
homepages's Introduction

Hello fellow coder 👋

My name is Ville Saarinen and I am a passionate programmer from Tampere, Finland.

Connect with me

LinkedIn

Instagram

Facebook


My tools

Visual Studio Code

Javascript

ReactJS

NodeJS

HTML

CSS

MongoDB

PostgreSQL

Docker



๐Ÿฑ My GitHub Data

๐Ÿ† 0 Contributions in the Year 2022

๐Ÿ“ฆ 49.3 kB Used in GitHub's Storage

๐Ÿ’ผ Opted to Hire

๐Ÿ“œ 11 Public Repositories

๐Ÿ”‘ 0 Private Repositories

I'm a Night ๐Ÿฆ‰

๐ŸŒž Morning    10 commits     โ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   10.0% 
๐ŸŒ† Daytime    20 commits     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   20.0% 
๐ŸŒƒ Evening    69 commits     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   69.0% 
๐ŸŒ™ Night      1 commits      โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   1.0%

๐Ÿ“… I'm Most Productive on Sunday

Monday       21 commits     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   21.0% 
Tuesday      6 commits      โ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   6.0% 
Wednesday    7 commits      โ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   7.0% 
Thursday     8 commits      โ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   8.0% 
Friday       8 commits      โ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   8.0% 
Saturday     22 commits     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   22.0% 
Sunday       28 commits     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   28.0%

๐Ÿ“Š This Week I Spent My Time On

โŒš๏ธŽ Time Zone: Europe/Helsinki

๐Ÿ’ฌ Programming Languages: 
No Activity Tracked This Week

๐Ÿ”ฅ Editors: 
No Activity Tracked This Week

๐Ÿฑโ€๐Ÿ’ป Projects: 
No Activity Tracked This Week

๐Ÿ’ป Operating System: 
No Activity Tracked This Week

I Mostly Code in JavaScript

JavaScript               5 repos             โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   50.0% 
C++                      3 repos             โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   30.0% 
HTML                     2 repos             โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   20.0%


Last Updated on 08/11/2022 18:58:23 UTC

Recent GitHub Activity

  1. 🗣 Commented on #251 in vikidi/Homepages
  2. ❗️ Opened issue #251 in vikidi/Homepages

homepages's People

Contributors: dependabot[bot], depfu[bot], imgbot[bot], renovate-bot, renovate[bot], snyk-bot, vikidi

homepages's Issues

CVE-2020-7788 (High) detected in ini-1.3.5.tgz

CVE-2020-7788 - High Severity Vulnerability

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: Homepages/frontend/package.json

Path to vulnerable library: Homepages/backend/node_modules/ini/package.json

Dependency Hierarchy:

  • nodemon-2.0.6.tgz (Root Library)
    • update-notifier-4.1.3.tgz
      • is-installed-globally-0.3.2.tgz
        • global-dirs-2.0.1.tgz
          • โŒ ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 48e05250483e35ea455ba9f67502dcf796bd30d0

Found in base branch: development

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
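The mechanic behind the advisory above, as an added example (illustrative code written for this page, not the ini package's source): a minimal INI-style parser whose section lookup `out[name] || (out[name] = {})` reaches `Object.prototype` through the inherited `__proto__` accessor when a section is named `__proto__`, beside a hardened version that uses prototype-less objects and refuses the dangerous names. The hostile file `MALICIOUS_INI` is constructed for the demonstration.

```javascript
'use strict';
// Minimal INI-style parser written for this example (not the ini package's code).
// Sections become nested objects; "key = value" lines assign into the current section.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Tokenises the file: yields { section } for "[name]" and { key, value } for assignments.
function* iniLines(text) {
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const section = /^\[(.+)\]$/.exec(line);
    if (section) { yield { section: section[1].trim() }; continue; }
    const eq = line.indexOf('=');
    if (eq > 0) yield { key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() };
  }
}

// Vulnerable: `out[name] || ...` reads the inherited __proto__ accessor, so for a
// section named "__proto__" the current section becomes Object.prototype and every
// following key/value is written onto every object in the process.
function parseIniNaive(text) {
  const out = {};
  let current = out;
  for (const item of iniLines(text)) {
    if (item.section !== undefined) {
      current = out[item.section] || (out[item.section] = {});
    } else {
      current[item.key] = item.value;
    }
  }
  return out;
}

// Hardened: prototype-less containers (no inherited accessor to reach), own-property
// lookups only, and an explicit refusal of the dangerous names so a hostile file
// fails loudly instead of being silently reshaped.
function parseIniSafe(text) {
  const out = Object.create(null);
  let current = out;
  for (const item of iniLines(text)) {
    if (item.section !== undefined) {
      if (BLOCKED_KEYS.has(item.section)) throw new Error(`rejected section name: ${item.section}`);
      if (!Object.prototype.hasOwnProperty.call(out, item.section)) out[item.section] = Object.create(null);
      current = out[item.section];
    } else {
      if (BLOCKED_KEYS.has(item.key)) throw new Error(`rejected key: ${item.key}`);
      current[item.key] = item.value;
    }
  }
  return out;
}

// Constructed attacker input of the shape the advisory describes.
const MALICIOUS_INI = '[__proto__]\npolluted = true\n';

// Parses the hostile file with the naive parser, checks whether a fresh, unrelated
// object inherited the key, then removes the pollution again.
function demonstratePollution() {
  const before = {}.polluted;
  parseIniNaive(MALICIOUS_INI);
  const after = {}.polluted;
  delete Object.prototype.polluted;
  return { before, after };
}

function demonstrateHardened() {
  try {
    parseIniSafe(MALICIOUS_INI);
    return 'parsed';
  } catch (err) {
    return 'rejected: ' + err.message;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstratePollution());
  console.log(demonstrateHardened());
  console.log(parseIniSafe('[database]\nhost = localhost\nport = 5432\n'));
}
```

The `before`/`after` pair is also the cheapest runtime check for this class of bug: if `({}).polluted` is ever defined, something has written to the shared prototype.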

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6


Step up your Open Source Security Game with WhiteSource here
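A check a practitioner wants for every transitive finding on this page: which root dependency actually pulls the vulnerable package in, and whether the installed version is below the fix. The script below is an added example written for this page (not WhiteSource or npm tooling): it walks a lockfileVersion 2 or 3 package-lock.json, whose flat `packages` map is keyed by install path, using Node's nearest-ancestor `node_modules` lookup rule. `SAMPLE_LOCK` is a constructed excerpt mirroring the nodemon chain in the advisory above; lockfileVersion 1 files, which nest dependencies instead, are not handled.

```javascript
'use strict';
// Added example: find every dependency chain from the project root to a package in a
// package-lock.json (lockfileVersion 2/3) and flag installs below a fixed version.

// Nearest-ancestor node_modules lookup, the same rule Node's resolver applies:
// try <from>/node_modules/<name>, then walk up one node_modules level at a time.
function resolvePackagePath(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut < 0 ? '' : base.slice(0, cut);
  }
}

// Numeric compare of dotted versions; a leading "v" and pre-release tags are ignored.
function versionLessThan(a, b) {
  const parse = (v) => v.replace(/^v/, '').split('-')[0].split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk over dependencies and devDependencies starting at the root entry "".
// (optionalDependencies/peerDependencies are deliberately not followed here.)
function findDependencyChains(lock, targetName) {
  const packages = lock.packages;
  const chains = [];
  const onPath = new Set(); // guards against dependency cycles
  function walk(fromPath, chain) {
    const entry = packages[fromPath];
    if (!entry) return;
    const deps = Object.assign({}, entry.dependencies, entry.devDependencies);
    for (const name of Object.keys(deps)) {
      const depPath = resolvePackagePath(packages, fromPath, name);
      if (!depPath || onPath.has(depPath)) continue;
      const next = chain.concat([{ name, version: packages[depPath].version }]);
      if (name === targetName) { chains.push(next); continue; }
      onPath.add(depPath);
      walk(depPath, next);
      onPath.delete(depPath);
    }
  }
  walk('', []);
  return chains;
}

// One report row per chain: the root package to bump and whether the leaf needs the fix.
function auditPackage(lock, targetName, fixedVersion) {
  return findDependencyChains(lock, targetName).map((chain) => {
    const leaf = chain[chain.length - 1];
    return {
      chain: chain.map((p) => `${p.name}@${p.version}`).join(' > '),
      rootPackage: chain[0].name,
      installed: leaf.version,
      vulnerable: versionLessThan(leaf.version, fixedVersion),
    };
  });
}

// Constructed lockfile excerpt (only the fields the walker reads).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { express: '^4.17.1' }, devDependencies: { nodemon: '^2.0.6' } },
    'node_modules/express': { version: '4.17.1' },
    'node_modules/nodemon': { version: '2.0.6', dependencies: { 'update-notifier': '^4.1.0' } },
    'node_modules/update-notifier': { version: '4.1.3', dependencies: { 'is-installed-globally': '^0.3.1' } },
    'node_modules/is-installed-globally': { version: '0.3.2', dependencies: { 'global-dirs': '^2.0.1' } },
    'node_modules/global-dirs': { version: '2.0.1', dependencies: { ini: '^1.3.5' } },
    'node_modules/ini': { version: '1.3.5' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditPackage(SAMPLE_LOCK, 'ini', '1.3.6'));
}
```

Run it against a real lockfile with `auditPackage(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')), 'ini', '1.3.6')`. `rootPackage` is the direct dependency to bump (here nodemon); when no upstream release exists yet, npm 8.3 and later let you pin the transitive version with an `overrides` entry in package.json, and `npm ls ini` prints the same chain from the command line.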

Setup server 2

Necessary services: Node server, nginx load balancing.

CVE-2020-7778 (High) detected in systeminformation-4.27.10.tgz

CVE-2020-7778 - High Severity Vulnerability

Vulnerable Library - systeminformation-4.27.10.tgz

Simple system and OS information library

Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-4.27.10.tgz

Path to dependency file: Homepages/backend/package.json

Path to vulnerable library: Homepages/backend/node_modules/systeminformation/package.json

Dependency Hierarchy:

  • pm2-4.5.0.tgz (Root Library)
    • โŒ systeminformation-4.27.10.tgz (Vulnerable Library)

Found in HEAD commit: 80166356aa0e030e23cc42ba905dcf7ff5580aa3

Found in base branch: development

Vulnerability Details

This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.

Publish Date: 2020-11-26

URL: CVE-2020-7778

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sebhildebrandt/systeminformation/releases/tag/v4.30.2

Release Date: 2020-11-26

Fix Resolution: systeminformation - 4.30.2


VPN connection

Set up a VPN connection to the home network and remove SSH port forwarding from the router.

CVE-2020-7752 (High) detected in systeminformation-4.27.10.tgz

CVE-2020-7752 - High Severity Vulnerability

Vulnerable Library - systeminformation-4.27.10.tgz

Simple system and OS information library

Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-4.27.10.tgz

Path to dependency file: Homepages/backend/package.json

Path to vulnerable library: Homepages/backend/node_modules/systeminformation/package.json

Dependency Hierarchy:

  • pm2-4.5.0.tgz (Root Library)
    • โŒ systeminformation-4.27.10.tgz (Vulnerable Library)

Found in HEAD commit: 48e05250483e35ea455ba9f67502dcf796bd30d0

Found in base branch: development

Vulnerability Details

This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.

Publish Date: 2020-10-26

URL: CVE-2020-7752

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7752

Release Date: 2020-07-21

Fix Resolution: 4.27.11


CVE-2020-28275 (High) detected in cache-base-1.0.1.tgz - autoclosed

CVE-2020-28275 - High Severity Vulnerability

Vulnerable Library - cache-base-1.0.1.tgz

Basic object cache with `get`, `set`, `del`, and `has` methods for node.js/javascript projects.

Library home page: https://registry.npmjs.org/cache-base/-/cache-base-1.0.1.tgz

Path to dependency file: Homepages/backend/package.json

Path to vulnerable library: Homepages/frontend/node_modules/cache-base/package.json

Dependency Hierarchy:

  • jest-extended-0.11.5.tgz (Root Library)
    • expect-24.9.0.tgz
      • jest-message-util-24.9.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • โŒ cache-base-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 214af511883fd353ea76f6b49c7a9248dea265c2

Found in base branch: development

Vulnerability Details

Prototype pollution vulnerability in 'cache-base' versions 0.7.0 through 4.0.0 allows attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-11-07

URL: CVE-2020-28275

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2020-26274 (High) detected in systeminformation-4.27.10.tgz

CVE-2020-26274 - High Severity Vulnerability

Vulnerable Library - systeminformation-4.27.10.tgz

Simple system and OS information library

Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-4.27.10.tgz

Path to dependency file: Homepages/backend/package.json

Path to vulnerable library: Homepages/backend/node_modules/systeminformation/package.json

Dependency Hierarchy:

  • pm2-4.5.0.tgz (Root Library)
    • โŒ systeminformation-4.27.10.tgz (Vulnerable Library)

Found in HEAD commit: d3a9d4b0bed7bbeb60f36f223b68aaecdbbdf11f

Found in base branch: development

Vulnerability Details

In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix.

Publish Date: 2020-12-16

URL: CVE-2020-26274

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/systeminformation/v/4.31.0

Release Date: 2020-12-16

Fix Resolution: 4.31.1


Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

CVE-2020-28477 (High) detected in immer-7.0.9.tgz

CVE-2020-28477 - High Severity Vulnerability

Vulnerable Library - immer-7.0.9.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-7.0.9.tgz

Path to dependency file: Homepages/frontend/package.json

Path to vulnerable library: Homepages/frontend/node_modules/immer/package.json

Dependency Hierarchy:

  • react-scripts-4.0.1.tgz (Root Library)
    • react-dev-utils-11.0.1.tgz
      • โŒ immer-7.0.9.tgz (Vulnerable Library)

Found in HEAD commit: f9f4922486e283772c1e146187157a7097ba1542

Found in base branch: development

Vulnerability Details

This affects all versions of package immer before the 8.0.1 fix (prototype pollution).

Publish Date: 2021-01-19

URL: CVE-2020-28477

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/immerjs/immer/releases/tag/v8.0.1

Release Date: 2021-01-19

Fix Resolution: v8.0.1


CVE-2020-7789 (Medium) detected in node-notifier-8.0.0.tgz

CVE-2020-7789 - Medium Severity Vulnerability

Vulnerable Library - node-notifier-8.0.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-8.0.0.tgz

Path to dependency file: Homepages/frontend/package.json

Path to vulnerable library: Homepages/frontend/node_modules/node-notifier/package.json

Dependency Hierarchy:

  • jest-26.6.3.tgz (Root Library)
    • core-26.6.3.tgz
      • reporters-26.6.2.tgz
        • โŒ node-notifier-8.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 48e05250483e35ea455ba9f67502dcf796bd30d0

Found in base branch: development

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution: 9.0.0


Deliver images in next-gen format

Consider delivering images in formats like WebP, JPEG 2000, and JPEG XR as they can provide better compression than PNG or JPEG, which can reduce the page weight, load time, and save server resources.

Switch from HashRouter to BrowserRouter

Set up the backend server to accept this. The server does not know what to do when the frontend router tries to access any route other than "/" (the frontend production build route).

Add alt tag to images

Informative elements should aim for short, descriptive alternate text. Decorative elements can be ignored with an empty alt attribute.

CVE-2020-35149 (Medium) detected in mquery-3.2.2.tgz

CVE-2020-35149 - Medium Severity Vulnerability

Vulnerable Library - mquery-3.2.2.tgz

Expressive query building for MongoDB

Library home page: https://registry.npmjs.org/mquery/-/mquery-3.2.2.tgz

Path to dependency file: Homepages/backend/package.json

Path to vulnerable library: Homepages/backend/node_modules/mquery/package.json

Dependency Hierarchy:

  • mongoose-5.10.8.tgz (Root Library)
    • โŒ mquery-3.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 80166356aa0e030e23cc42ba905dcf7ff5580aa3

Found in base branch: development

Vulnerability Details

lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., __proto__) can be copied during a merge or clone operation.

Publish Date: 2020-12-11

URL: CVE-2020-35149

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/aheckmann/mquery/releases/tag/3.2.3

Release Date: 2020-12-11

Fix Resolution: 3.2.3


Url shortener bug

CNAME bug, probably in the Cloudflare settings. The domain name without www won't get redirected.

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: Homepages/frontend/package.json

Path to vulnerable library: Homepages/frontend/node_modules/y18n/package.json

Dependency Hierarchy:

  • react-scripts-4.0.1.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • yargs-13.3.2.tgz
        • โŒ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 48e05250483e35ea455ba9f67502dcf796bd30d0

Found in base branch: development

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
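The merge/clone variant of prototype pollution named in the mquery, cache-base and y18n advisories above, as an added example (written for this page; it is not any of those libraries' code). `HOSTILE_BODY` is a constructed JSON body of the kind a query builder merges into a base query: `JSON.parse` makes `__proto__` an ordinary own key, a recursive merge reads `target['__proto__']` through the inherited accessor and lands on `Object.prototype`, and from then on every object in the process has `isAdmin`. The hardened merge skips the dangerous names and only descends through own properties.

```javascript
'use strict';
// Added example: naive recursive merge (pollutes) beside a hardened merge (does not).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: for key "__proto__", `target[key]` resolves through the inherited
// accessor to Object.prototype, which is a plain object, so the recursion writes
// the nested values onto the shared prototype instead of onto `target`.
function mergeNaive(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeNaive(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse the dangerous names, read only own properties of the target,
// and descend only into plain objects.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = mergeSafe(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker body: what a JSON API might hand straight to a query builder.
// JSON.parse creates an own property literally named "__proto__" (no setter involved).
const HOSTILE_BODY = JSON.parse('{"status":"active","__proto__":{"isAdmin":true}}');

// Merges the hostile filter into a base query with the naive merge, observes the
// effect on a brand-new unrelated object, then removes the pollution again.
function demonstrateNaive() {
  const before = {}.isAdmin;
  const query = mergeNaive({ owner: 'ville' }, HOSTILE_BODY);
  const leaked = {}.isAdmin;
  delete Object.prototype.isAdmin;
  return { before, leaked, query };
}

function demonstrateSafe() {
  const query = mergeSafe({ owner: 'ville' }, HOSTILE_BODY);
  return { query, leaked: {}.isAdmin, ownKeys: Object.keys(query) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrateNaive());  // leaked: true
  console.log(demonstrateSafe());   // leaked: undefined, ownKeys: [ 'owner', 'status' ]
}
```

Note what the naive result looks like from inside the application: the merged query reports `query.isAdmin === true` even though the code never set it, and so does every other object, which is why an authorization check written as `if (user.isAdmin)` becomes exploitable by an unrelated request.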

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution: 3.2.2, 4.0.1, 5.0.5


CVE-2020-26245 (High) detected in systeminformation-4.27.10.tgz

CVE-2020-26245 - High Severity Vulnerability

Vulnerable Library - systeminformation-4.27.10.tgz

Simple system and OS information library

Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-4.27.10.tgz

Path to dependency file: Homepages/backend/package.json

Path to vulnerable library: Homepages/backend/node_modules/systeminformation/package.json

Dependency Hierarchy:

  • pm2-4.5.0.tgz (Root Library)
    • โŒ systeminformation-4.27.10.tgz (Vulnerable Library)

Found in HEAD commit: 80166356aa0e030e23cc42ba905dcf7ff5580aa3

Found in base branch: development

Vulnerability Details

npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of the shell sanitization to avoid prototype pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().

Publish Date: 2020-11-27

URL: CVE-2020-26245

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4v2w-h9jm-mqjg

Release Date: 2020-11-27

Fix Resolution: v4.30.5


CVE-2020-28168 (Medium) detected in axios-0.19.2.tgz

CVE-2020-28168 - Medium Severity Vulnerability

Vulnerable Library - axios-0.19.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz

Path to dependency file: Homepages/package.json

Path to vulnerable library: Homepages/node_modules/axios/package.json

Dependency Hierarchy:

  • pm2-4.5.0.tgz (Root Library)
    • js-api-0.6.0.tgz
      • โŒ axios-0.19.2.tgz (Vulnerable Library)

Found in HEAD commit: 48e05250483e35ea455ba9f67502dcf796bd30d0

Found in base branch: development

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: axios/axios@c7329fe

Release Date: 2020-11-06

Fix Resolution: axios - 0.21.1

