hammondjm / ksa
This project forked from xsocket/ksa
Hangzhou Kaisiai Logistics Management System
License: Apache License 2.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.6.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
uglifier incorrectly handles non-boolean comparisons during minification. The upstream library for the Ruby uglifier gem, UglifyJS, is affected by a vulnerability that allows a specially crafted JavaScript file to have altered functionality after minification. This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated to allow potentially malicious code to be hidden within secure code and activated by the minification process.
Publish Date: 2015-07-22
URL: WS-2015-0033
Base Score Metrics:
Type: Upgrade version
Origin: https://hakiri.io/technologies/uglifier/issues/279911d9720338
Release Date: 2020-06-07
Fix Resolution: Uglifier - 2.7.2;uglify-js - v2.4.24
BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Path to dependency file: ksa/ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.6.tgz
Path to dependency file: /tmp/ws-scm/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: /ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.
Publish Date: 2015-08-24
URL: WS-2015-0024
Type: Upgrade version
Origin: mishoo/UglifyJS@905b601
Release Date: 2017-01-31
Fix Resolution: v2.4.24
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: /tmp/ws-scm/ksa/ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: canner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
The UnhandledDataStructure function in hwpf/model/UnhandledDataStructure.java in Apache POI 3.8 and earlier allows remote attackers to cause a denial of service (OutOfMemoryError exception and possibly JVM destabilization) via a crafted length value in a Channel Definition Format (CDF) or Compound File Binary Format (CFBF) document.
Publish Date: 2012-08-07
URL: CVE-2012-0213
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0213
Release Date: 2012-08-07
Fix Resolution: org.apache.poi:poi-scratchpad:3.9,org.apache.poi:poi:3.9
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
The class FileUploadBase in Apache Commons FileUpload before 1.4 has a potential resource leak: the InputStream is not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
Base Score Metrics:
Type: Upgrade version
Origin: apache/commons-fileupload@5b4881d
Release Date: 2019-09-26
Fix Resolution: 1.4
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Publish Date: 2014-04-01
URL: CVE-2014-0050
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
Release Date: 2014-04-01
Fix Resolution: 1.3.2
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.4.2.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Denial-of-Service Extended Event Loop Blocking. The qs module does not have an option or default for specifying object depth, and when parsing a string representing a deeply nested object it will block the event loop for long periods of time.
Publish Date: 2014-07-31
URL: WS-2014-0005
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking
Release Date: 2014-08-06
Fix Resolution: Update qs to version 1.0.0 or greater
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: ksa/ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,canner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Apache POI before 3.16-beta1 is vulnerable to a buffer overflow attack due to the lack of a length sanity check on the length of an embedded OLE10Native.
Publish Date: 2016-10-14
URL: WS-2016-7061
Base Score Metrics:
Type: Upgrade version
Origin: apache/poi@7f9f8e9
Release Date: 2019-09-26
Fix Resolution: 3.16-beta1
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js,ksa/ksa-web-root/ksa-web/target/ROOT/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
jQuery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, e.g. "</script >", which results in the enclosed script logic being executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
Base Score Metrics:
Type: Upgrade version
Origin: rails/jquery-rails@8f601cb
Release Date: 2020-05-19
Fix Resolution: jquery-rails - 2.2.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js,ksa/ksa-web-root/ksa-web/target/ROOT/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
High performance middleware framework
Library home page: https://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
The "methodOverride" middleware lets an HTTP POST override the request method with the value of a POST key or of a header, which allows an XSS attack.
Publish Date: 2013-06-27
URL: WS-2013-0004
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Release Date: 2013-07-01
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware at the top of your stack.
High performance middleware framework
Library home page: https://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware
Publish Date: 2019-12-11
URL: CVE-2013-7370
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7370
Release Date: 2013-07-01
Fix Resolution: 2.8.2
Spring Framework Parent
Path to dependency file: ksa/ksa-debug/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,canner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Publish Date: 2018-03-16
URL: CVE-2018-1199
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1199
Release Date: 2018-03-16
Fix Resolution: org.springframework.security:spring-security-web:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,org.springframework.security:spring-security-config:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,org.springframework:spring-core:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,4.3.14.RELEASE
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#20184
Release Date: 2019-01-09
Fix Resolution: 3.4.0
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.4.2.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Publish Date: 2014-10-19
URL: CVE-2014-7191
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191
Release Date: 2014-10-19
Fix Resolution: 1.0.0
High performance middleware framework
Library home page: https://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
senchalabs/connect prior to 2.8.1 is vulnerable to an XSS attack.
Publish Date: 2013-06-27
URL: WS-2013-0003
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Release Date: 2013-07-01
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware at the top of your stack.
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.2.4.tgz
Path to dependency file: /tmp/ws-scm/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: /tmp/ws-scm/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/mime/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Affected versions of mime (1.0.0 through 1.4.0 and 2.0.0 through 2.0.2) are vulnerable to regular expression denial of service.
Publish Date: 2017-09-27
URL: WS-2017-0330
Type: Upgrade version
Origin: broofa/mime@1df903f
Release Date: 2019-04-03
Fix Resolution: 1.4.1,2.0.3
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.6.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.
Publish Date: 2017-01-23
URL: CVE-2015-8857
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-12-15
Fix Resolution: v2.4.24
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Publish Date: 2017-04-24
URL: CVE-2017-3589
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589
Release Date: 2017-04-24
Fix Resolution: 5.1.42
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Publish Date: 2019-04-23
URL: CVE-2019-2692
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jcq3-cprp-m333
Release Date: 2019-04-23
Fix Resolution: mysql:mysql-connector-java:8.0.16
High performance middleware framework
Library home page: https://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.
Publish Date: 2018-06-07
URL: CVE-2018-3717
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3717
Release Date: 2018-06-07
Fix Resolution: 2.14.0
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2933
Base Score Metrics:
Type: Upgrade version
Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
Release Date: 2020-04-15
Fix Resolution: mysql:mysql-connector-java:5.1.49
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
Publish Date: 2013-10-28
URL: CVE-2013-2186
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2186
Release Date: 2019-04-08
Fix Resolution: 1.3.1
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: ksa/ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Apache POI in versions prior to release 3.17 is vulnerable to Denial of Service attacks: 1) infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
Publish Date: 2018-01-29
URL: CVE-2017-12626
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-01-29
Fix Resolution: org.apache.poi:poi-scratchpad:3.17,org.apache.poi:poi:3.17
BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Path to dependency file: ksa/ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-beanutils-1.8.3.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
Base Score Metrics:
Type: Upgrade version
Origin: victims/victims-cve-db@16a669c
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
High performance middleware framework
Library home page: https://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
node-connects before 2.8.2 has cross-site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370).
Publish Date: 2019-12-11
URL: CVE-2013-7371
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7371
Release Date: 2014-04-21
Fix Resolution: 2.8.2
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.6.tgz
Path to dependency file: /tmp/ws-scm/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: /ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed into .parse().
Publish Date: 2015-10-24
URL: WS-2015-0017
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/48
Release Date: 2015-10-24
Fix Resolution: Update to version 2.6.0 or later
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js,ksa/ksa-web-root/ksa-web/target/ROOT/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: /ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
jQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via a text/javascript response with arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution: 1.3.3
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.4.2.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Publish Date: 2018-05-31
URL: CVE-2014-10064
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/28
Release Date: 2014-08-06
Fix Resolution: Update to version 1.0.0 or later
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Publish Date: 2017-04-24
URL: CVE-2017-3523
Base Score Metrics:
Type: Upgrade version
Origin: https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Release Date: 2017-04-24
Fix Resolution: 5.1.41
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).
Publish Date: 2017-04-24
URL: CVE-2017-3586
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406
Release Date: 2017-04-24
Fix Resolution: 5.1.42
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M8,8.5.3,8.0.36,7.0.70,org.apache.tomcat:tomcat-coyote:9.0.0.M8,8.5.3,8.0.36,7.0.70,commons-fileupload:commons-fileupload:1.3.2
The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: ksa/ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-codec-1.5.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Apache commons-codec before version "commons-codec-1.13-RC1" is vulnerable to information disclosure due to improper input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
Publish Date: 2020-04-15
URL: CVE-2020-2875
Base Score Metrics:
Type: Upgrade version
Origin: mysql/mysql-connector-j@79a4336
Release Date: 2020-04-15
Fix Resolution: mysql:mysql-connector-java:5.1.49,8.0.15
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js,ksa/ksa-web-root/ksa-web/target/ROOT/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Spring Framework Parent
Path to dependency file: ksa/ksa-debug/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/spring-core-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
Publish Date: 2015-02-19
URL: CVE-2014-3578
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3578
Release Date: 2015-02-19
Fix Resolution: 3.2.9,4.0.5
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Publish Date: 2013-03-15
URL: CVE-2013-0248
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248
Release Date: 2013-03-15
Fix Resolution: 1.3
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js,ksa/ksa-web-root/ksa-web/target/ROOT/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.6.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8858
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-12-15
Fix Resolution: v2.6.0
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.2.4.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/mime/package.json
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-06-07
Fix Resolution: 1.4.1,2.0.3
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2934
Base Score Metrics:
Type: Upgrade version
Origin: https://www.oracle.com/security-alerts/cpuapr2020.html
Release Date: 2020-04-15
Fix Resolution: mysql:mysql-connector-java:5.1.49,8.0.20
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: http://shiro.apache.org/
Path to dependency file: ksa/ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,canner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
Publish Date: 2014-10-06
URL: CVE-2014-0074
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0074
Release Date: 2014-10-06
Fix Resolution: 1.2.3
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: http://shiro.apache.org/
Path to dependency file: ksa/ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,canner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Publish Date: 2016-06-07
URL: CVE-2016-4437
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437
Release Date: 2016-06-07
Fix Resolution: org.apache.shiro:shiro-all:1.2.5,org.apache.shiro:shiro-core:1.2.5
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: http://shiro.apache.org/
Path to dependency file: ksa/ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,canner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar
Dependency Hierarchy:
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
In Apache Shiro before 1.6.0, a specially crafted HTTP request may cause an authentication bypass.
Publish Date: 2020-08-17
URL: CVE-2020-13933
Base Score Metrics:
Type: Change files
Origin: apache/shiro@7935aa8
Release Date: 2020-05-04
Fix Resolution: Replace or update the following file: SecurityUtils.java