wistex / raconteur

4.0 1.0 0.0 108.02 MB

Build your own website, community, and audience without giving up control. A fediverse server designed for content creators compatible with ActivityPub, Zot, Nomad, and OpenWebAuth.

License: MIT License

Shell 1.21% PHP 66.30% JavaScript 18.09% Makefile 0.01% HTML 5.67% CSS 2.30% Less 0.16% Gherkin 0.01% Clojure 0.02% Python 0.23% Smarty 5.99%
activitypub activitypub-server nomad-protocol openwebauth streams zot

raconteur's Introduction

Raconteur

Raconteur: "a person who is skilled in relating stories and anecdotes interestingly."

Build your own website, community, and audience without giving up control. An open source fediverse server designed for content and community websites.

Content & Community Fediverse Server

Raconteur, also known as WisTex Raconteur, is a soft fork of Streams, an open source fediverse server with a long history of innovation. The core fediverse functionality of Raconteur comes from Streams, and this project is kept in sync with the Streams repository (one way only).

This fork is specifically modified to cater to content creators and those that want to create a community around content.

Compatible with ActivityPub, Zot6, Nomad, and OpenWebAuth (Magic Sign-On).

Current Status

We just created this repository, and at this point, it is mostly just Streams. We will be adding new themes, addons, and widgets to it soon.

Project

We are still setting everything up, but for the time being, here is the relevant information:

Federation

Communications Protocols

  • ActivityPub - works with Streams, Mastodon, PeerTube, Pixelfed, WisTex Catalyst, and many other platforms.
  • Nomad - works with Streams, WisTex Catalyst, and others.
  • Zot6 - works with Hubzilla.

Federated Single Sign-On

  • OpenWebAuth - works with Streams, Hubzilla, WisTex Catalyst, and others.

Credits

The base fediverse functionality of Raconteur comes from Streams, which can be found at: https://codeberg.org/streams/streams

Check the licenses folder for additional projects, such as Bootstrap and Neuhub, that were used to build Raconteur.

License

This project is licensed under the MIT License (Expat Version). See the LICENSE file for the full text of the license.

Copyright © 2023 WisTex TechSero Ltd. Co. All rights reserved. Usage subject to license terms.

The above copyright notice and the MIT License permission notice shall be included in all copies or substantial portions of the Software.

raconteur's People

Contributors

abinoam, anaqreon, annando, beardyunixer, catoth, cvogeley, dawnbreak, dentm42, duthied, einervonvielen, fabrixxm, friendika, git-marijus, haakonme, habeascodice, macgirvin, micmee, mrjive, oohlaf, phellmes, philip-wittamore, redmatrix, socialatm, solstag, tobiasd, tomtom84, treer, wistex, xm74, zzottel

raconteur's Issues

jquery-1.4.2.js: 3 vulnerabilities (highest severity is: 6.1) - autoclosed

Vulnerable Library - jquery-1.4.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.js

Path to dependency file: /library/jquery.i18n/examples/index.html

Path to vulnerable library: /library/jquery.i18n/examples/jquery-1.4.2.js,/library/jquery.i18n/examples/jquery-1.4.2.js

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jquery version) Remediation Possible**
CVE-2020-7656 Medium 6.1 jquery-1.4.2.js Direct jquery - 1.9.0
CVE-2012-6708 Medium 6.1 jquery-1.4.2.js Direct jQuery - v1.9.0
CVE-2011-4969 Low 3.7 jquery-1.4.2.js Direct 1.6.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-7656

Dependency Hierarchy:

  • jquery-1.4.2.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags whose closing tag contains a whitespace character, e.g. "</script >", which results in the enclosed script logic being executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

Step up your Open Source Security Game with Mend here

CVE-2012-6708

Dependency Hierarchy:

  • jquery-1.4.2.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

CVE-2011-4969

Dependency Hierarchy:

  • jquery-1.4.2.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969

Release Date: 2013-03-08

Fix Resolution: 1.6.3

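
The two findings above that set this issue's severity (CVE-2012-6708 and CVE-2020-7656) both come down to how jQuery 1.x classified and filtered strings with regular expressions. Note first that the report places this copy under /library/jquery.i18n/examples/, so the practical question for a deployment is whether that example page is served at all and whether any shipped page loads it. What follows is an added example, not code from jQuery, Streams or Raconteur: it reproduces the relevant regexes from jQuery 1.4.2 and 1.9.0 in Node.js and runs them over inputs constructed for the demonstration, so the difference between the vulnerable and fixed behaviour can be seen directly.

```javascript
// Added example, not code from jQuery, Streams or Raconteur: the regular
// expressions behind CVE-2012-6708 and CVE-2020-7656, copied from jQuery
// 1.4.2 and 1.9.0, run on constructed inputs.

// CVE-2012-6708: how jQuery(str) decided whether str is HTML or a selector.
// jQuery 1.4.2: a '<' anywhere in the string makes the whole string HTML.
const quickExpr142 = /^[^<]*(<[\w\W]+>)[^>]*$|^#([\w-]+)$/;
// jQuery 1.9.0: only strings that begin with '<' are handed to the HTML parser.
const rquickExpr190 = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// True when the given version would parse `input` as HTML (capture group 1),
// false when it would treat it as a selector or id.
function parsedAsHtml(quickExpr, input) {
  const m = quickExpr.exec(input);
  return Boolean(m && m[1]);
}

// CVE-2020-7656: jQuery 1.4.2's load() removed <script> blocks from the
// fetched document with this regex before inserting the result into the page.
const rscript142 = /<script(.|\s)*?\/script>/gi;

// The markup jQuery 1.4.2's load() would insert for a given response body.
function loadStrip142(responseText) {
  return responseText.replace(rscript142, '');
}

// Does a <script opening tag survive the stripping?
function scriptSurvives(markup) {
  return /<script\b/i.test(markup);
}

function demoJquery1x() {
  // A value an attacker can often influence, e.g. location.hash passed to
  // jQuery(): the selector prefix is legitimate, the tail is injected markup.
  const tainted = '#main<img src=x onerror=alert(1)>';
  return {
    taintedIsHtml142: parsedAsHtml(quickExpr142, tainted),   // true
    taintedIsHtml190: parsedAsHtml(rquickExpr190, tainted),  // false
    plainSelector142: parsedAsHtml(quickExpr142, '#main'),   // false
    realHtml190: parsedAsHtml(rquickExpr190, '<p>hi</p>'),   // true
    // Well-formed closing tag: removed as intended.
    normalStripped: !scriptSurvives(loadStrip142('<p>x</p><script>alert(1)</script>')),
    // Whitespace inside the closing tag: the regex never matches and the
    // script block is inserted untouched.
    spacedSurvives: scriptSurvives(loadStrip142('<p>x</p><script>alert(1)</script >')),
  };
}

// jQuery 1.9.0 stopped regex-stripping in load(): the response is parsed with
// jQuery.parseHTML() and the resulting <script> nodes are removed, so whatever
// the browser's parser accepts as a script element is what gets dropped.
```

Run it with node; demoJquery1x() returns the six booleans noted in the comments. The lesson that outlives jQuery 1.x is the last comment: a regex over serialized HTML never agrees with the browser's parser on every input, so filtering has to happen on parsed nodes, not on the string.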
forkawesome/fork-awesome-1.2: 1 vulnerability (highest severity is: 3.7)

Vulnerable Library - forkawesome/fork-awesome-1.2

A fork of the iconic font and CSS framework

Library home page: https://api.github.com/repos/ForkAwesome/Fork-Awesome/zipball/1e3849530d0266ece3a883649e1398414b92241d

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (forkawesome/fork-awesome version) Remediation Possible**
CVE-2012-6550 Low 3.7 forkawesome/fork-awesome-1.2 Direct zeroclipboard - 1.2.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2012-6550

Dependency Hierarchy:

  • forkawesome/fork-awesome-1.2 (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

Cross-site scripting (XSS) vulnerability in ZeroClipboard before 1.1.4 allows remote attackers to inject arbitrary web script or HTML via "the clipText returned from the flash object," a different vulnerability than CVE-2013-1808.

Publish Date: 2013-04-02

URL: CVE-2012-6550

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6550

Release Date: 2013-03-28

Fix Resolution: zeroclipboard - 1.2.2

phpseclib/phpseclib-2.0.41: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - phpseclib/phpseclib-2.0.41

PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc.

Library home page: https://api.github.com/repos/phpseclib/phpseclib/zipball/7e763c6f97ec1fcb37c46aa8ecfc20a2c71d9c1b

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (phpseclib/phpseclib version) Remediation Possible**
CVE-2024-27354 High 7.5 phpseclib/phpseclib-2.0.41 Direct 1.0.23,2.0.47,3.0.36
CVE-2024-27355 Medium 6.5 phpseclib/phpseclib-2.0.41 Direct 1.0.23,2.0.47,3.0.36

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-27354

Dependency Hierarchy:

  • phpseclib/phpseclib-2.0.41 (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service (CPU consumption for an isPrime primality check). NOTE: this issue was introduced when attempting to fix CVE-2023-27560.

Publish Date: 2024-03-01

URL: CVE-2024-27354

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-27354

Release Date: 2024-03-01

Fix Resolution: 1.0.23,2.0.47,3.0.36

CVE-2024-27355

Dependency Hierarchy:

  • phpseclib/phpseclib-2.0.41 (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).

Publish Date: 2024-03-01

URL: CVE-2024-27355

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-27355

Release Date: 2024-03-01

Fix Resolution: 1.0.23,2.0.47,3.0.36

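
Both phpseclib findings are denial-of-service conditions in X.509 parsing, where attacker-controlled input (a certificate's OID sub-identifiers for CVE-2024-27355, an oversized candidate prime for CVE-2024-27354) drives unbounded big-integer work on a server that parses keys or certificates it did not produce. The defensive shape of the fix is the same in both cases: bound the size of the input before arithmetic on it begins. The following is an added example, not phpseclib's, Streams' or Raconteur's code, written in JavaScript with BigInt so it runs offline: a DER OBJECT IDENTIFIER content decoder that rejects any sub-identifier longer than a fixed number of bytes. The limit MAX_ARC_BYTES and the sample encodings in demoOid() are assumptions made for the demonstration.

```javascript
// Added example, not phpseclib's, Streams' or Raconteur's code: a DER OBJECT
// IDENTIFIER content decoder with a per-sub-identifier size bound, the kind of
// check CVE-2024-27355 calls for. MAX_ARC_BYTES and the inputs in demoOid()
// are assumptions made for this demonstration.

// 10 base-128 bytes carry 70 bits, more than any legitimate arc needs.
const MAX_ARC_BYTES = 10;

// Decodes the content octets of a DER OID (tag and length already removed)
// into dotted form. Each arc is a big-endian base-128 number whose
// continuation bytes have the high bit set; the first encoded arc packs the
// first two components as 40 * x + y.
function decodeOID(bytes, maxArcBytes = MAX_ARC_BYTES) {
  const arcs = [];
  let value = 0n;
  let width = 0;
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i];
    width += 1;
    if (width > maxArcBytes) {
      // Reject before more BigInt work is spent on this arc: a long run of
      // 0x80 bytes must not turn into ever-growing big-number arithmetic.
      throw new RangeError(
        `OID sub-identifier longer than ${maxArcBytes} bytes at offset ${i}`);
    }
    value = (value << 7n) | BigInt(b & 0x7f);
    if (b & 0x80) continue; // more bytes follow for this arc
    if (arcs.length === 0) {
      // Split the combined first arc back into its two components.
      const first = value < 80n ? value / 40n : 2n;
      arcs.push(first, value - first * 40n);
    } else {
      arcs.push(value);
    }
    value = 0n;
    width = 0;
  }
  if (width !== 0) throw new RangeError('truncated OID: unterminated sub-identifier');
  if (arcs.length === 0) throw new RangeError('empty OID');
  return arcs.join('.');
}

function demoOid() {
  // rsaEncryption, 1.2.840.113549.1.1.1, as it appears in an X.509 certificate.
  const rsaEncryption = Uint8Array.from([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01]);
  // Hostile: a single sub-identifier spread over 100 KiB of continuation bytes.
  const hostile = new Uint8Array(100 * 1024).fill(0x80);
  hostile[0] = 0x2a;
  hostile[hostile.length - 1] = 0x01;
  let rejected = null;
  try {
    decodeOID(hostile);
  } catch (e) {
    rejected = e.message;
  }
  return { rsa: decodeOID(rsaEncryption), rejected };
}
```

demoOid() returns the decoded rsaEncryption OID and the rejection message for the hostile encoding. The bound is checked per byte, before the shift-and-or, so the cost of a hostile arc is capped at maxArcBytes operations regardless of how many continuation bytes follow; the same principle (refuse oversized operands before the expensive routine, here a primality test, runs) is what CVE-2024-27354's fix amounts to.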
jquery-3.3.1.min.js: 4 vulnerabilities (highest severity is: 6.1) - autoclosed

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to dependency file: /library/jgrowl/examples/bootstrap.html

Path to vulnerable library: /library/jgrowl/examples/bootstrap.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jquery version) Remediation Possible**
CVE-2020-23064 Medium 6.1 jquery-3.3.1.min.js Direct jquery - 3.5.0
CVE-2020-11023 Medium 6.1 jquery-3.3.1.min.js Direct jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2020-11022 Medium 6.1 jquery-3.3.1.min.js Direct jQuery - 3.5.0
CVE-2019-11358 Medium 6.1 jquery-3.3.1.min.js Direct jquery - 3.4.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-23064

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.

Publish Date: 2023-06-26

URL: CVE-2020-23064

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2023-06-26

Fix Resolution: jquery - 3.5.0

CVE-2020-11023

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-11358

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

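
CVE-2020-11022 and CVE-2020-11023 are the same defect seen through two elements: before 3.5.0, jQuery.htmlPrefilter rewrote self-closing tags such as "<style/>" into "<style></style>" before the markup reached the browser, so markup a sanitizer had judged inert could gain a live element after the rewrite. As with the jquery-1.4.2 copy, the report places this file under an examples directory (/library/jgrowl/examples/), so whether that page is reachable is the first thing to check. The block below is an added example, not jQuery's, Streams' or Raconteur's code: it reproduces the pre-3.5.0 regex and prefilter, compares them with the 3.5.0 identity prefilter, and runs a toy sanitizer (constructed for the demonstration, not a real one) over the classic payload.

```javascript
// Added example, not jQuery's, Streams' or Raconteur's code: the
// htmlPrefilter rewrite behind CVE-2020-11022/11023. The regex is copied from
// jQuery 3.x before 3.5.0; the payload and the toy sanitizer are constructed
// for this demonstration.

// Before 3.5.0 jQuery expanded self-closing tags (other than the listed void
// elements) into an explicit open/close pair: "<b/>" became "<b></b>".
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function htmlPrefilterBefore350(html) {
  return html.replace(rxhtmlTag, '<$1></$2>');
}

// jQuery 3.5.0 made htmlPrefilter the identity function.
function htmlPrefilter350(html) {
  return html;
}

// Stand-in for the "sanitized it first" step: models the one HTML-parser rule
// that matters here, that everything after <style> up to </style> (or the end
// of input) is raw text, and accepts the markup only if no <img> element is
// left outside such a block.
function noImgOutsideStyle(html) {
  const withoutRawText = html.replace(/<style\b[^>]*>[\s\S]*?(?:<\/style\s*>|$)/gi, '');
  return !/<img\b/i.test(withoutRawText);
}

function demoPrefilter() {
  // The classic CVE-2020-11022 probe: the <img> is raw text inside <style>,
  // and the inner "<style/>" is the seed for the rewrite.
  const payload = '<style><style/><img src=x onerror=alert(1)>';
  const before = htmlPrefilterBefore350(payload);
  const after = htmlPrefilter350(payload);
  return {
    sanitizerAcceptsPayload: noImgOutsideStyle(payload), // true: img is inert text
    rewrittenBefore350: before, // '<style><style></style><img src=x onerror=alert(1)>'
    imgLiveBefore350: !noImgOutsideStyle(before), // true: the </style> closes raw text
    imgLive350: !noImgOutsideStyle(after),        // false: markup passed through as-is
  };
}
```

demoPrefilter() shows the whole chain in one object: the sanitizer accepts the payload, the pre-3.5.0 prefilter inserts a "</style>" that the sanitizer never saw, and the 3.5.0 prefilter leaves the string alone. For CVE-2020-11023 the same rewrite acts on "<option/>" inside a select; the mechanism is identical. The general point for any code that sanitizes HTML: the string checked must be byte-for-byte the string the browser parses, with no rewriting step in between.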
jquery-1.3.2.min.js: 5 vulnerabilities (highest severity is: 6.1) - autoclosed

Vulnerable Library - jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to vulnerable library: /library/jquery_ac/jquery-1.3.2.min.js

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jquery version) Remediation Possible**
CVE-2020-7656 Medium 6.1 jquery-1.3.2.min.js Direct jquery - 1.9.0
CVE-2019-11358 Medium 6.1 jquery-1.3.2.min.js Direct jquery - 3.4.0
CVE-2015-9251 Medium 6.1 jquery-1.3.2.min.js Direct jQuery - 3.0.0
CVE-2012-6708 Medium 6.1 jquery-1.3.2.min.js Direct jQuery - v1.9.0
CVE-2011-4969 Low 3.7 jquery-1.3.2.min.js Direct 1.6.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-7656

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags whose closing tag contains a whitespace character, e.g. "</script >", which results in the enclosed script logic being executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

CVE-2019-11358

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

CVE-2015-9251

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

CVE-2012-6708

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

CVE-2011-4969

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969

Release Date: 2013-03-08

Fix Resolution: 1.6.3

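
CVE-2019-11358, listed against both this jquery-1.3.2.min.js copy and the jquery-3.3.1.min.js copy above, is prototype pollution through jQuery.extend(true, ...): a deep merge that walks an untrusted object's keys reaches Object.prototype when it meets an own property named __proto__. Unlike the other jQuery copies in these reports, this one sits at /library/jquery_ac/ rather than under an examples directory, which matters when deciding how urgent the finding is. The following is an added example, not jQuery's, Streams' or Raconteur's code: a condensed deep extend in the style of jQuery's, with jQuery 3.4.0's guard (skip the "__proto__" key) switchable so the vulnerable and fixed behaviour can be compared on a JSON document constructed for the demonstration.

```javascript
// Added example, not jQuery's, Streams' or Raconteur's code: a condensed deep
// extend in the style of jQuery.extend(true, target, source) before 3.4.0,
// with the 3.4.0 guard switchable, run on a JSON document constructed for
// this demonstration.

// jQuery's notion of a plain object: an Object-tagged value whose prototype is
// Object.prototype or null. Object.prototype itself passes this test, which is
// what lets the merge below write into it.
function isPlainObjectLikeJQuery(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  if (Object.prototype.toString.call(obj) !== '[object Object]') return false;
  const proto = Object.getPrototypeOf(obj);
  return proto === null || proto === Object.prototype;
}

// Deep-merges `source` into `target`. With guardProto=false this follows the
// pre-3.4.0 logic: an own key named "__proto__" reads target.__proto__
// (Object.prototype), treats it as a plain object to merge into, and so
// pollutes every object in the realm. With guardProto=true it applies the
// 3.4.0 fix: skip "__proto__" (and self-references).
function deepExtend(target, source, guardProto) {
  for (const name in source) {
    const src = target[name];
    const copy = source[name];
    if (guardProto && (name === '__proto__' || target === copy)) continue;
    if (isPlainObjectLikeJQuery(copy)) {
      const clone = isPlainObjectLikeJQuery(src) ? src : {};
      target[name] = deepExtend(clone, copy, guardProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

function demoExtend() {
  // JSON.parse creates an own, enumerable property literally named "__proto__",
  // which for..in visits; in the typical case an attacker controls this body.
  const untrusted = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');
  const cleanBefore = ({}).isAdmin === undefined;
  const merged = deepExtend({}, untrusted, false);
  const polluted = merged.theme === 'dark' && ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the demonstration's global side effect
  const mergedSafe = deepExtend({}, untrusted, true);
  const cleanAfterFix = mergedSafe.theme === 'dark' && ({}).isAdmin === undefined;
  return { cleanBefore, polluted, cleanAfterFix };
}
```

demoExtend() returns three booleans, all true when the vulnerable path pollutes and the guarded path does not. Two details carry the lesson: JSON.parse produces a real own property named "__proto__" (an object literal in source code would not), and the merge reaches the shared prototype only because target["__proto__"] is a getter that hands back Object.prototype. Any hand-written deep merge over untrusted JSON needs the same key check, or should copy only Object.keys() of the source.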
bootstrap-3.0.0.min.js: 6 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - bootstrap-3.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.0/js/bootstrap.min.js

Path to dependency file: /vendor/forkawesome/fork-awesome/src/doc/test/glyphicons.html

Path to vulnerable library: /vendor/forkawesome/fork-awesome/src/doc/test/glyphicons.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (bootstrap version) Remediation Possible**
CVE-2019-8331 Medium 6.1 bootstrap-3.0.0.min.js Direct bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
CVE-2018-20677 Medium 6.1 bootstrap-3.0.0.min.js Direct Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
CVE-2018-20676 Medium 6.1 bootstrap-3.0.0.min.js Direct bootstrap - 3.4.0
CVE-2018-14042 Medium 6.1 bootstrap-3.0.0.min.js Direct org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2016-10735 Medium 6.1 bootstrap-3.0.0.min.js Direct bootstrap - 3.4.0, 4.0.0-beta.2
CVE-2018-14040 Low 3.7 bootstrap-3.0.0.min.js Direct org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-8331

Dependency Hierarchy:

  • bootstrap-3.0.0.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

CVE-2018-20677

Dependency Hierarchy:

  • bootstrap-3.0.0.min.js (Vulnerable Library)

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

CVE-2018-20676

Vulnerable Library - bootstrap-3.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.0/js/bootstrap.min.js

Path to dependency file: /vendor/forkawesome/fork-awesome/src/doc/test/glyphicons.html

Path to vulnerable library: /vendor/forkawesome/fork-awesome/src/doc/test/glyphicons.html

Dependency Hierarchy:

  • bootstrap-3.0.0.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

CVE-2018-14042

Vulnerable Library - bootstrap-3.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.0/js/bootstrap.min.js

Path to dependency file: /vendor/forkawesome/fork-awesome/src/doc/test/glyphicons.html

Path to vulnerable library: /vendor/forkawesome/fork-awesome/src/doc/test/glyphicons.html

Dependency Hierarchy:

  • bootstrap-3.0.0.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

CVE-2016-10735

Vulnerable Library - bootstrap-3.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.0/js/bootstrap.min.js

Path to dependency file: /vendor/forkawesome/fork-awesome/src/doc/test/glyphicons.html

Path to vulnerable library: /vendor/forkawesome/fork-awesome/src/doc/test/glyphicons.html

Dependency Hierarchy:

  • bootstrap-3.0.0.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2

CVE-2018-14040

Vulnerable Library - bootstrap-3.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.0/js/bootstrap.min.js

Path to dependency file: /vendor/forkawesome/fork-awesome/src/doc/test/glyphicons.html

Path to vulnerable library: /vendor/forkawesome/fork-awesome/src/doc/test/glyphicons.html

Dependency Hierarchy:

  • bootstrap-3.0.0.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

blueimp/jquery-file-upload-v10.32.0: 1 vulnerability (highest severity is: 9.8)

Vulnerable Library - blueimp/jquery-file-upload-v10.32.0

File Upload widget for jQuery.

Library home page: https://api.github.com/repos/vkhramtsov/jQuery-File-Upload/zipball/20f6c4a07a6fbff22d79228c893eb1746d2d8962

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (blueimp/jquery-file-upload-v10.32.0 version) Remediation Possible**
CVE-2018-9206 Critical 9.8 blueimp/jquery-file-upload-v10.32.0 Direct 9.22.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-9206

Vulnerable Library - blueimp/jquery-file-upload-v10.32.0

File Upload widget for jQuery.

Library home page: https://api.github.com/repos/vkhramtsov/jQuery-File-Upload/zipball/20f6c4a07a6fbff22d79228c893eb1746d2d8962

Dependency Hierarchy:

  • blueimp/jquery-file-upload-v10.32.0 (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

Publish Date: 2018-10-11

URL: CVE-2018-9206

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9206

Release Date: 2018-10-11

Fix Resolution: 9.22.1

bootstrap-3.3.7.min.js: 6 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /library/jgrowl/examples/bootstrap.html

Path to vulnerable library: /library/jgrowl/examples/bootstrap.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (bootstrap version) Remediation Possible**
CVE-2019-8331 Medium 6.1 bootstrap-3.3.7.min.js Direct bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
CVE-2018-20677 Medium 6.1 bootstrap-3.3.7.min.js Direct Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
CVE-2018-20676 Medium 6.1 bootstrap-3.3.7.min.js Direct bootstrap - 3.4.0
CVE-2018-14042 Medium 6.1 bootstrap-3.3.7.min.js Direct org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2016-10735 Medium 6.1 bootstrap-3.3.7.min.js Direct bootstrap - 3.4.0, 4.0.0-beta.2
CVE-2018-14040 Low 3.7 bootstrap-3.3.7.min.js Direct org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-8331

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /library/jgrowl/examples/bootstrap.html

Path to vulnerable library: /library/jgrowl/examples/bootstrap.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

CVE-2018-20677

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /library/jgrowl/examples/bootstrap.html

Path to vulnerable library: /library/jgrowl/examples/bootstrap.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

CVE-2018-20676

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /library/jgrowl/examples/bootstrap.html

Path to vulnerable library: /library/jgrowl/examples/bootstrap.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

CVE-2018-14042

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /library/jgrowl/examples/bootstrap.html

Path to vulnerable library: /library/jgrowl/examples/bootstrap.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

CVE-2016-10735

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /library/jgrowl/examples/bootstrap.html

Path to vulnerable library: /library/jgrowl/examples/bootstrap.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2

CVE-2018-14040

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /library/jgrowl/examples/bootstrap.html

Path to vulnerable library: /library/jgrowl/examples/bootstrap.html

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

smarty/smarty-v4.3.0: 1 vulnerability (highest severity is: 6.1)

Vulnerable Library - smarty/smarty-v4.3.0

Smarty - the compiling PHP template engine

Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/c02e9e135ea719b91f457a0072748ded0e852e7d

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (smarty/smarty-v4.3.0 version) Remediation Possible**
CVE-2023-28447 Medium 6.1 smarty/smarty-v4.3.0 Direct v3.1.48,v4.3.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-28447

Vulnerable Library - smarty/smarty-v4.3.0

Smarty - the compiling PHP template engine

Library home page: https://api.github.com/repos/smarty-php/smarty/zipball/c02e9e135ea719b91f457a0072748ded0e852e7d

Dependency Hierarchy:

  • smarty/smarty-v4.3.0 (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

Publish Date: 2023-03-28

URL: CVE-2023-28447

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-7j98-h7fp-4vwj

Release Date: 2023-03-28

Fix Resolution: v3.1.48,v4.3.1

jquery-3.1.1.slim.min.js: 2 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-3.1.1.slim.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.slim.min.js

Path to dependency file: /library/cropperjs/examples/cropper-in-modal.html

Path to vulnerable library: /library/cropperjs/examples/cropper-in-modal.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jquery version) Remediation Possible**
CVE-2020-11023 Medium 6.1 jquery-3.1.1.slim.min.js Direct jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2019-11358 Medium 6.1 jquery-3.1.1.slim.min.js Direct jquery - 3.4.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11023

Vulnerable Library - jquery-3.1.1.slim.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.slim.min.js

Path to dependency file: /library/cropperjs/examples/cropper-in-modal.html

Path to vulnerable library: /library/cropperjs/examples/cropper-in-modal.html

Dependency Hierarchy:

  • jquery-3.1.1.slim.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2019-11358

Vulnerable Library - jquery-3.1.1.slim.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.slim.min.js

Path to dependency file: /library/cropperjs/examples/cropper-in-modal.html

Path to vulnerable library: /library/cropperjs/examples/cropper-in-modal.html

Dependency Hierarchy:

  • jquery-3.1.1.slim.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

mocha-7.1.1.js: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - mocha-7.1.1.js

simple, flexible, fun test framework

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mocha/7.1.1/mocha.js

Path to dependency file: /vendor/blueimp/jquery-file-upload/test/index.html

Path to vulnerable library: /vendor/blueimp/jquery-file-upload/test/vendor/mocha.js,/vendor/blueimp/jquery-file-upload/test/vendor/mocha.js

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (mocha version) Remediation Possible**
WS-2021-0638 High 7.5 mocha-7.1.1.js Direct mocha - 10.1.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2021-0638

Vulnerable Library - mocha-7.1.1.js

simple, flexible, fun test framework

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mocha/7.1.1/mocha.js

Path to dependency file: /vendor/blueimp/jquery-file-upload/test/index.html

Path to vulnerable library: /vendor/blueimp/jquery-file-upload/test/vendor/mocha.js,/vendor/blueimp/jquery-file-upload/test/vendor/mocha.js

Dependency Hierarchy:

  • mocha-7.1.1.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

There is a Regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows an attacker to cause a denial of service when a crafted, invalid function definition is stripped from strings.

Publish Date: 2021-09-18

URL: WS-2021-0638

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-18

Fix Resolution: mocha - 10.1.0

jquery-1.7.1.min.js: 5 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to vulnerable library: /library/epub-meta/assets/js/jquery-1.7.1.min.js

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jquery version) Remediation Possible**
CVE-2020-7656 Medium 6.1 jquery-1.7.1.min.js Direct jquery - 1.9.0
CVE-2020-11023 Medium 6.1 jquery-1.7.1.min.js Direct jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2020-11022 Medium 6.1 jquery-1.7.1.min.js Direct jQuery - 3.5.0
CVE-2015-9251 Medium 6.1 jquery-1.7.1.min.js Direct jQuery - 3.0.0
CVE-2012-6708 Medium 6.1 jquery-1.7.1.min.js Direct jQuery - v1.9.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-7656

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to vulnerable library: /library/epub-meta/assets/js/jquery-1.7.1.min.js

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

CVE-2020-11023

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to vulnerable library: /library/epub-meta/assets/js/jquery-1.7.1.min.js

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to vulnerable library: /library/epub-meta/assets/js/jquery-1.7.1.min.js

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2015-9251

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to vulnerable library: /library/epub-meta/assets/js/jquery-1.7.1.min.js

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

CVE-2012-6708

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to vulnerable library: /library/epub-meta/assets/js/jquery-1.7.1.min.js

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

jquery-3.4.1.min.js: 3 vulnerabilities (highest severity is: 6.1) - autoclosed

Vulnerable Library - jquery-3.4.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js

Path to vulnerable library: /view/js/jquery.js

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jquery version) Remediation Possible**
CVE-2020-23064 Medium 6.1 jquery-3.4.1.min.js Direct jquery - 3.5.0
CVE-2020-11023 Medium 6.1 jquery-3.4.1.min.js Direct jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2020-11022 Medium 6.1 jquery-3.4.1.min.js Direct jQuery - 3.5.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-23064

Vulnerable Library - jquery-3.4.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js

Path to vulnerable library: /view/js/jquery.js

Dependency Hierarchy:

  • jquery-3.4.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <option> element.

Publish Date: 2023-06-26

URL: CVE-2020-23064

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2023-06-26

Fix Resolution: jquery - 3.5.0

CVE-2020-11023

Vulnerable Library - jquery-3.4.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js

Path to vulnerable library: /view/js/jquery.js

Dependency Hierarchy:

  • jquery-3.4.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-3.4.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js

Path to vulnerable library: /view/js/jquery.js

Dependency Hierarchy:

  • jquery-3.4.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

moment-2.13.0.min.js: 4 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - moment-2.13.0.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js

Path to vulnerable library: /library/moment/moment.min.js

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (moment version) Remediation Possible**
CVE-2022-31129 High 7.5 moment-2.13.0.min.js Direct moment - 2.29.4
CVE-2022-24785 High 7.5 moment-2.13.0.min.js Direct moment - 2.29.2
CVE-2017-18214 High 7.5 moment-2.13.0.min.js Direct moment - 2.19.3
WS-2016-0075 Medium 5.3 moment-2.13.0.min.js Direct moment - 2.15.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-31129

Vulnerable Library - moment-2.13.0.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js

Path to vulnerable library: /library/moment/moment.min.js

Dependency Hierarchy:

  • moment-2.13.0.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more specifically RFC 2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. A noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4

CVE-2022-24785

Vulnerable Library - moment-2.13.0.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js

Path to vulnerable library: /library/moment/moment.min.js

Dependency Hierarchy:

  • moment-2.13.0.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
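
The two interim mitigations named in the CVE-2022-31129 and CVE-2022-24785 entries above (cap the length of user-supplied date strings; sanitize a user-supplied locale name before it reaches moment) as an added example. This is not moment's code or Raconteur's: the parser is injected so the guard can sit in front of moment(), moment.utc() or, as in the default here, the Date constructor, and MAX_DATE_INPUT and SHIPPED_LOCALES are assumed values a deployment would choose for itself.

```javascript
// Added example, not moment's or Raconteur's code: the interim workarounds
// named in CVE-2022-31129 (bound the input length) and CVE-2022-24785
// (sanitize the locale name) for a deployment still on moment < 2.29.4.

// Assumed bound: legitimate ISO 8601 and RFC 2822 timestamps are far shorter
// than this, while the quadratic rfc2822 path needs thousands of characters
// before the slowdown is felt.
const MAX_DATE_INPUT = 64;

// Gate a user-supplied string before it reaches the parser. `parse` is the
// function you would otherwise call directly (moment, moment.utc, ...); the
// default uses the Date constructor so this file runs without moment.
function parseUserDate(input, parse = (s) => new Date(s)) {
  if (typeof input !== 'string') return null;
  const s = input.trim();
  if (s.length === 0 || s.length > MAX_DATE_INPUT) return null;
  const d = parse(s);
  // Both Date and moment objects yield NaN from valueOf() when invalid.
  return d && Number.isFinite(Number(d)) ? d : null;
}

// On the server, moment.locale(name) resolved "./locale/<name>", so a name
// carrying path segments could reach files outside that directory. Accept
// only a BCP 47-shaped tag that is on the deployment's own list.
const SHIPPED_LOCALES = new Set(['en', 'en-gb', 'de', 'fr', 'es', 'pt-br']); // constructed list
const LOCALE_TAG = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/i;

function sanitizeLocale(name, fallback = 'en') {
  if (typeof name !== 'string' || !LOCALE_TAG.test(name)) return fallback;
  const tag = name.toLowerCase();
  return SHIPPED_LOCALES.has(tag) ? tag : fallback;
}

// Apply both guards to a request's query values (constructed shape: a
// "when" timestamp and a "locale" tag supplied by the client).
function handleRequest(query) {
  return {
    when: parseUserDate(query.when),
    locale: sanitizeLocale(query.locale),
  };
}
```

The length check has to happen before the call, not inside a timeout around it: the quadratic work is synchronous and a single 20,000-character RFC 2822 lookalike ties up the event loop until it finishes. The locale allow-list is deliberately stricter than the upstream fix (which only normalises the name) because it also stops a client from switching the process to a locale the site never intended to render.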

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution: moment - 2.29.2

CVE-2017-18214

Vulnerable Library - moment-2.13.0.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js

Path to vulnerable library: /library/moment/moment.min.js

Dependency Hierarchy:

  • moment-2.13.0.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-446m-mv8f-q348

Release Date: 2018-03-04

Fix Resolution: moment - 2.19.3

WS-2016-0075

Vulnerable Library - moment-2.13.0.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.min.js

Path to vulnerable library: /library/moment/moment.min.js

Dependency Hierarchy:

  • moment-2.13.0.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

Regular expression denial of service vulnerability in the moment package, by using a specific 40 characters long string in the "format" method.

Publish Date: 2016-10-24

URL: WS-2016-0075

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2016-10-24

Fix Resolution: moment - 2.15.2

jquery-3.2.1.slim.min.js: 2 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-3.2.1.slim.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.slim.min.js

Path to dependency file: /library/cropperjs/docs/index.html

Path to vulnerable library: /library/cropperjs/docs/index.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jquery version) Remediation Possible**
CVE-2020-11023 Medium 6.1 jquery-3.2.1.slim.min.js Direct jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2019-11358 Medium 6.1 jquery-3.2.1.slim.min.js Direct jquery - 3.4.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11023

Vulnerable Library - jquery-3.2.1.slim.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.slim.min.js

Path to dependency file: /library/cropperjs/docs/index.html

Path to vulnerable library: /library/cropperjs/docs/index.html

Dependency Hierarchy:

  • jquery-3.2.1.slim.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2019-11358

Vulnerable Library - jquery-3.2.1.slim.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.slim.min.js

Path to dependency file: /library/cropperjs/docs/index.html

Path to vulnerable library: /library/cropperjs/docs/index.html

Dependency Hierarchy:

  • jquery-3.2.1.slim.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
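
What the jQuery.extend(true, {}, ...) flaw in CVE-2019-11358 amounts to, as an added example that is not jQuery's code: a recursive merge written the way the pre-3.4.0 deep extend behaved, fed a constructed JSON body of the kind a settings endpoint might merge straight into defaults, beside a merge that applies the key check the 3.4.0 fix introduced. The fix skipped "__proto__"; "constructor" and "prototype" are skipped here as well, a general precaution that goes beyond the jQuery patch.

```javascript
// Added example, not jQuery's code: the deep-merge flaw behind CVE-2019-11358
// and the key check the 3.4.0 fix introduced, run on a constructed input.

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Pre-fix style: copy every enumerable key of src into dst, recursing into
// plain objects. When key is "__proto__", dst[key] resolves to
// Object.prototype itself, so the recursion writes into the global prototype.
function mergeNaive(dst, src) {
  for (const key in src) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      mergeNaive(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Fixed style: jQuery 3.4.0 skips "__proto__"; "constructor" and "prototype"
// are skipped here too. Only own keys are walked, and a nested target is
// created fresh unless dst already owns a plain object under that key.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) dst[key] = {};
      mergeSafe(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed attacker input: a JSON body of the kind a settings endpoint
// might merge into defaults. JSON.parse creates "__proto__" as an own,
// enumerable key, which is what makes the naive merge reachable.
const ATTACKER_JSON = '{"__proto__": {"polluted": true}, "theme": "dark"}';

// Run one merge, report whether a fresh object inherited the planted key,
// then remove it so the rest of the process is unaffected.
function demonstratePollution(merge) {
  merge({}, JSON.parse(ATTACKER_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

demonstratePollution(mergeNaive) returns true and demonstratePollution(mergeSafe) returns false. The planted key is harmless in this demonstration, but in a real application a polluted Object.prototype is read by every `if (options.isAdmin)` or `obj.hasOwnProperty` call that follows, which is why the fix belongs in the merge rather than in whichever caller happened to be reachable.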

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

bootstrap-4.0.0-alpha.6.min.js: 2 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - bootstrap-4.0.0-alpha.6.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0-alpha.6/js/bootstrap.min.js

Path to dependency file: /library/cropperjs/examples/cropper-in-modal.html

Path to vulnerable library: /library/cropperjs/examples/cropper-in-modal.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (bootstrap version) Remediation Possible**
CVE-2019-8331 Medium 6.1 bootstrap-4.0.0-alpha.6.min.js Direct bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
CVE-2016-10735 Medium 6.1 bootstrap-4.0.0-alpha.6.min.js Direct bootstrap - 3.4.0, 4.0.0-beta.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-8331

Vulnerable Library - bootstrap-4.0.0-alpha.6.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0-alpha.6/js/bootstrap.min.js

Path to dependency file: /library/cropperjs/examples/cropper-in-modal.html

Path to vulnerable library: /library/cropperjs/examples/cropper-in-modal.html

Dependency Hierarchy:

  • bootstrap-4.0.0-alpha.6.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

CVE-2016-10735

Vulnerable Library - bootstrap-4.0.0-alpha.6.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0-alpha.6/js/bootstrap.min.js

Path to dependency file: /library/cropperjs/examples/cropper-in-modal.html

Path to vulnerable library: /library/cropperjs/examples/cropper-in-modal.html

Dependency Hierarchy:

  • bootstrap-4.0.0-alpha.6.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2

jquery-1.4.2.min.js: 4 vulnerabilities (highest severity is: 6.1) - autoclosed

Vulnerable Library - jquery-1.4.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js

Path to dependency file: /library/jquery.AreYouSure/demo/are-you-sure-demo.html

Path to vulnerable library: /library/jquery.AreYouSure/demo/are-you-sure-demo.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jquery version) Remediation Possible**
CVE-2020-7656 Medium 6.1 jquery-1.4.2.min.js Direct jquery - 1.9.0
CVE-2015-9251 Medium 6.1 jquery-1.4.2.min.js Direct jQuery - 3.0.0
CVE-2012-6708 Medium 6.1 jquery-1.4.2.min.js Direct jQuery - v1.9.0
CVE-2011-4969 Low 3.7 jquery-1.4.2.min.js Direct 1.6.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-7656

Vulnerable Library - jquery-1.4.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js

Path to dependency file: /library/jquery.AreYouSure/demo/are-you-sure-demo.html

Path to vulnerable library: /library/jquery.AreYouSure/demo/are-you-sure-demo.html

Dependency Hierarchy:

  • jquery-1.4.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

CVE-2015-9251

Vulnerable Library - jquery-1.4.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js

Path to dependency file: /library/jquery.AreYouSure/demo/are-you-sure-demo.html

Path to vulnerable library: /library/jquery.AreYouSure/demo/are-you-sure-demo.html

Dependency Hierarchy:

  • jquery-1.4.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

CVE-2012-6708

Vulnerable Library - jquery-1.4.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js

Path to dependency file: /library/jquery.AreYouSure/demo/are-you-sure-demo.html

Path to vulnerable library: /library/jquery.AreYouSure/demo/are-you-sure-demo.html

Dependency Hierarchy:

  • jquery-1.4.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
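
The distinction the CVE-2012-6708 description draws (here and in the jquery-1.7.1 entry above) in working code, as an added example that is not part of Raconteur, Streams or jQuery: two classifiers reduced to exactly the rule each side of the 1.9.0 fix applied, a constructed set of inputs of the kind an attacker can append to a query or fragment value, and the check an application should do itself before handing untrusted text to jQuery(). The regexes are simplifications of the rule the text states, not jQuery's own expressions.

```javascript
// Added example, not jQuery's code: the HTML-vs-selector rule before and
// after jQuery 1.9.0, reduced to what the CVE-2012-6708 text states.

// Pre-1.9.0 rule: a '<...>' anywhere in the string makes it HTML.
function treatsAsHtmlPre19(input) {
  return /<[\s\S]+>/.test(input);
}

// 1.9.0+ rule: HTML only when the string begins with '<'.
function treatsAsHtml19(input) {
  return /^\s*<[\s\S]+>/.test(input);
}

// Constructed inputs: a class selector built as '.post-' + value, where the
// value comes from a query string or fragment the attacker controls.
const INPUTS = [
  '.post-42',
  '.post-<img src=x onerror=alert(1)>',
  '<img src=x onerror=alert(1)>',
];

// 'html' is the branch that creates elements (firing onerror and friends);
// 'selector' hands the string to the selector engine, which at worst throws.
function classify(inputs = INPUTS) {
  return inputs.map((s) => ({
    input: s,
    pre19: treatsAsHtmlPre19(s) ? 'html' : 'selector',
    v19: treatsAsHtml19(s) ? 'html' : 'selector',
  }));
}

// Application-side check that makes the library's rule irrelevant: accept
// only an identifier token for the user-controlled part of a selector.
function selectorToken(value) {
  return typeof value === 'string' && /^[\w-]+$/.test(value) ? value : null;
}

// Build the selector or refuse; never interpolate the raw value.
function postSelector(value) {
  const token = selectorToken(value);
  return token === null ? null : '.post-' + token;
}
```

classify() returns 'html' under both rules for the third input, which is why the upgrade alone is not a complete defence: when the attacker controls the beginning of the string, 1.9.0 still parses it as HTML, the "far less common" case the description refers to. The location.hash variant of the same problem is the separate CVE-2011-4969 entry below, fixed in 1.6.3; postSelector() closes both by refusing anything that is not a plain token.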

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

CVE-2011-4969

Vulnerable Library - jquery-1.4.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js

Path to dependency file: /library/jquery.AreYouSure/demo/are-you-sure-demo.html

Path to vulnerable library: /library/jquery.AreYouSure/demo/are-you-sure-demo.html

Dependency Hierarchy:

  • jquery-1.4.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969

Release Date: 2013-03-08

Fix Resolution: 1.6.3

ZeroClipboard-1.1.7.min.js: 1 vulnerabilities (highest severity is: 3.7)

Vulnerable Library - ZeroClipboard-1.1.7.min.js

The ZeroClipboard library provides an easy way to copy text to the clipboard using an invisible Adobe Flash movie and a JavaScript interface.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/zeroclipboard/1.1.7/ZeroClipboard.min.js

Path to vulnerable library: /vendor/forkawesome/fork-awesome/src/doc/assets/js/ZeroClipboard-1.1.7.min.js

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (ZeroClipboard version) Remediation Possible**
CVE-2012-6550 Low 3.7 ZeroClipboard-1.1.7.min.js Direct zeroclipboard - 1.2.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2012-6550

Vulnerable Library - ZeroClipboard-1.1.7.min.js

The ZeroClipboard library provides an easy way to copy text to the clipboard using an invisible Adobe Flash movie and a JavaScript interface.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/zeroclipboard/1.1.7/ZeroClipboard.min.js

Path to vulnerable library: /vendor/forkawesome/fork-awesome/src/doc/assets/js/ZeroClipboard-1.1.7.min.js

Dependency Hierarchy:

  • ZeroClipboard-1.1.7.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

Cross-site scripting (XSS) vulnerability in ZeroClipboard before 1.1.4 allows remote attackers to inject arbitrary web script or HTML via "the clipText returned from the flash object," a different vulnerability than CVE-2013-1808.
Mend Note: Converted from WS-2017-0139, on 2022-11-08.

Publish Date: 2013-04-02

URL: CVE-2012-6550

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6550

Release Date: 2013-03-28

Fix Resolution: zeroclipboard - 1.2.2

jquery-2.1.1.min.js: 4 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-2.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js

Path to dependency file: /library/jRange/demo/index.html

Path to vulnerable library: /library/jRange/demo/index.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE            | Severity | CVSS | Dependency          | Type   | Fixed in (jquery version)            | Remediation Possible**
---------------|----------|------|---------------------|--------|--------------------------------------|-----------------------
CVE-2020-11023 | Medium   | 6.1  | jquery-2.1.1.min.js | Direct | jquery - 3.5.0; jquery-rails - 4.4.0 |
CVE-2020-11022 | Medium   | 6.1  | jquery-2.1.1.min.js | Direct | jQuery - 3.5.0                       |
CVE-2019-11358 | Medium   | 6.1  | jquery-2.1.1.min.js | Direct | jquery - 3.4.0                       |
CVE-2015-9251  | Medium   | 6.1  | jquery-2.1.1.min.js | Direct | jQuery - 3.0.0                       |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11023

Vulnerable Library - jquery-2.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js

Path to dependency file: /library/jRange/demo/index.html

Path to vulnerable library: /library/jRange/demo/index.html

Dependency Hierarchy:

  • jquery-2.1.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-2.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js

Path to dependency file: /library/jRange/demo/index.html

Path to vulnerable library: /library/jRange/demo/index.html

Dependency Hierarchy:

  • jquery-2.1.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-11358

Vulnerable Library - jquery-2.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js

Path to dependency file: /library/jRange/demo/index.html

Path to vulnerable library: /library/jRange/demo/index.html

Dependency Hierarchy:

  • jquery-2.1.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

CVE-2015-9251

Vulnerable Library - jquery-2.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js

Path to dependency file: /library/jRange/demo/index.html

Path to vulnerable library: /library/jRange/demo/index.html

Dependency Hierarchy:

  • jquery-2.1.1.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

bootstrap-3.0.2.min.js: 6 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - bootstrap-3.0.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.2/js/bootstrap.min.js

Path to dependency file: /library/bootstrap-colorpicker/src/footer.html

Path to vulnerable library: /library/bootstrap-colorpicker/src/footer.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE            | Severity | CVSS | Dependency             | Type   | Fixed in (bootstrap version)                                                                                                                                                   | Remediation Possible**
---------------|----------|------|------------------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------
CVE-2019-8331  | Medium   | 6.1  | bootstrap-3.0.2.min.js | Direct | bootstrap - 3.4.1, 4.3.1; bootstrap-sass - 3.4.1, 4.3.1                                                                                                                        |
CVE-2018-20677 | Medium   | 6.1  | bootstrap-3.0.2.min.js | Direct | Bootstrap - v3.4.0; NorDroN.AngularTemplate - 0.1.6; Dynamic.NET.Express.ProjectTemplates - 0.8.0; dotnetng.template - 1.0.0.4; ZNxtApp.Core.Module.Theme - 1.0.9-Beta; JMeter - 5.0.0 |
CVE-2018-20676 | Medium   | 6.1  | bootstrap-3.0.2.min.js | Direct | bootstrap - 3.4.0                                                                                                                                                              |
CVE-2018-14042 | Medium   | 6.1  | bootstrap-3.0.2.min.js | Direct | org.webjars.npm:bootstrap:4.1.2, org.webjars:bootstrap:3.4.0                                                                                                                   |
CVE-2016-10735 | Medium   | 6.1  | bootstrap-3.0.2.min.js | Direct | bootstrap - 3.4.0, 4.0.0-beta.2                                                                                                                                                |
CVE-2018-14040 | Low      | 3.7  | bootstrap-3.0.2.min.js | Direct | org.webjars.npm:bootstrap:4.1.2, org.webjars:bootstrap:3.4.0                                                                                                                   |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-8331

Vulnerable Library - bootstrap-3.0.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.2/js/bootstrap.min.js

Path to dependency file: /library/bootstrap-colorpicker/src/footer.html

Path to vulnerable library: /library/bootstrap-colorpicker/src/footer.html

Dependency Hierarchy:

  • bootstrap-3.0.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

CVE-2018-20677

Vulnerable Library - bootstrap-3.0.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.2/js/bootstrap.min.js

Path to dependency file: /library/bootstrap-colorpicker/src/footer.html

Path to vulnerable library: /library/bootstrap-colorpicker/src/footer.html

Dependency Hierarchy:

  • bootstrap-3.0.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

CVE-2018-20676

Vulnerable Library - bootstrap-3.0.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.2/js/bootstrap.min.js

Path to dependency file: /library/bootstrap-colorpicker/src/footer.html

Path to vulnerable library: /library/bootstrap-colorpicker/src/footer.html

Dependency Hierarchy:

  • bootstrap-3.0.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

CVE-2018-14042

Vulnerable Library - bootstrap-3.0.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.2/js/bootstrap.min.js

Path to dependency file: /library/bootstrap-colorpicker/src/footer.html

Path to vulnerable library: /library/bootstrap-colorpicker/src/footer.html

Dependency Hierarchy:

  • bootstrap-3.0.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2, org.webjars:bootstrap:3.4.0

CVE-2016-10735

Vulnerable Library - bootstrap-3.0.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.2/js/bootstrap.min.js

Path to dependency file: /library/bootstrap-colorpicker/src/footer.html

Path to vulnerable library: /library/bootstrap-colorpicker/src/footer.html

Dependency Hierarchy:

  • bootstrap-3.0.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2

CVE-2018-14040

Vulnerable Library - bootstrap-3.0.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.0.2/js/bootstrap.min.js

Path to dependency file: /library/bootstrap-colorpicker/src/footer.html

Path to vulnerable library: /library/bootstrap-colorpicker/src/footer.html

Dependency Hierarchy:

  • bootstrap-3.0.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2, org.webjars:bootstrap:3.4.0

jquery-3.3.1.tgz: 3 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Path to dependency file: /library/jgrowl/package.json

Path to vulnerable library: /library/jgrowl/node_modules/jquery/package.json

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE            | Severity | CVSS | Dependency       | Type   | Fixed in (jquery version) | Remediation Possible**
---------------|----------|------|------------------|--------|---------------------------|-----------------------
CVE-2020-23064 | Medium   | 6.1  | jquery-3.3.1.tgz | Direct | 3.5.0                     |
CVE-2020-11023 | Medium   | 6.1  | jquery-3.3.1.tgz | Direct | 3.5.0                     |
CVE-2020-11022 | Medium   | 6.1  | jquery-3.3.1.tgz | Direct | 3.5.0                     |
CVE-2019-11358 | Medium   | 6.1  | jquery-3.3.1.tgz | Direct | 3.4.0                     |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-23064

Vulnerable Library - jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Path to dependency file: /library/jgrowl/package.json

Path to vulnerable library: /library/jgrowl/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.3.1.tgz (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the element.

Publish Date: 2023-06-26

URL: CVE-2020-23064

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2023-06-26

Fix Resolution: 3.5.0

CVE-2020-11023

Vulnerable Library - jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Path to dependency file: /library/jgrowl/package.json

Path to vulnerable library: /library/jgrowl/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.3.1.tgz (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: 3.5.0

CVE-2020-11022

Vulnerable Library - jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Path to dependency file: /library/jgrowl/package.json

Path to vulnerable library: /library/jgrowl/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.3.1.tgz (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: 3.5.0

CVE-2019-11358

Vulnerable Library - jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Path to dependency file: /library/jgrowl/package.json

Path to vulnerable library: /library/jgrowl/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.3.1.tgz (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

jquery-1.10.2.min.js: 4 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-1.10.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js

Path to dependency file: /library/colorbox/example2/index.html

Path to vulnerable library: /library/colorbox/example2/index.html,/library/colorbox/example1/index.html,/library/colorbox/example3/index.html,/library/colorbox/example5/index.html,/library/colorbox/example4/index.html,/library/bootstrap-colorpicker/src/footer.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE            | Severity | CVSS | Dependency           | Type   | Fixed in (jquery version)            | Remediation Possible**
---------------|----------|------|----------------------|--------|--------------------------------------|-----------------------
CVE-2020-11023 | Medium   | 6.1  | jquery-1.10.2.min.js | Direct | jquery - 3.5.0; jquery-rails - 4.4.0 |
CVE-2020-11022 | Medium   | 6.1  | jquery-1.10.2.min.js | Direct | jQuery - 3.5.0                       |
CVE-2019-11358 | Medium   | 6.1  | jquery-1.10.2.min.js | Direct | jquery - 3.4.0                       |
CVE-2015-9251  | Medium   | 6.1  | jquery-1.10.2.min.js | Direct | jQuery - 3.0.0                       |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11023

Vulnerable Library - jquery-1.10.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js

Path to dependency file: /library/colorbox/example2/index.html

Path to vulnerable library: /library/colorbox/example2/index.html,/library/colorbox/example1/index.html,/library/colorbox/example3/index.html,/library/colorbox/example5/index.html,/library/colorbox/example4/index.html,/library/bootstrap-colorpicker/src/footer.html

Dependency Hierarchy:

  • jquery-1.10.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-1.10.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js

Path to dependency file: /library/colorbox/example2/index.html

Path to vulnerable library: /library/colorbox/example2/index.html,/library/colorbox/example1/index.html,/library/colorbox/example3/index.html,/library/colorbox/example5/index.html,/library/colorbox/example4/index.html,/library/bootstrap-colorpicker/src/footer.html

Dependency Hierarchy:

  • jquery-1.10.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-11358

Vulnerable Library - jquery-1.10.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js

Path to dependency file: /library/colorbox/example2/index.html

Path to vulnerable library: /library/colorbox/example2/index.html,/library/colorbox/example1/index.html,/library/colorbox/example3/index.html,/library/colorbox/example5/index.html,/library/colorbox/example4/index.html,/library/bootstrap-colorpicker/src/footer.html

Dependency Hierarchy:

  • jquery-1.10.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

CVE-2015-9251

Vulnerable Library - jquery-1.10.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js

Path to dependency file: /library/colorbox/example2/index.html

Path to vulnerable library: /library/colorbox/example2/index.html,/library/colorbox/example1/index.html,/library/colorbox/example3/index.html,/library/colorbox/example5/index.html,/library/colorbox/example4/index.html,/library/bootstrap-colorpicker/src/footer.html

Dependency Hierarchy:

  • jquery-1.10.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

jquery-1.12.4.min.js: 4 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /vendor/blueimp/jquery-file-upload/cors/postmessage.html

Path to vulnerable library: /vendor/blueimp/jquery-file-upload/cors/postmessage.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE            | Severity | CVSS | Dependency           | Type   | Fixed in (jquery version)            | Remediation Possible**
---------------|----------|------|----------------------|--------|--------------------------------------|-----------------------
CVE-2020-11023 | Medium   | 6.1  | jquery-1.12.4.min.js | Direct | jquery - 3.5.0; jquery-rails - 4.4.0 |
CVE-2020-11022 | Medium   | 6.1  | jquery-1.12.4.min.js | Direct | jQuery - 3.5.0                       |
CVE-2019-11358 | Medium   | 6.1  | jquery-1.12.4.min.js | Direct | jquery - 3.4.0                       |
CVE-2015-9251  | Medium   | 6.1  | jquery-1.12.4.min.js | Direct | jQuery - 3.0.0                       |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11023

Vulnerable Library - jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /vendor/blueimp/jquery-file-upload/cors/postmessage.html

Path to vulnerable library: /vendor/blueimp/jquery-file-upload/cors/postmessage.html

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Step up your Open Source Security Game with Mend here

CVE-2020-11022

Vulnerable Library - jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /vendor/blueimp/jquery-file-upload/cors/postmessage.html

Path to vulnerable library: /vendor/blueimp/jquery-file-upload/cors/postmessage.html

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-11358

Vulnerable Library - jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /vendor/blueimp/jquery-file-upload/cors/postmessage.html

Path to vulnerable library: /vendor/blueimp/jquery-file-upload/cors/postmessage.html

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

CVE-2015-9251

Vulnerable Library - jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /vendor/blueimp/jquery-file-upload/cors/postmessage.html

Path to vulnerable library: /vendor/blueimp/jquery-file-upload/cors/postmessage.html

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

jquery-1.8.2.min.js: 6 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /library/swipe/docs/tutorial-Pinch_and_Swipe.html

Path to vulnerable library: /library/swipe/docs/tutorial-Pinch_and_Swipe.html,/library/swipe/demos/Thresholds.html

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE             Severity  CVSS  Dependency           Type    Fixed in (jquery version)              Remediation Possible**
CVE-2020-7656   Medium    6.1   jquery-1.8.2.min.js  Direct  jquery - 1.9.0
CVE-2020-11023  Medium    6.1   jquery-1.8.2.min.js  Direct  jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2020-11022  Medium    6.1   jquery-1.8.2.min.js  Direct  jQuery - 3.5.0
CVE-2019-11358  Medium    6.1   jquery-1.8.2.min.js  Direct  jquery - 3.4.0
CVE-2015-9251   Medium    6.1   jquery-1.8.2.min.js  Direct  jQuery - 3.0.0
CVE-2012-6708   Medium    6.1   jquery-1.8.2.min.js  Direct  jQuery - v1.9.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-7656

Vulnerable Library - jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /library/swipe/docs/tutorial-Pinch_and_Swipe.html

Path to vulnerable library: /library/swipe/docs/tutorial-Pinch_and_Swipe.html,/library/swipe/demos/Thresholds.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

CVE-2020-11023

Vulnerable Library - jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /library/swipe/docs/tutorial-Pinch_and_Swipe.html

Path to vulnerable library: /library/swipe/docs/tutorial-Pinch_and_Swipe.html,/library/swipe/demos/Thresholds.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /library/swipe/docs/tutorial-Pinch_and_Swipe.html

Path to vulnerable library: /library/swipe/docs/tutorial-Pinch_and_Swipe.html,/library/swipe/demos/Thresholds.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-11358

Vulnerable Library - jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /library/swipe/docs/tutorial-Pinch_and_Swipe.html

Path to vulnerable library: /library/swipe/docs/tutorial-Pinch_and_Swipe.html,/library/swipe/demos/Thresholds.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

CVE-2015-9251

Vulnerable Library - jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /library/swipe/docs/tutorial-Pinch_and_Swipe.html

Path to vulnerable library: /library/swipe/docs/tutorial-Pinch_and_Swipe.html,/library/swipe/demos/Thresholds.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

CVE-2012-6708

Vulnerable Library - jquery-1.8.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.2/jquery.min.js

Path to dependency file: /library/swipe/docs/tutorial-Pinch_and_Swipe.html

Path to vulnerable library: /library/swipe/docs/tutorial-Pinch_and_Swipe.html,/library/swipe/demos/Thresholds.html

Dependency Hierarchy:

  • jquery-1.8.2.min.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

moment-2.13.0.js: 4 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - moment-2.13.0.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.js

Path to vulnerable library: /library/moment/moment.js

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Vulnerabilities

CVE             Severity  CVSS  Dependency        Type    Fixed in (moment version)  Remediation Possible**
CVE-2022-31129  High      7.5   moment-2.13.0.js  Direct  moment - 2.29.4
CVE-2022-24785  High      7.5   moment-2.13.0.js  Direct  moment - 2.29.2
CVE-2017-18214  High      7.5   moment-2.13.0.js  Direct  moment - 2.19.3
WS-2016-0075    Medium    5.3   moment-2.13.0.js  Direct  moment - 2.15.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-31129

Vulnerable Library - moment-2.13.0.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.js

Path to vulnerable library: /library/moment/moment.js

Dependency Hierarchy:

  • moment-2.13.0.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs, and a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, and the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4

CVE-2022-24785

Vulnerable Library - moment-2.13.0.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.js

Path to vulnerable library: /library/moment/moment.js

Dependency Hierarchy:

  • moment-2.13.0.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution: moment - 2.29.2

CVE-2017-18214

Vulnerable Library - moment-2.13.0.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.js

Path to vulnerable library: /library/moment/moment.js

Dependency Hierarchy:

  • moment-2.13.0.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-446m-mv8f-q348

Release Date: 2018-03-04

Fix Resolution: moment - 2.19.3

WS-2016-0075

Vulnerable Library - moment-2.13.0.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.13.0/moment.js

Path to vulnerable library: /library/moment/moment.js

Dependency Hierarchy:

  • moment-2.13.0.js (Vulnerable Library)

Found in HEAD commit: ad06856b39153f425da332dea44087d7b4bf93ce

Found in base branch: raconteur

Vulnerability Details

Regular expression denial of service vulnerability in the moment package, triggered by passing a specific 40-character string to the "format" method.

Publish Date: 2016-10-24

URL: WS-2016-0075

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2016-10-24

Fix Resolution: moment - 2.15.2
