tibcosoftware / js-fdsample Goto Github PK

Vulnerable Library - bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: JS-FDSample/newAdhocView.html

Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js

Dependency Hierarchy:

• ❌ bootstrap-3.3.1.min.js (Vulnerable Library)

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

Vulnerable Library - bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: JS-FDSample/newAdhocView.html

Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js

Dependency Hierarchy:

• ❌ bootstrap-3.3.1.min.js (Vulnerable Library)

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/mixin-deep/package.json

Dependency Hierarchy:

• gulp-load-plugins-1.6.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Vulnerable Library - diff-1.0.8.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.0.8.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/diff/package.json

Dependency Hierarchy:

• gulp-jsbeautifier-1.0.2.tgz (Root Library)
  • ansidiff-1.0.0.tgz
    • ❌ diff-1.0.8.tgz (Vulnerable Library)

Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (gulp-jsbeautifier): 2.0.1

Vulnerable Library - jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /JS-FDSample/healthy-choices.html

Path to vulnerable library: /healthy-choices.html

Dependency Hierarchy:

• ❌ jquery-1.11.2.min.js (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /JS-FDSample/healthy-choices.html

Path to vulnerable library: /JS-FDSample/healthy-choices.html

Dependency Hierarchy:

• ❌ jquery-1.11.2.min.js (Vulnerable Library)

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (gulp): 4.0.0

Vulnerable Libraries - minimatch-2.0.10.tgz, minimatch-0.2.14.tgz

Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-05-31

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (gulp): 4.0.0

Vulnerable Library - bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: JS-FDSample/newAdhocView.html

Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js

Dependency Hierarchy:

• ❌ bootstrap-3.3.1.min.js (Vulnerable Library)

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-29

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (gulp): 4.0.0

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.9

Direct dependency fix Resolution (gulp): 4.0.0

Vulnerable Library - js-beautify-1.10.0.tgz

beautifier.io for node

Library home page: https://registry.npmjs.org/js-beautify/-/js-beautify-1.10.0.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/js-beautify/package.json

Dependency Hierarchy:

• gulp-jsbeautifier-1.0.2.tgz (Root Library)
  • ❌ js-beautify-1.10.0.tgz (Vulnerable Library)

Vulnerability Details

Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js.

Publish Date: 2022-10-11

URL: CVE-2022-37609

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - shelljs-0.3.0.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.3.0.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/shelljs/package.json

Dependency Hierarchy:

• jshint-2.10.2.tgz (Root Library)
  • ❌ shelljs-0.3.0.tgz (Vulnerable Library)

Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-11

Fix Resolution (shelljs): 0.8.5

Direct dependency fix Resolution (jshint): 2.13.4

Vulnerable Library - jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /JS-FDSample/healthy-choices.html

Path to vulnerable library: /healthy-choices.html

Dependency Hierarchy:

• ❌ jquery-1.11.2.min.js (Vulnerable Library)

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Vulnerability Details

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

Publish Date: 2021-09-12

URL: CVE-2021-23440

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23440

Release Date: 2021-09-12

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Vulnerable Library - jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /JS-FDSample/healthy-choices.html

Path to vulnerable library: /healthy-choices.html

Dependency Hierarchy:

• ❌ jquery-1.11.2.min.js (Vulnerable Library)

Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

Vulnerable Library - bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: JS-FDSample/newAdhocView.html

Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js

Dependency Hierarchy:

• ❌ bootstrap-3.3.1.min.js (Vulnerable Library)

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

Vulnerable Library - bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: JS-FDSample/newAdhocView.html

Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js

Dependency Hierarchy:

• ❌ bootstrap-3.3.1.min.js (Vulnerable Library)

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

• gulp-load-plugins-1.6.0.tgz (Root Library)
  • resolve-1.11.0.tgz
    • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Vulnerable Library - lodash.merge-4.6.1.tgz

The Lodash method `_.merge` exported as a module.

Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.1.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: JS-FDSample/node_modules/lodash.merge/package.json

Dependency Hierarchy:

• gulp-jshint-2.1.0.tgz (Root Library)
  • rcloader-0.2.2.tgz
    • ❌ lodash.merge-4.6.1.tgz (Vulnerable Library)

Vulnerability Details

lodash.merge before 4.6.2 is vulnerable to prototype pollution. The function merge() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2019-08-14

URL: WS-2019-0185

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1066

Release Date: 2019-08-14

Fix Resolution: 4.6.2

Vulnerable Libraries - minimatch-3.0.4.tgz, minimatch-2.0.10.tgz, minimatch-0.2.14.tgz

Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (gulp): 4.0.0

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/ini/package.json

Dependency Hierarchy:

• gulp-jsbeautifier-1.0.2.tgz (Root Library)
  • rc-1.2.8.tgz
    • ❌ ini-1.3.5.tgz (Vulnerable Library)

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (gulp-jsbeautifier): 2.0.1

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /tmp/git/JS-FDSample/node_modules/lodash/package.json

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (gulp): 4.0.0

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/kind-of/package.json

Dependency Hierarchy:

• gulp-load-plugins-1.6.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2020-08-24

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (gulp): 4.0.0

Vulnerability Details

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

Publish Date: 2021-09-12

URL: CVE-2021-23440

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23440

Release Date: 2021-09-12

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Vulnerability Details

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

Publish Date: 2021-09-12

URL: CVE-2021-23440

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23440

Release Date: 2021-09-12

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (gulp-load-plugins): 2.0.0

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (gulp): 4.0.0

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (gulp): 4.0.0

Vulnerable Library - bootstrap-3.3.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js

Path to dependency file: JS-FDSample/newAdhocView.html

Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js

Dependency Hierarchy:

• ❌ bootstrap-3.3.1.min.js (Vulnerable Library)

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#20184

Release Date: 2019-01-09

Fix Resolution: 3.4.0

Vulnerable Library - jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /JS-FDSample/healthy-choices.html

Path to vulnerable library: /JS-FDSample/healthy-choices.html

Dependency Hierarchy:

• ❌ jquery-1.11.2.min.js (Vulnerable Library)

Vulnerability Details

The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.

Publish Date: 2019-10-23

URL: CVE-2015-9521

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-10-23

Fix Resolution: 2.2.0

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /tmp/git/JS-FDSample/node_modules/kind-of/package.json

Dependency Hierarchy:

• gulp-load-plugins-1.6.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Vulnerability Details

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Publish Date: 2020-03-18

URL: WS-2019-0381

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/kind-of@975c13a

Release Date: 2020-03-18

Fix Resolution: kind-of - 6.0.3

Vulnerable Library - jquery-1.11.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js

Path to dependency file: /JS-FDSample/healthy-choices.html

Path to vulnerable library: /healthy-choices.html

Dependency Hierarchy:

• ❌ jquery-1.11.2.min.js (Vulnerable Library)

Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

Vulnerable Library - shelljs-0.3.0.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.3.0.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /tmp/git/JS-FDSample/node_modules/shelljs/package.json

Dependency Hierarchy:

• jshint-2.10.2.tgz (Root Library)
  • ❌ shelljs-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d

Vulnerability Details

Shelljs 0.8.3 and before are vulnerable to Command Injection. Commands can be invoked from shell.exec(), those commands will include input from external sources, to be passed as arguments to system executables and allowing an attacker to inject arbitrary commands.

Publish Date: 2019-06-16

URL: WS-2017-3737

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

• gulp-load-plugins-1.6.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • source-map-resolve-0.5.2.tgz
        • ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /JS-FDSample/package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (gulp): 4.0.0