20ful-demo's People

Contributors

mattdanielbrown, mend-bolt-for-github[bot], punund

20ful-demo's Issues

20ful-0.1.73.tgz: 6 vulnerabilities (highest severity is: 9.4)

Vulnerable Library - 20ful-0.1.73.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/markdown-it/package.json

Found in HEAD commit: 50487b5df27a0544c6f35de2d90b8f525bb6f15d

Vulnerabilities

CVE             Severity  CVSS  Dependency               Type        Fixed in (20ful version)  Remediation Possible**
WS-2020-0341    Critical  9.4   front-matter-3.2.1.tgz   Transitive  0.2.1
CVE-2021-21353  Critical  9.0   pug-2.0.4.tgz            Transitive  0.2.8
CVE-2023-31125  Medium    6.5   engine.io-6.4.1.tgz      Transitive  0.2.0
CVE-2023-45857  Medium    6.5   axios-0.21.4.tgz         Transitive  N/A*
CVE-2023-2142   Medium    6.1   nunjucks-3.2.3.tgz       Transitive  0.2.0
CVE-2022-21670  Medium    5.3   markdown-it-10.0.0.tgz   Transitive  0.3.5

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

WS-2020-0341

Vulnerable Library - front-matter-3.2.1.tgz

Extract YAML front matter from a string

Library home page: https://registry.npmjs.org/front-matter/-/front-matter-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/front-matter/package.json

Dependency Hierarchy:

  • 20ful-0.1.73.tgz (Root Library)
    • front-matter-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 50487b5df27a0544c6f35de2d90b8f525bb6f15d

Found in base branch: master

Vulnerability Details

An arbitrary code execution vulnerability was found in front-matter before 4.0.1, caused by the default use of the function yaml.load().

Publish Date: 2020-05-13

URL: WS-2020-0341

CVSS 3 Score Details (9.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-05-13

Fix Resolution (front-matter): 4.0.1

Direct dependency fix Resolution (20ful): 0.2.1

Step up your Open Source Security Game with Mend here

CVE-2021-21353

Vulnerable Library - pug-2.0.4.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Dependency Hierarchy:

  • 20ful-0.1.73.tgz (Root Library)
    • pug-2.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 50487b5df27a0544c6f35de2d90b8f525bb6f15d

Found in base branch: master

Vulnerability Details

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler (e.g. if you spread a user-provided object, such as the query parameters of a request, into the pug template inputs), it was possible for them to achieve remote code execution on the Node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages, including "pug" and "pug-code-gen"; pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for untrusted input to be passed to pug as the pretty option: e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

Publish Date: 2021-03-03

URL: CVE-2021-21353

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-p493-635q-r6gr

Release Date: 2021-03-03

Fix Resolution (pug): 3.0.0-canary-1

Direct dependency fix Resolution (20ful): 0.2.8

CVE-2023-31125

Vulnerable Library - engine.io-6.4.1.tgz

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-6.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/engine.io/package.json

Dependency Hierarchy:

  • 20ful-0.1.73.tgz (Root Library)
    • browser-sync-2.29.1.tgz
      • socket.io-4.6.1.tgz
        • engine.io-6.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 50487b5df27a0544c6f35de2d90b8f525bb6f15d

Found in base branch: master

Vulnerability Details

Engine.IO is the implementation of the transport-based, cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all users of the engine.io package, including those who use dependent packages such as socket.io. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.

Publish Date: 2023-05-08

URL: CVE-2023-31125

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-31125

Release Date: 2023-05-08

Fix Resolution (engine.io): 6.4.2

Direct dependency fix Resolution (20ful): 0.2.0

CVE-2023-45857

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

  • 20ful-0.1.73.tgz (Root Library)
    • browser-sync-2.29.1.tgz
      • localtunnel-2.0.2.tgz
        • axios-0.21.4.tgz (Vulnerable Library)

Found in HEAD commit: 50487b5df27a0544c6f35de2d90b8f525bb6f15d

Found in base branch: master

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution: axios - 1.6.0

CVE-2023-2142

Vulnerable Library - nunjucks-3.2.3.tgz

A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)

Library home page: https://registry.npmjs.org/nunjucks/-/nunjucks-3.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nunjucks/package.json

Dependency Hierarchy:

  • 20ful-0.1.73.tgz (Root Library)
    • nunjucks-3.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 50487b5df27a0544c6f35de2d90b8f525bb6f15d

Found in base branch: master

Vulnerability Details

Nunjucks is vulnerable to an autoescape bypass that may lead to cross-site scripting (XSS). It was possible to bypass the restrictions provided by the autoescape functionality: if two user-controlled parameters are used on the same line in the views, cross-site scripting payloads could be injected using the backslash (\) character. The issue was patched in version 3.2.4.

Publish Date: 2023-04-18

URL: CVE-2023-2142

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-x77j-w7wf-fjmw

Release Date: 2023-04-18

Fix Resolution (nunjucks): 3.2.4

Direct dependency fix Resolution (20ful): 0.2.0

CVE-2022-21670

Vulnerable Library - markdown-it-10.0.0.tgz

Markdown-it - modern pluggable markdown parser.

Library home page: https://registry.npmjs.org/markdown-it/-/markdown-it-10.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/markdown-it/package.json

Dependency Hierarchy:

  • 20ful-0.1.73.tgz (Root Library)
    • markdown-it-10.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 50487b5df27a0544c6f35de2d90b8f525bb6f15d

Found in base branch: master

Vulnerability Details

markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with a length greater than 50 thousand characters could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.

Publish Date: 2022-01-10

URL: CVE-2022-21670

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6vfc-qv3f-vr6c

Release Date: 2022-01-10

Fix Resolution (markdown-it): 12.3.2

Direct dependency fix Resolution (20ful): 0.3.5
