Details
In bin-links, versions prior to v1.1.6 are vulnerable to a Global 'node_modules' Binary Overwrite. It fails to prevent globally-installed binaries from being overwritten by other package installs.
Publish Date: 2019-12-11
URL: WS-2019-0339
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: npm/bin-links@642cd18
Release Date: 2019-12-17
Fix Resolution: bin-links - 1.1.6
CVE-2019-10746 - High Severity Vulnerability
Vulnerable Library - mixin-deep-1.3.1.tgz
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/mixin-deep/package.json
Dependency Hierarchy:
micro-dev-3.0.0.tgz (Root Library)
chokidar-2.0.3.tgz
braces-2.3.2.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
❌ mixin-deep-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: 39be44c3f0097654226e6d86dbd94845c13c0c4f
Vulnerability Details
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/mixin-deep@8f464c8
Release Date: 2019-07-11
Fix Resolution: 1.3.2,2.0.1
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/mkdirp/node_modules/minimist/package.json,sync-stripe-to-zendesk/node_modules/npm/node_modules/minimist/package.json
Dependency Hierarchy:
ts-jest-24.0.2.tgz (Root Library)
mkdirp-0.5.1.tgz
❌ minimist-0.0.8.tgz (Vulnerable Library)
minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
release-notes-generator-7.2.0.tgz
conventional-changelog-writer-4.0.3.tgz
handlebars-4.1.2.tgz
optimist-0.6.1.tgz
❌ minimist-0.0.10.tgz (Vulnerable Library)
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/rc/node_modules/minimist/package.json,sync-stripe-to-zendesk/node_modules/minimist/package.json
Dependency Hierarchy:
ts-jest-24.0.2.tgz (Root Library)
json5-2.1.0.tgz
❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 519e0a5370a49a8355c9765faf3bab2e776c6be9
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
WS-2019-0338 - High Severity Vulnerability
Vulnerable Library - bin-links-1.1.2.tgz
JavaScript package binary linker
Library home page: https://registry.npmjs.org/bin-links/-/bin-links-1.1.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/bin-links/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
npm-6.9.0.tgz
❌ bin-links-1.1.2.tgz (Vulnerable Library)
Found in HEAD commit: 30480e820ede5e69748f350c3f0e86fa42e434f8
Vulnerability Details
In bin-links, versions prior to v1.1.5 are vulnerable to a Symlink reference outside of 'node_modules' directory. An attacker can access unauthorized files.
Publish Date: 2019-12-10
URL: WS-2019-0338
CVSS 3 Score Details (8.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: npm/bin-links@b3cfd2e
Release Date: 2019-12-17
Fix Resolution: bin-links - 1.1.5
WS-2020-0163 - Medium Severity Vulnerability
Vulnerable Library - marked-0.6.2.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.6.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/marked/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
❌ marked-0.6.2.tgz (Vulnerable Library)
Found in HEAD commit: d973f96bd29bcbe9be6ee18971a529d5bd973ffb
Vulnerability Details
marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (ReDoS). rules.js has multiple unused capture groups which can lead to a Denial of Service.
Publish Date: 2020-07-02
URL: WS-2020-0163
CVSS 3 Score Details (5.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1
Release Date: 2020-07-02
Fix Resolution: marked - 1.1.1
WS-2018-0236 - Medium Severity Vulnerability
Vulnerable Library - mem-1.1.0.tgz
Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input
Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/mem/package.json
Dependency Hierarchy:
micro-dev-3.0.0.tgz (Root Library)
jsome-2.5.0.tgz
yargs-11.1.0.tgz
os-locale-2.1.0.tgz
❌ mem-1.1.0.tgz (Vulnerable Library)
Found in HEAD commit: ad388275c9d5f5ab54a9b72f8b01393dba54f376
Vulnerability Details
In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.
Publish Date: 2018-08-27
URL: WS-2018-0236
CVSS 2 Score Details (5.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744
Release Date: 2019-05-30
Fix Resolution: 4.0.0
WS-2019-0381 - Medium Severity Vulnerability
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /tmp/ws-scm/sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/ws-scm/sync-stripe-to-zendesk/node_modules/kind-of/package.json
Dependency Hierarchy:
jest-24.8.0.tgz (Root Library)
jest-cli-24.8.0.tgz
core-24.8.0.tgz
micromatch-3.1.10.tgz
❌ kind-of-6.0.2.tgz (Vulnerable Library)
Found in HEAD commit: 519e0a5370a49a8355c9765faf3bab2e776c6be9
Vulnerability Details
Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.
Publish Date: 2019-12-30
URL: WS-2019-0381
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/kind-of@975c13a
Release Date: 2020-03-18
Fix Resolution: kind-of - 6.0.3
CVE-2020-7656 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.8.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
❌ jquery-1.8.1.min.js (Vulnerable Library)
Found in HEAD commit: 9581f8e491ff551139ed2b43f8eefcb4bce50314
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-28
Fix Resolution: jquery - 1.9.0
WS-2019-0100 - Medium Severity Vulnerability
Vulnerable Library - fstream-1.0.11.tgz
Advanced file system stream things
Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz
Path to dependency file: /sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/git/sync-stripe-to-zendesk/node_modules/npm/node_modules/fstream/package.json
Dependency Hierarchy:
semantic-release-15.13.14.tgz (Root Library)
npm-5.1.7.tgz
npm-6.9.0.tgz
node-gyp-3.8.0.tgz
❌ fstream-1.0.11.tgz (Vulnerable Library)
Found in HEAD commit: 327f2b24a9aa8ad16190a628d5a541de3e2617af
Vulnerability Details
Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.
Publish Date: 2019-05-23
URL: WS-2019-0100
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/886
Release Date: 2019-05-23
Fix Resolution: 1.0.12
CVE-2020-15095 - Medium Severity Vulnerability
Vulnerable Library - npm-6.9.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-6.9.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
❌ npm-6.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 2b87b1eb6e22e5acaaadba80b3d852e76e42147b
Vulnerability Details
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
Publish Date: 2020-07-07
URL: CVE-2020-15095
CVSS 3 Score Details (4.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-93f3-23rq-pjfp
Release Date: 2020-07-07
Fix Resolution: npm - 6.14.6
CVE-2019-10744 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/lodash/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
❌ lodash-4.17.11.tgz (Vulnerable Library)
Found in HEAD commit: 39be44c3f0097654226e6d86dbd94845c13c0c4f
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-08
Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.8.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js
Path to dependency file: sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/redeyed/examples/browser/index.html
Dependency Hierarchy:
❌ jquery-1.8.1.min.js (Vulnerable Library)
Found in HEAD commit: 519e0a5370a49a8355c9765faf3bab2e776c6be9
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
WS-2020-0180 - High Severity Vulnerability
Vulnerable Library - npm-user-validate-1.0.0.tgz
User validations for npm
Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/npm-user-validate/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
npm-5.1.13.tgz
npm-6.9.0.tgz
❌ npm-user-validate-1.0.0.tgz (Vulnerable Library)
Found in HEAD commit: d973f96bd29bcbe9be6ee18971a529d5bd973ffb
Vulnerability Details
The package npm-user-validate prior to version 1.0.1 is vulnerable to ReDoS. The regex that validates a user's email takes exponentially longer to process input strings that begin with the '@' character.
Publish Date: 2020-10-16
URL: WS-2020-0180
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xgh6-85xh-479p
Release Date: 2020-10-16
Fix Resolution: 1.0.1
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Libraries - yargs-parser-10.1.0.tgz, yargs-parser-9.0.2.tgz, yargs-parser-13.1.1.tgz, yargs-parser-11.1.1.tgz
yargs-parser-10.1.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/ts-jest/node_modules/yargs-parser/package.json
Dependency Hierarchy:
ts-jest-24.0.2.tgz (Root Library)
❌ yargs-parser-10.1.0.tgz (Vulnerable Library)
yargs-parser-9.0.2.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/npm/node_modules/yargs-parser/package.json,sync-stripe-to-zendesk/node_modules/jsome/node_modules/yargs-parser/package.json
Dependency Hierarchy:
micro-dev-3.0.0.tgz (Root Library)
jsome-2.5.0.tgz
yargs-11.1.0.tgz
❌ yargs-parser-9.0.2.tgz (Vulnerable Library)
yargs-parser-13.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.1.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/semantic-release/node_modules/yargs-parser/package.json
Dependency Hierarchy:
semantic-release-15.13.18.tgz (Root Library)
yargs-13.2.4.tgz
❌ yargs-parser-13.1.1.tgz (Vulnerable Library)
yargs-parser-11.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: sync-stripe-to-zendesk/package.json
Path to vulnerable library: sync-stripe-to-zendesk/node_modules/yargs-parser/package.json
Dependency Hierarchy:
jest-24.8.0.tgz (Root Library)
jest-cli-24.8.0.tgz
yargs-12.0.5.tgz
❌ yargs-parser-11.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 519e0a5370a49a8355c9765faf3bab2e776c6be9
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: yargs/yargs-parser@63810ca
Release Date: 2020-06-05
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
WS-2019-0032 - Medium Severity Vulnerability
Vulnerable Library - js-yaml-3.12.2.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.2.tgz
Path to dependency file: /sync-stripe-to-zendesk/package.json
Path to vulnerable library: /tmp/git/sync-stripe-to-zendesk/node_modules/js-yaml/package.json
Dependency Hierarchy:
husky-1.3.1.tgz (Root Library)
cosmiconfig-5.1.0.tgz
❌ js-yaml-3.12.2.tgz (Vulnerable Library)
Found in HEAD commit: 9590aabeeffcf979bf65dd4fdc8e94b8605c1dfe
Vulnerability Details
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.
Publish Date: 2019-03-26
URL: WS-2019-0032
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-26
Fix Resolution: 3.13.0