An ASP.NET web application that responsible of detecting and reporting vulnerabilities in android applications by static and dynamic analysis methodologies.
License: GNU Lesser General Public License v2.1
Vulnerable Library - bootstrap-3.3.7.min.jsThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /droidbot-master/droidbot/resources/index.html
Path to vulnerable library: /droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js,/droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: a071e1bf2367fed4bc57256d6dead9c1822200c3
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - commons-codec-1.6.jarThe codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Library home page: http://commons.apache.org/codec/
Path to vulnerable library: /AndroShield/apkanalyzer/lib/commons-codec-1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 91a5e948ef509a3798be349eb96acdf6dd3373d8
Vulnerability Details
Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.
Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability
Publish Date: 2007-10-07
URL: WS-2009-0001
CVSS 2 Score Details (0.0)
Base Score Metrics not available
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - bcprov-jdk15on-1.56.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /AndroShield/apkanalyzer/lib/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
Found in HEAD commit: 91a5e948ef509a3798be349eb96acdf6dd3373d8
Vulnerability Details
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.
Publish Date: 2018-07-09
URL: CVE-2018-1000613
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000613
Release Date: 2018-07-09
Fix Resolution: 1.60
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - guava-22.0.jarGuava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>
Library home page: https://github.com/google/guava
Path to vulnerable library: /apkanalyzer/lib/guava-22.0.jar
Dependency Hierarchy:
Found in HEAD commit: a071e1bf2367fed4bc57256d6dead9c1822200c3
Vulnerability Details
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Publish Date: 2020-12-10
URL: CVE-2020-8908
CVSS 3 Score Details (3.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution: 30.0-android
Step up your Open Source Security Game with Mend here
Vulnerable Library - jquery-3.2.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
Path to dependency file: /droidbot-master/droidbot/resources/index.html
Path to vulnerable library: /droidbot-master/droidbot/resources/stylesheets/jquery.min.js,/droidbot-master/droidbot/resources/stylesheets/jquery.min.js
Dependency Hierarchy:
Found in HEAD commit: a071e1bf2367fed4bc57256d6dead9c1822200c3
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - commons-compress-1.12.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: http://commons.apache.org/proper/commons-compress/
Path to vulnerable library: /AndroShield/apkanalyzer/lib/commons-compress-1.12.jar
Dependency Hierarchy:
Found in HEAD commit: 91a5e948ef509a3798be349eb96acdf6dd3373d8
Vulnerability Details
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2018-08-16
URL: CVE-2018-11771
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11771
Release Date: 2019-04-08
Fix Resolution: 1.18
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - bootstrap-3.3.7.min.jsThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /droidbot-master/droidbot/resources/index.html
Path to vulnerable library: /droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js,/droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: a071e1bf2367fed4bc57256d6dead9c1822200c3
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcprov-jdk15on-1.56.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /AndroShield/apkanalyzer/lib/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
Found in HEAD commit: 91a5e948ef509a3798be349eb96acdf6dd3373d8
Vulnerability Details
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Publish Date: 2018-06-05
URL: CVE-2018-1000180
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Change files
Origin: bcgit/bc-java@22467b6
Release Date: 2018-04-22
Fix Resolution: Replace or update the following file: RSAKeyPairGenerator.java
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-3.2.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
Path to dependency file: /droidbot-master/droidbot/resources/index.html
Path to vulnerable library: /droidbot-master/droidbot/resources/stylesheets/jquery.min.js,/droidbot-master/droidbot/resources/stylesheets/jquery.min.js
Dependency Hierarchy:
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - bootstrap-3.3.7.min.jsThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /droidbot-master/droidbot/resources/index.html
Path to vulnerable library: /droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js,/droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: a071e1bf2367fed4bc57256d6dead9c1822200c3
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - jython-standalone-2.5.3.jarJython is an implementation of the high-level, dynamic, object-oriented language Python written in 100% Pure Java, and seamlessly integrated with the Java platform. It thus allows you to run Python on any Java platform.
Library home page: http://www.jython.org/
Path to vulnerable library: /AndroShield/apkanalyzer/lib/jython-standalone-2.5.3.jar
Dependency Hierarchy:
Found in HEAD commit: 91a5e948ef509a3798be349eb96acdf6dd3373d8
Vulnerability Details
Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.
Publish Date: 2017-07-06
URL: CVE-2016-4000
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-4000
Release Date: 2017-07-06
Fix Resolution: 2.7.1rc1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - guava-22.0.jarGuava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>
Library home page: https://github.com/google/guava/guava
Path to vulnerable library: /AndroShield/apkanalyzer/lib/guava-22.0.jar
Dependency Hierarchy:
Found in HEAD commit: 91a5e948ef509a3798be349eb96acdf6dd3373d8
Vulnerability Details
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Release Date: 2018-04-26
Fix Resolution: 24.1.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - commons-codec-1.6.jarThe codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Library home page: http://commons.apache.org/codec/
Path to vulnerable library: /AndroShield/apkanalyzer/lib/commons-codec-1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 91a5e948ef509a3798be349eb96acdf6dd3373d8
Vulnerability Details
Base64 encode() method is no longer thread-safe in Apache Commons Codec before version 1.7, which might disclose the wrong data or allow an attacker to change non-private fields.
Publish Date: 2010-02-26
URL: WS-2010-0001
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/CODEC-96
Release Date: 2017-01-31
Fix Resolution: 1.7
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - httpclient-4.2.6.jarHttpComponents Client
Path to vulnerable library: /AndroShield/apkanalyzer/lib/httpclient-4.2.6.jar
Dependency Hierarchy:
Found in HEAD commit: 91a5e948ef509a3798be349eb96acdf6dd3373d8
Vulnerability Details
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Publish Date: 2014-08-21
URL: CVE-2014-3577
CVSS 2 Score Details (5.8)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3577
Release Date: 2014-08-21
Fix Resolution: 4.3.5,4.0.2
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - bootstrap-3.3.7.min.jsThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /droidbot-master/droidbot/resources/index.html
Path to vulnerable library: /droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js,/droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: a071e1bf2367fed4bc57256d6dead9c1822200c3
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - jquery-3.2.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
Path to dependency file: /droidbot-master/droidbot/resources/index.html
Path to vulnerable library: /droidbot-master/droidbot/resources/stylesheets/jquery.min.js,/droidbot-master/droidbot/resources/stylesheets/jquery.min.js
Dependency Hierarchy:
Found in HEAD commit: a071e1bf2367fed4bc57256d6dead9c1822200c3
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - bootstrap-3.3.7.min.jsThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /droidbot-master/droidbot/resources/index.html
Path to vulnerable library: /droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js,/droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js
Dependency Hierarchy:
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - bootstrap-3.3.7.min.jsThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /droidbot-master/droidbot/resources/index.html
Path to vulnerable library: /droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js,/droidbot-master/droidbot/resources/stylesheets/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: a071e1bf2367fed4bc57256d6dead9c1822200c3
Vulnerability Details
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - commons-compress-1.12.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: http://commons.apache.org/proper/commons-compress/
Path to vulnerable library: /AndroShield/apkanalyzer/lib/commons-compress-1.12.jar
Dependency Hierarchy:
Found in HEAD commit: 91a5e948ef509a3798be349eb96acdf6dd3373d8
Vulnerability Details
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2018-03-16
URL: CVE-2018-1324
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324
Release Date: 2018-03-16
Fix Resolution: 1.16
Step up your Open Source Security Game with WhiteSource here
عند اضاف apk
ونقر على analyze
((APKInfoExtractor)Session["apkInfoExtraction"]).startExtraction()
يظهر لي null
مشكلة.docx
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.