
fireshort's Introduction

Hi there, I am Monish Basaniwal 👋


fireshort's People

Contributors

abhinavkrin, alii13, allcontributors[bot], amit366, asi309, dependabot-preview[bot], felizj17, harshvats2000, i-aryan, imgbotapp, mend-bolt-for-github[bot], monizb, pyplacca, rahul1995, restyled-commits, shashwatmdas, snyk-bot, taarnstar, vikashgaya916, willianrod

fireshort's Issues

Integrate Welcome Bot

Hello there,
I can add a welcome bot config file with a proper message that will show up when any user opens an issue or pull request for the first time, as a part of DWOC. Please assign me this issue.
For reference, kindly check out: https://github.com/apps/welcome

THANK YOU

CVE-2020-7768 (High) detected in grpc-js-1.1.7.tgz - autoclosed

CVE-2020-7768 - High Severity Vulnerability

Vulnerable Library - grpc-js-1.1.7.tgz

gRPC Library for Node - pure JS implementation

Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-1.1.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@grpc/grpc-js/package.json

Dependency Hierarchy:

  • firebase-7.22.0.tgz (Root Library)
    • firestore-1.17.2.tgz
      • ❌ grpc-js-1.1.7.tgz (Vulnerable Library)

Found in HEAD commit: 01d2522e4209e107bda54c059ee7caae1a2713dc

Found in base branch: master

Vulnerability Details

The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.

Publish Date: 2020-11-11

URL: CVE-2020-7768

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768

Release Date: 2020-11-11

Fix Resolution (@grpc/grpc-js): 1.1.8

Direct dependency fix Resolution (firebase): 7.22.1-202095155838

Add Protect Link With Password

Add a new feature in each card/list where the user can check/uncheck an option to protect their link with a password. When this is enabled, a password field should be presented so the password can be entered before redirecting to the destination link. It should track user information only if the password matches.

Implement a welcome bot

This will basically help first-timers when someone makes a PR, raises an issue or wants to contribute to your repo.

Password being logged into the console for a password protected url.

Describe the bug
When any user tries to open the short url, the password gets logged into the console.

To Reproduce
Steps to reproduce the behavior:

  1. Open the short url in a browser.
  2. Open Console of the browser.
  3. If the link was password protected, the password get logged into the console.

Expected behavior
Should not be logged.

Page goes blank while redirecting to destination link

Describe the bug
When the short URL is accessed and the Fireshort Loader is presented, it disappears for a few seconds before redirecting to the destination link.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the shortened URL
  2. Wait for a second
  3. Issue Occurs

Expected behavior
Show the Loader until the page is redirected

This issue has occurred after #46 was merged, @harshvats2000 please take a look at this if you are interested :)

CVE-2020-7789 (Medium) detected in node-notifier-5.4.3.tgz - autoclosed

CVE-2020-7789 - Medium Severity Vulnerability

Vulnerable Library - node-notifier-5.4.3.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-notifier/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • jest-24.9.0.tgz
      • jest-cli-24.9.0.tgz
        • core-24.9.0.tgz
          • reporters-24.9.0.tgz
            • ❌ node-notifier-5.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 01d2522e4209e107bda54c059ee7caae1a2713dc

Found in base branch: master

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution (node-notifier): 5.4.4

Direct dependency fix Resolution (react-scripts): 3.4.4

Show a Dialog after each link is created

After each link is created, right now it only creates a corresponding card related to it. Instead of this, it should show a Dialog with the created link, a button to copy the link, different ways to share the URL and a button to generate a QR code and share it as a jpg

Add a search bar to easily search for created links

Is your feature request related to a problem? Please describe.
Right now if you have to search for your created links, you have to manually search them.

Describe the solution you'd like
Add a good-looking search bar on top which filters the cards as the user types, showing only the results they want. Also please add a cross mark to clear the query and bring all the cards back.

Cannot create account on Sign up page

Describe the bug
I keep getting a sign up error when I attempt to create an account on the sign up page

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'sign up page' or click on sign up on login page.
  2. Fill form.
  3. Click on sign up button.
  4. See error (An unknown error occurred while signing up.) above the sign up button.
  5. Error auth.js:204 POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/signupNewUser?key=[API_KEY] 400 also appears in the console

Desktop

  • OS: Windows
  • Browser: Chrome
  • Version 85.0.4183.121

"Open" button behavior different across views

Describe the bug
In List view, if admin clicks on "Open", link is opened through short link redirect, which also logs the tracking detail as well. But in Card view, it directly opens it without any tracking logs.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'List View'
  2. Click on 'Open' for a link which is being tracked.
  3. See the hits count incremented.
  4. Do the same in 'Card View'
  5. Hits count remain the same.

Expected behavior
Both views should have the same behaviour.

Password Protection Option not present in Card Layout

Describe the bug
In card layout, the whole feature of password-protection is not implemented.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Card Layout'.
  2. See there is no lock/unlock icon for any link
  3. Click 'Open' for any password-protected link.
  4. Link opens up without prompting for password.

Expected behavior
Lock/Unlock icon should be shown and Password should be prompted for password-protected links in Card View.

Add a meaningful CONTRIBUTING.md file

To comply fully with GitHub's community standards, a well-documented CONTRIBUTING.md file is required to help first-time contributors contribute to this repository. You can use this guide here to write a good one.

Reduce IP Tracking Time while redirecting to the destination link

The app takes a minimum of 5 seconds to capture the user's IP address when redirecting to the destination link, which is not at all ideal. It would be great if you could reduce this time drastically by using an alternative npm package or a free API. Right now it uses the public-api package from NPM.

Modifying the API to honour the new Security Rules for Firestore / Adding New Features

The initial version of Fireshort has an API which was developed by @JithinAntony4 in #67; it has not been merged into master yet due to the changes in DB configuration and rules which were made to allow Fireshort to work as a stand-alone application like many well-known link shorteners out there. This issue addresses the following points:

  1. Modifying the API to honour the most recent changes in the DB rules. You can find the latest rules here

  2. Adding a method to change the API Key generation: Right now in the linked PR the application creates a key if it doesn't exist yet. Instead the API should now properly only serve the data belonging to that particular user and create and store the API Key until the user decides to regenerate these keys again.

This issue can be further broken down into 2 individual issues based on the demand for it :)

Password is in plain text when protecting URLs after creating a URL

Describe the bug
After a URL is created, the password field in the modal is in plain text when adding a password to an already created URL.

To Reproduce
Steps to reproduce the behavior:

  1. Create a URL
  2. Click on the lock symbol
  3. The text field for adding a new password is in plain text

Expected behavior
The field should be a password field

CVE-2020-15256 (High) detected in object-path-0.11.4.tgz - autoclosed

CVE-2020-15256 - High Severity Vulnerability

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/object-path/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • resolve-url-loader-3.1.1.tgz
      • adjust-sourcemap-loader-2.0.0.tgz
        • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: 117c3d679afe737a69f8394c186c453fddc9cd28

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cwx2-736x-mf6w

Release Date: 2020-10-19

Fix Resolution (object-path): 0.11.5

Direct dependency fix Resolution (react-scripts): 3.4.4

Revamp the dashboard

Revamp the design for the entire dashboard and make everything look pixel perfect and more clean. Requires basic knowledge of React and CSS.

Insecure Password Storage For Protected Links - autoclosed

@abhinavkrin that's not a problem, I'll keep the PR open so you can push all your commits and have one review and testing once you are ready. Thanks!

Hey @monizb, as I was working with the admin panel, I found out that the way the password is checked is insecure. The document has read access set to "public", and hence the password is exposed to the public. Also, once a password is set I could not find a way to remove the password.

Please look into the matter.
A solution would be to set a flag called "isProtected" set to true and storing the passwords in another collection.

Originally posted by @abhinavkrin in #79 (comment)

Search Functionality Does Not Work With List View

Describe the bug
Currently the search box for the links only works in the Card View where the cards are filtered out based on the input

To Reproduce
Steps to reproduce the behavior:

  1. Go to Dashboard
  2. Click on Search Box
  3. Click On List View
  4. List doesn't get filtered

Expected behavior
List should be filtered to give out matching results

Add more tracking options

Right now the app tracks the IPv4 address, IPv6 address and User-Agent. Add more tracking options like country, date filters, referrers etc. :)

Long-url is directly opened instead of getting redirected from our short url page from Card layout

Describe the bug
If a link is opened through Card layout, the link is directly opened instead of getting redirected from short url.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Card View
  2. Click on 'Open' for any link there
  3. See that the long url is directly opened in new tab.

Expected behavior
Associated short url should be opened first which should redirect itself to long url as happening in List View.

Revamping the Login And Registration Screen

As mentioned in #145 the login screen is not at all dynamic right now and does not add up to a good UI. The following changes are required:

  1. Revamping the entire signup/login form with the colour scheme to present a much better-looking page
  2. Make the login form responsive and auto-fit across all screen sizes to prevent hindrance.

Please do comment here before being assigned the issue :)

Add Signup Feature and Change Database Structure to hold data accordingly

Feel free to work on the signup part where multiple users can register and have their own separate Admin panels rather than having one main Admin Panel.

Tasks:

  1. Add Signup Feature
  2. Change DB Structure to store data by UID for better security

To implement these you need to know Firestore Database and React.

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz - autoclosed

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • yargs-13.3.2.tgz
        • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 01d2522e4209e107bda54c059ee7caae1a2713dc

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (react-scripts): 3.4.4

CVE-2020-7793 (High) detected in ua-parser-js-0.7.22.tgz - autoclosed

CVE-2020-7793 - High Severity Vulnerability

Vulnerable Library - ua-parser-js-0.7.22.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.22.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • ❌ ua-parser-js-0.7.22.tgz (Vulnerable Library)

Found in HEAD commit: 01d2522e4209e107bda54c059ee7caae1a2713dc

Found in base branch: master

Vulnerability Details

The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Publish Date: 2020-12-11

URL: CVE-2020-7793

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-11

Fix Resolution: 0.7.23

Add Protect Link With Password While Creating The Link

Right now links can be protected only after creating them, by clicking on the lock icon. It would be better if it could be added while creating the link itself, under the activity tracking switch, and if left blank it should not protect the link.

Adding space as a short url breaks the app

Describe the bug
We are able to create short links with spaces in them, but if we create that kind of short link and try to go to the link we shortened, we get a console error.

To Reproduce
Steps to reproduce the behavior:

  1. Click on the button to create new short link
  2. As the name of the link (in Custom URL) put text with at least one space (for example "test space")
  3. Click on button shorten
  4. Click on the eye icon (on the list type view) to go to the custom URL
  5. The loader is constantly visible, the page doesn't redirect and in console we get an error

Expected behavior
When creating the Custom URL, I'm not able to put any spaces
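
The report above is a validation gap: nothing stops a slug containing whitespace from being stored, and the redirect page then cannot resolve it. Below is an added example, not FireShort's own validator, that rejects such slugs at creation time and re-checks the decoded path segment on the redirect side. It goes beyond the space case to the other inputs that break a URL path segment or a Firestore document id. The allowed alphabet, the 64-character limit, the reserved route names and the assumption that the slug is used as the document id are choices made for the example.

```javascript
// Added example (not FireShort's code). Assumptions: the slug is one URL
// path segment and doubles as the Firestore document id of the link, so it
// must be a single segment, must not be "." or "..", must not contain "/",
// and must not match __.*__ (reserved by Firestore). The alphabet, length
// limit and reserved route names below are choices made for this example.

const SLUG_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;
// Routes the app itself serves (assumed names); a slug equal to one of these
// would shadow the route.
const RESERVED_ROUTES = new Set(["login", "signup", "dashboard", "analytics", "api"]);

// Returns { ok: true, slug } with the trimmed slug, or { ok: false, reason }.
// The specific checks come first so the user gets a precise message; the
// regex at the end is the real gate and covers all of them.
function validateSlug(input) {
  if (typeof input !== "string") return { ok: false, reason: "slug must be a string" };
  const slug = input.trim();
  if (slug === "") return { ok: false, reason: "slug is empty" };
  if (/\s/.test(slug)) return { ok: false, reason: "slug must not contain spaces" };
  if (slug.includes("/")) return { ok: false, reason: "slug must be a single path segment" };
  if (slug === "." || slug === "..") return { ok: false, reason: "slug must not be . or .." };
  if (!SLUG_RE.test(slug)) {
    return {
      ok: false,
      reason: "slug may use letters, digits, - and _ only, must start with a letter or digit, and may be at most 64 characters",
    };
  }
  if (RESERVED_ROUTES.has(slug.toLowerCase())) return { ok: false, reason: "slug is a reserved route" };
  return { ok: true, slug };
}

// Redirect side: the browser delivers the segment percent-encoded (a stored
// "test space" arrives as "test%20space"), so decode it and run the same
// validation before touching the database. A malformed escape sequence makes
// decodeURIComponent throw, which is reported rather than propagated.
function slugFromPath(pathname) {
  const segment = pathname.replace(/^\/+/, "");
  let decoded;
  try {
    decoded = decodeURIComponent(segment);
  } catch (e) {
    return { ok: false, reason: "malformed percent-encoding" };
  }
  return validateSlug(decoded);
}
```

Applying the same `validateSlug` on both sides means a slug that was stored before the check existed is refused at redirect time with a clear reason instead of leaving the loader spinning on a console error.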

Add a beautiful Home Page/Front Page

Right now the App has no Front Page/Home Page before the users log in; it would be awesome to have a beautiful front page with illustrations, features and animations. Very good feature issue for contributors who love front-end designing :)

Welcome to DWOC S01 - Discussions

Please feel free to use this issue to discuss any of the issues or to suggest new feature/bug issues. Issues will be assigned on a first-come basis. All the best!

CVE-2021-24033 (Medium) detected in react-dev-utils-10.2.1.tgz - autoclosed

CVE-2021-24033 - Medium Severity Vulnerability

Vulnerable Library - react-dev-utils-10.2.1.tgz

webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-10.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/react-dev-utils/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • ❌ react-dev-utils-10.2.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

Publish Date: 2021-03-09

URL: CVE-2021-24033

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.facebook.com/security/advisories/cve-2021-24033

Release Date: 2021-03-09

Fix Resolution (react-dev-utils): 11.0.4

Direct dependency fix Resolution (react-scripts): 4.0.0

Add Auto Link Expiry

Users, if they want, can set an end date and time for their links so that the link automatically expires and does not redirect to the destination link. The only logic needed here is: if (current timestamp < end date timestamp) -> redirect, else don't, and show appropriate errors accordingly.

Add confirmation dialog before deleting a link

Is your feature request related to a problem? Please describe.
Right now the created links are deleted as soon as "Delete" is clicked, this is not ideal

Describe the solution you'd like
Add a confirmation dialog which first asks the user if they want to delete the link or not

Login page is narrowed on mobile

Describe the bug
When the site is accessed from an iPhone, the login page is narrowed and parts are cut off.

To Reproduce
Steps to reproduce the behavior:

  1. When you start the local server, visit it on your phone using the IP address (e.g. http://192.168.1.50:3000)

Screenshots
(screenshot: fireshort3.png)

Smartphone (please complete the following information):

  • Device: [e.g. iPhone 11]
  • OS: [e.g. iOS 14.0.1]
  • Browser [e.g. chrome]

Additional context
mobile experience is important to most.

Develop an analytics page

I'm opening this issue to start developing the Analytics page as mentioned in the README of this project.

The page is already under development, and I'm using this issue to ask some questions

Here are some ideas I have in mind:

  • A visualization of the total of clicks of a link
  • A visualization of the total of clicks today
  • Average of clicks per day
  • A graph showing clicks per day

Any other ideas?

Here is a quick view of what I've already done:

(screenshot)

Show a message when no links are available

Is your feature request related to a problem? Please describe.
Right now when there are no links present on first login of the user, the page remains blank without any message being shown

Describe the solution you'd like
Add a message saying no links present with a good matching illustration indicating it and a swirly arrow pointing towards the add button on the bottom right

Additional context

(screenshot: Screenshot 2020-10-05 at 9.34.17 AM)

Revamp Login Page

Revamp the entire Login Page to look much better and make it more intuitive, The only requirement is you need to know basic React and CSS.

CVE-2020-15168 (Medium) detected in node-fetch-1.7.3.tgz - autoclosed

CVE-2020-15168 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: FireShort/package.json

Path to vulnerable library: FireShort/node_modules/isomorphic-fetch/node_modules/node-fetch/package.json

Dependency Hierarchy:

  • firebase-7.21.1.tgz (Root Library)
    • functions-0.4.51.tgz
      • isomorphic-fetch-2.2.1.tgz
        • ❌ node-fetch-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 45013b4b5e1034a16c202c95b757387ea0d1ba21

Found in base branch: master

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-07-21

Fix Resolution: 2.6.1,3.0.0-beta.9

Request for Signup Page

Is your feature request related to a problem? Please describe.
I see there's a login screen, but no signup page. How does a user sign up to this platform?

Describe the solution you'd like
I'd like to create a signup page and persist user data on localStorage on both login and signup.

CVE-2020-7765 (Medium) detected in util-0.3.2.tgz - autoclosed

CVE-2020-7765 - Medium Severity Vulnerability

Vulnerable Library - util-0.3.2.tgz

_NOTE: This is specifically tailored for Firebase JS SDK usage, if you are not a member of the Firebase team, please avoid using this package_

Library home page: https://registry.npmjs.org/@firebase/util/-/util-0.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@firebase/util/package.json

Dependency Hierarchy:

  • firebase-7.22.0.tgz (Root Library)
    • ❌ util-0.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 01d2522e4209e107bda54c059ee7caae1a2713dc

Found in base branch: master

Vulnerability Details

This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

Publish Date: 2020-11-16

URL: CVE-2020-7765

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7765

Release Date: 2020-11-16

Fix Resolution (@firebase/util): 0.3.3-2020922203858

Direct dependency fix Resolution (firebase): 7.22.1-canary.0e308b623
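
Four of the advisories on this page (grpc-js, object-path, y18n and this one for @firebase/util) are the same bug class: a deep-merge or path-set routine that walks attacker-controlled keys and ends up writing to `Object.prototype` through `__proto__`. The block below is an added example, not code from any of those libraries, with a deliberately naive merge that reproduces the pollution beside a hardened version; `runPollutionDemo` exercises both on a constructed payload and removes the polluted property again so the process is left clean.

```javascript
// Added example, not code from @grpc/grpc-js, object-path, y18n or
// @firebase/util: a naive deep merge of the kind those advisories describe,
// beside a hardened one.

// Vulnerable: walks every enumerable key of `source`, including an own
// property literally named "__proto__" (which JSON.parse happily creates).
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// the attacker's keys onto the prototype shared by every object.
function unsafeDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened: own keys only, the three prototype-reaching names are skipped,
// and the recursion only descends into plain objects that `target` owns
// itself, never into something inherited.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the attack against both merges and reports what happened. The polluted
// property is removed afterwards so the rest of the process is unaffected.
function runPollutionDemo() {
  // Constructed attacker input, e.g. a JSON request body or a parsed config.
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "x"}');
  const result = {};
  try {
    unsafeDeepMerge({}, payload);
    result.unsafePolluted = ({}).isAdmin === true; // true: every object is now "isAdmin"
  } finally {
    delete Object.prototype.isAdmin;
  }
  const merged = safeDeepMerge({}, payload);
  result.safePolluted = ({}).isAdmin === true;      // false
  result.safeKeys = Object.keys(merged);            // ["name"]: __proto__ was dropped
  return result;
}
```

The two checks that matter are the key denylist and the own-property test before descending; `Object.keys` alone is not enough, because the `__proto__` key created by `JSON.parse` is an own enumerable property and would still be visited. Checking `({}).isAdmin` after a merge is also a cheap assertion to keep in a test suite for any code that merges untrusted input.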
