This project is forked from death-save/combat-utility-belt
Combat Utility Belt module for Foundry Virtual Tabletop
Home Page: https://patreon.com/deathsave
License: GNU General Public License v3.0
Languages: JavaScript 86.26%, CSS 3.26%, HTML 5.07%, Handlebars 5.41%
combat-utility-belt's Issues
CVE-2022-21670 - Medium Severity Vulnerability
Vulnerable Library - markdown-it-10.0.0.tgz
Markdown-it - modern pluggable markdown parser.
Library home page: https://registry.npmjs.org/markdown-it/-/markdown-it-10.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/markdown-it/package.json
Dependency Hierarchy:
jsdoc-to-markdown-6.0.1.tgz (Root Library)
jsdoc-api-6.0.0.tgz
jsdoc-3.6.7.tgz
❌ markdown-it-10.0.0.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
markdown-it is a Markdown parser. Prior to version 12.3.2, special patterns with length greater than 50 thousand characters could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.
Publish Date: 2022-01-10
URL: CVE-2022-21670
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-6vfc-qv3f-vr6c
Release Date: 2022-01-10
Fix Resolution (markdown-it): 12.3.2
Direct dependency fix Resolution (jsdoc-to-markdown): 7.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-21680 - High Severity Vulnerability
Vulnerable Libraries - marked-1.2.9.tgz , marked-2.1.3.tgz
marked-1.2.9.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-1.2.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
jsdoc-to-markdown-6.0.1.tgz (Root Library)
dmd-5.0.2.tgz
❌ marked-1.2.9.tgz (Vulnerable Library)
marked-2.1.3.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsdoc/node_modules/marked/package.json
Dependency Hierarchy:
jsdoc-to-markdown-6.0.1.tgz (Root Library)
jsdoc-api-6.0.0.tgz
jsdoc-3.6.7.tgz
❌ marked-2.1.3.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Publish Date: 2022-01-14
URL: CVE-2022-21680
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-rrrm-qjm4-v8hf
Release Date: 2022-01-14
Fix Resolution (marked): 4.0.10
Direct dependency fix Resolution (jsdoc-to-markdown): 7.0.0
CVE-2024-4067 - Medium Severity Vulnerability
Vulnerable Library - micromatch-3.1.10.tgz
Glob matching for javascript/node.js. A drop-in replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
Dependency Hierarchy:
gulp-4.0.2.tgz (Root Library)
glob-watcher-5.0.5.tgz
anymatch-2.0.0.tgz
❌ micromatch-3.1.10.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: micromatch - 4.0.6
CVE-2024-27088 - Low Severity Vulnerability
Vulnerable Library - es5-ext-0.10.53.tgz
ECMAScript extensions and shims
Library home page: https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.53.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/es5-ext/package.json
Dependency Hierarchy:
gulp-4.0.2.tgz (Root Library)
undertaker-1.3.0.tgz
es6-weak-map-2.0.3.tgz
❌ es5-ext-0.10.53.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into function#copy or function#toStringTokens may cause the script to stall. The vulnerability is patched in v0.10.63.
Publish Date: 2024-02-26
URL: CVE-2024-27088
CVSS 3 Score Details (0.0)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-27088
Release Date: 2024-02-26
Fix Resolution: es5-ext - 0.10.63
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
gulp-4.0.2.tgz (Root Library)
vinyl-fs-3.0.3.tgz
glob-stream-6.1.0.tgz
glob-7.2.0.tgz
❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2021-44906 - Critical Severity Vulnerability
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
jsdoc-to-markdown-6.0.1.tgz (Root Library)
dmd-5.0.2.tgz
handlebars-4.7.7.tgz
❌ minimist-1.2.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (jsdoc-to-markdown): 7.0.0
CVE-2022-25883 - High Severity Vulnerability
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
gulp-4.0.2.tgz (Root Library)
gulp-cli-2.3.0.tgz
yargs-7.1.2.tgz
read-pkg-up-1.0.1.tgz
read-pkg-1.1.0.tgz
normalize-package-data-2.5.0.tgz
❌ semver-5.7.1.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
CVE-2021-21306 - High Severity Vulnerability
Vulnerable Library - marked-1.2.9.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-1.2.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
jsdoc-to-markdown-6.0.1.tgz (Root Library)
dmd-5.0.2.tgz
❌ marked-1.2.9.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.
Publish Date: 2021-02-08
URL: CVE-2021-21306
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4r62-v4vq-hr96
Release Date: 2021-02-08
Fix Resolution (marked): 2.0.0
Direct dependency fix Resolution (jsdoc-to-markdown): 7.0.0
CVE-2024-4068 - High Severity Vulnerability
Vulnerable Library - braces-2.3.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json
Dependency Hierarchy:
gulp-4.0.2.tgz (Root Library)
glob-watcher-5.0.5.tgz
chokidar-2.1.8.tgz
❌ braces-2.3.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
CVE-2021-35065 - High Severity Vulnerability
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
gulp-4.0.2.tgz (Root Library)
vinyl-fs-3.0.3.tgz
glob-stream-6.1.0.tgz
❌ glob-parent-3.1.0.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
CVE-2020-28469 - High Severity Vulnerability
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
gulp-4.0.2.tgz (Root Library)
vinyl-fs-3.0.3.tgz
glob-stream-6.1.0.tgz
❌ glob-parent-3.1.0.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
CVE-2022-21681 - High Severity Vulnerability
Vulnerable Libraries - marked-1.2.9.tgz , marked-2.1.3.tgz
marked-1.2.9.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-1.2.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
jsdoc-to-markdown-6.0.1.tgz (Root Library)
dmd-5.0.2.tgz
❌ marked-1.2.9.tgz (Vulnerable Library)
marked-2.1.3.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsdoc/node_modules/marked/package.json
Dependency Hierarchy:
jsdoc-to-markdown-6.0.1.tgz (Root Library)
jsdoc-api-6.0.0.tgz
jsdoc-3.6.7.tgz
❌ marked-2.1.3.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Publish Date: 2022-01-14
URL: CVE-2022-21681
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5v2h-r2cx-5xgj
Release Date: 2022-01-14
Fix Resolution (marked): 4.0.10
Direct dependency fix Resolution (jsdoc-to-markdown): 7.0.0
CVE-2021-23440 - High Severity Vulnerability
Vulnerable Library - set-value-2.0.1.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
gulp-4.0.2.tgz (Root Library)
glob-watcher-5.0.5.tgz
chokidar-2.1.8.tgz
braces-2.3.2.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
❌ set-value-2.0.1.tgz (Vulnerable Library)
Found in HEAD commit: b62dc5904e187f6d95d8e4154717e45bba8207c6
Found in base branch: master
Vulnerability Details
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440 .
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-12
Fix Resolution: set-value - 4.0.1
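The minimist (CVE-2021-44906) and set-value (CVE-2021-23440) issues above are both prototype pollution in a path-based setter, and the set-value one is specifically a bypass of an earlier string-only key check when a path segment is an array. The block below is an added example written for this page, not code from minimist, set-value or this project, and it does not reproduce those libraries' exact code paths: it shows a naive dotted-path setter that walks `__proto__` onto `Object.prototype`, why an array segment slips past a `k === '__proto__'` style check, and a hardened setter that rejects both. Function names are illustrative.

```javascript
// Added example: prototype pollution through a path setter, and a hardened
// version. Not the code of any library listed on this page.

// Naive: follows or creates objects along the path with no key filtering,
// so the segment "__proto__" steps onto Object.prototype and the final
// assignment lands on every object in the process.
function setPathNaive(target, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (node[k] === undefined || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: a segment must already be a string or number (an array segment
// such as ['__proto__'] is !== '__proto__' yet becomes "__proto__" the moment
// it is used as a property name), unsafe names are rejected anywhere in the
// path, and traversal only descends into own, plain-object properties.
function setPathSafe(target, path, value) {
  const raw = Array.isArray(path) ? path : String(path).split('.');
  const keys = raw.map((k) => {
    if (typeof k !== 'string' && typeof k !== 'number') {
      throw new TypeError('path segments must be strings or numbers');
    }
    return String(k);
  });
  for (const k of keys) {
    if (UNSAFE_KEYS.has(k)) throw new Error(`refusing to set unsafe key "${k}"`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Each demo pollutes through the naive setter, records whether a fresh object
// inherited the value, then deletes the property so the process stays clean.
function demoNaivePollution() {
  try {
    setPathNaive({}, '__proto__.polluted', 'yes');
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

// Same attack with an array segment: a check written as k === '__proto__'
// would not trigger, but node[k] still coerces the array to "__proto__".
function demoArrayKeyBypass() {
  try {
    setPathNaive({}, [['__proto__'], 'polluted'], 'yes');
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

// What the hardened setter blocks, and that ordinary paths still work.
function demoSafeSetter() {
  const blocked = (path) => {
    try { setPathSafe({}, path, 'yes'); return false; } catch (e) { return true; }
  };
  return {
    stringBlocked: blocked('__proto__.polluted'),
    arrayBlocked: blocked([['__proto__'], 'polluted']),
    constructorBlocked: blocked('constructor.prototype.polluted'),
    normalWorks: setPathSafe({}, 'a.b.c', 1).a.b.c === 1,
    noPollution: ({}).polluted === undefined,
  };
}
```

The practical consequence for a build pipeline like this one is that any place argv or config keys reach such a setter (minimist parses `--__proto__.x=y` straight from the command line) becomes a write into every object in the process. Creating the target with `Object.create(null)` is an additional defence when the container is only ever used as a map.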
CVE-2022-38900 - High Severity Vulnerability
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
gulp-4.0.2.tgz (Root Library)
glob-watcher-5.0.5.tgz
chokidar-2.1.8.tgz
braces-2.3.2.tgz
snapdragon-0.8.2.tgz
source-map-resolve-0.5.3.tgz
❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution: decode-uri-component - 0.2.1
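Every issue above is the same shape: a transitive dependency pinned in the lockfile below a known fix version. The block below is an added example, not tooling from Mend or this repository, that re-derives such findings from an npm lockfile offline. `ADVISORIES` is copied from the package names and fix resolutions listed in the issues; `SAMPLE_LOCKFILE` is constructed for the example and marks the packages as dev dependencies only as an assumption. It handles the lockfileVersion 2/3 `packages` layout (v1 `dependencies` trees are not handled) and, because the page gives fix versions but not affected-range lower bounds, the check is conservative and can over-report very old versions.

```javascript
// Added example: audit an npm lockfile against the fix versions from the
// issues above. Not Mend's scanner and not code from this repository.
const ADVISORIES = [
  { id: 'CVE-2022-21670', name: 'markdown-it', fixed: '12.3.2' },
  { id: 'CVE-2022-21680', name: 'marked', fixed: '4.0.10' },
  { id: 'CVE-2022-21681', name: 'marked', fixed: '4.0.10' },
  { id: 'CVE-2021-21306', name: 'marked', fixed: '2.0.0' },
  { id: 'CVE-2024-4067', name: 'micromatch', fixed: '4.0.6' },
  { id: 'CVE-2024-27088', name: 'es5-ext', fixed: '0.10.63' },
  { id: 'CVE-2022-3517', name: 'minimatch', fixed: '3.0.5' },
  { id: 'CVE-2021-44906', name: 'minimist', fixed: '1.2.6' },
  { id: 'CVE-2022-25883', name: 'semver', fixed: ['5.7.2', '6.3.1', '7.5.2'] },
  { id: 'CVE-2024-4068', name: 'braces', fixed: '3.0.3' },
  { id: 'CVE-2021-35065', name: 'glob-parent', fixed: '6.0.1' },
  { id: 'CVE-2020-28469', name: 'glob-parent', fixed: '5.1.2' },
  { id: 'CVE-2021-23440', name: 'set-value', fixed: '4.0.1' },
  { id: 'CVE-2022-38900', name: 'decode-uri-component', fixed: '0.2.1' },
];

// Constructed lockfile fragment: versions from the issues above plus a few
// patched or unrelated packages to show non-findings.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'combat-utility-belt',
  lockfileVersion: 3,
  packages: {
    '': { name: 'combat-utility-belt' },
    'node_modules/marked': { version: '1.2.9', dev: true },
    'node_modules/jsdoc/node_modules/marked': { version: '2.1.3', dev: true },
    'node_modules/minimist': { version: '1.2.5', dev: true },
    'node_modules/semver': { version: '5.7.1', dev: true },
    'node_modules/set-value': { version: '2.0.1', dev: true },
    'node_modules/glob-parent': { version: '6.0.2', dev: true },
    'node_modules/braces': { version: '3.0.3', dev: true },
    'node_modules/@types/node': { version: '18.0.0', dev: true },
  },
});

// Minimal x.y.z parsing; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Fixed if at or above the patched release on the installed major line
// (semver ships one per line: 5.7.2, 6.3.1, 7.5.2). With no patched release
// on that line, only versions newer than every listed fix count as safe.
function isFixed(installed, fixed) {
  const fixes = Array.isArray(fixed) ? fixed : [fixed];
  const major = parseVersion(installed)[0];
  const sameLine = fixes.find((f) => parseVersion(f)[0] === major);
  if (sameLine) return compareVersions(installed, sameLine) >= 0;
  return fixes.every((f) => compareVersions(installed, f) > 0);
}

// "node_modules/jsdoc/node_modules/marked" -> "marked"; scoped packages keep
// their scope ("node_modules/@types/node" -> "@types/node").
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// One finding per (installed path, advisory) pair, so a package vendored at
// two paths (marked here) is reported at both.
function auditLockfile(lockJson, advisories) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue; // root project entry
    const name = packageNameFromPath(path);
    for (const adv of advisories) {
      if (adv.name === name && !isFixed(entry.version, adv.fixed)) {
        findings.push({ id: adv.id, name, path, version: entry.version,
                        fixed: adv.fixed, dev: Boolean(entry.dev) });
      }
    }
  }
  return findings;
}
```

The `dev` flag is worth carrying into triage: gulp and jsdoc-to-markdown are build tooling, so a ReDoS in their dependency tree is reachable only by whoever feeds the build untrusted input, not by users of the Foundry module at runtime. The root-library fix resolutions above (jsdoc-to-markdown 7.0.0) are the upgrade that clears the whole marked/minimist/markdown-it subtree at once.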