lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.
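The following is an added illustration of the class of bug described above, written for this page and not taken from lxml: a small allowlist sanitizer whose set of URL-bearing attributes (LINK_ATTRS_VULNERABLE, a hypothetical stand-in for defs.link_attrs) knows about action but not formaction, so a javascript: URL on a button's formaction passes through untouched, while the same sanitizer with formaction added strips it. The sanitizer, the attribute sets and the sample markup are all constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Attributes whose values are URLs and therefore need a scheme check.
# The "vulnerable" set mirrors the defect described above (action present,
# HTML5 formaction missing); the "fixed" set adds formaction. Both are
# illustrative stand-ins, not lxml's real defs.link_attrs table.
LINK_ATTRS_VULNERABLE = frozenset({"href", "src", "action", "cite", "data"})
LINK_ATTRS_FIXED = LINK_ATTRS_VULNERABLE | {"formaction"}

SAFE_SCHEMES = ("http:", "https:", "mailto:")
_CONTROL = re.compile(r"[\x00-\x20]")


def url_is_safe(value):
    """Allow relative URLs and allowlisted schemes; reject javascript:, data:, etc."""
    # Strip whitespace/control characters first: "java&#9;script:" decodes to
    # "java\tscript:" and browsers still treat it as the javascript scheme.
    v = _CONTROL.sub("", value).lower()
    if ":" not in v:
        return True
    return v.startswith(SAFE_SCHEMES)


class AttrSanitizer(HTMLParser):
    """Re-serialises a fragment, dropping on* handlers and unsafe URLs in link_attrs."""

    def __init__(self, link_attrs):
        super().__init__(convert_charrefs=True)
        self.link_attrs = link_attrs
        self.out = []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases names and decodes charrefs
            value = value or ""
            if name.startswith("on"):
                continue
            if name in self.link_attrs and not url_is_safe(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment, link_attrs):
    p = AttrSanitizer(link_attrs)
    p.feed(fragment)
    p.close()
    return "".join(p.out)


# Constructed sample input: action is covered by both sets, formaction only
# by the fixed one, and the href hides the scheme behind an encoded tab.
PAYLOAD = (
    '<form action="javascript:alert(1)">'
    '<button formaction="javascript:alert(2)">go</button></form>'
    '<a href="java&#9;script:alert(3)">x</a>'
)

if __name__ == "__main__":
    print("vulnerable:", sanitize(PAYLOAD, LINK_ATTRS_VULNERABLE))
    print("fixed:     ", sanitize(PAYLOAD, LINK_ATTRS_FIXED))
```

The vulnerable allowlist drops the form's action and the anchor's href but leaves formaction="javascript:alert(2)" in place, which is exactly the gap the advisory describes; any attribute that can carry a navigable URL (formaction, and on other elements srcset, poster, background, ping) has to be in the scheme-checked set, or the check is bypassable.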
Path to dependency file: presto/presto-main/src/main/resources/webapp/src/node_modules/dagre-d3/dist/demo/hover.html
Path to vulnerable library: presto/presto-main/src/main/resources/webapp/src/node_modules/dagre-d3/dist/demo/hover.html
Dependency Hierarchy:
❌jquery-1.9.1.min.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
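Why sanitized markup can still execute: before 3.5.0, jQuery's htmlPrefilter rewrote XHTML-style self-closing tags such as <style/> into <style></style> before the string reached the DOM, and a sanitizer that has already run on the string never sees that rewrite. The Python below is an added example written for this page (not jQuery's code): it transcribes the pre-3.5 rewrite regex, feeds a constructed sanitizer output through it, and uses the standard-library HTML parser to show that an <img onerror> which was only raw text inside a <style> element becomes a real element once the rewrite has closed the style early. The identity prefilter stands in for jQuery 3.5.0's behaviour.

```python
import re
from html.parser import HTMLParser

# jQuery < 3.5.0 expanded self-closing tags (except void elements) into an
# open/close pair before inserting markup; 3.5.0 made htmlPrefilter a no-op.
# This is the same regular expression transcribed into Python syntax.
RX_HTML_TAG = re.compile(
    r"<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)/>",
    re.IGNORECASE,
)


def html_prefilter_pre_3_5(markup):
    """Rewrite used by jQuery before 3.5.0: '<x/>' becomes '<x></x>'."""
    return RX_HTML_TAG.sub(r"<\1></\2>", markup)


def html_prefilter_3_5(markup):
    """jQuery 3.5.0 and later: the markup is passed through unchanged."""
    return markup


class ElementCollector(HTMLParser):
    """Record every element the parser actually creates with its attributes.

    Text inside <style> is raw text, so an '<img ...>' written there is
    never an element and never fires an event handler.
    """

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def elements_after(markup, prefilter):
    collector = ElementCollector()
    collector.feed(prefilter(markup))
    collector.close()
    return collector.elements


def has_event_handler(elements):
    return any(name.startswith("on") for _, attrs in elements for name in attrs)


# Constructed: what a DOM-based sanitizer returns for the input
# '<style><style/><img src=x onerror=alert(1)>'. The browser parsed the
# <img> as text content of the <style> element, so the sanitizer kept it.
SANITIZED = "<style><style/><img src=x onerror=alert(1)></style>"

if __name__ == "__main__":
    for name, prefilter in (("pre-3.5", html_prefilter_pre_3_5), ("3.5.0", html_prefilter_3_5)):
        print(name, prefilter(SANITIZED), elements_after(SANITIZED, prefilter))
```

The takeaway for a defender is that the sanitizer and the sink must agree on how the string is parsed: sanitizing a string and then handing it to an API that transforms it again is not sanitizing what is inserted. Upgrading to 3.5.0 removes the transform; until then, inserting via DOM APIs (parsing once, sanitizing the resulting nodes) is the safe pattern.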
Path to dependency file: presto/presto-main/src/main/resources/webapp/src/node_modules/dagre-d3/dist/demo/hover.html
Path to vulnerable library: presto/presto-main/src/main/resources/webapp/src/node_modules/dagre-d3/dist/demo/hover.html
Dependency Hierarchy:
❌jquery-1.9.1.min.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Path to dependency file: presto/presto-docs/requirements.txt
Path to vulnerable library: presto/presto-docs/requirements.txt
Dependency Hierarchy:
❌PyYAML-5.3.1.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
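To make the CRLF issue concrete, here is an added example (written for this page, not urllib3's code) that assembles a request head the way an unchecked client does, shows how a method string containing CR and LF splits it into two requests on the wire, and applies an RFC 7230 token check of the kind a fixed client performs before the method is written. The token regex and the sample method value are constructed for the example.

```python
import re

# RFC 7230 "token" characters: the only ones an HTTP method may contain.
# urllib3 >= 1.25.9 validates the method in putrequest(); this regex is a
# stand-in written for the example, not urllib3's own implementation.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def build_request_naive(method, target, host):
    """Assemble a request head with no validation, as the vulnerable client did."""
    return f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def build_request_checked(method, target, host):
    """Refuse anything that is not a single RFC 7230 token before it reaches the socket."""
    if not _TOKEN.match(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    return build_request_naive(method, target, host)


def request_lines(raw):
    """Return the request-line of every request head a server would find in `raw`."""
    return [chunk.split(b"\r\n", 1)[0].decode() for chunk in raw.split(b"\r\n\r\n") if chunk]


# Constructed attacker-controlled method: it terminates the request head
# early and starts a second request that the client never intended to send.
INJECTED_METHOD = "GET / HTTP/1.1\r\nHost: internal\r\n\r\nPOST"

if __name__ == "__main__":
    raw = build_request_naive(INJECTED_METHOD, "/admin", "example.test")
    print(raw)
    print(request_lines(raw))
    try:
        build_request_checked(INJECTED_METHOD, "/admin", "example.test")
    except ValueError as exc:
        print("rejected:", exc)
```

The naive builder emits GET / followed by a smuggled POST /admin against whichever host the attacker named; the checked builder raises before any bytes are written. The same token rule should be applied to header names, and header values should be rejected if they contain CR or LF, since the request head is a line-oriented protocol and every caller-controlled field is a potential injection point.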
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regular expression and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
Path to dependency file: presto/presto-main/src/main/resources/webapp/src/node_modules/dagre-d3/dist/demo/hover.html
Path to vulnerable library: presto/presto-main/src/main/resources/webapp/src/node_modules/dagre-d3/dist/demo/hover.html
Dependency Hierarchy:
❌jquery-1.9.1.min.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Path to dependency file: presto/presto-main/src/main/resources/webapp/src/node_modules/dagre-d3/dist/demo/hover.html
Path to vulnerable library: presto/presto-main/src/main/resources/webapp/src/node_modules/dagre-d3/dist/demo/hover.html
Dependency Hierarchy:
❌jquery-1.9.1.min.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.