Sample web application demonstrating TIBCO Jaspersoft. Try it live at:
Home Page: https://www.jaspersoft.com/fresh-delivery
License: GNU Affero General Public License v3.0
HTML 8.49%
CSS 87.39%
JavaScript 3.86%
Shell 0.26%
js-fdsample's Issues
CVE-2019-8331 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.1.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js
Path to dependency file: JS-FDSample/newAdhocView.html
Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js
Dependency Hierarchy:
❌ bootstrap-3.3.1.min.js (Vulnerable Library)
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1, 4.3.1; bootstrap-sass - 3.4.1, 4.3.1
CVE-2018-20676 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.1.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js
Path to dependency file: JS-FDSample/newAdhocView.html
Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js
Dependency Hierarchy:
❌ bootstrap-3.3.1.min.js (Vulnerable Library)
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
CVE-2019-10746 - High Severity Vulnerability
Vulnerable Library - mixin-deep-1.3.1.tgz
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/mixin-deep/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
❌ mixin-deep-1.3.1.tgz (Vulnerable Library)
Vulnerability Details
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (mixin-deep): 1.3.2
Direct dependency fix Resolution (gulp-load-plugins): 2.0.0
WS-2018-0590 - High Severity Vulnerability
Vulnerable Library - diff-1.0.8.tgz
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-1.0.8.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/diff/package.json
Dependency Hierarchy:
gulp-jsbeautifier-1.0.2.tgz (Root Library)
ansidiff-1.0.0.tgz
❌ diff-1.0.8.tgz (Vulnerable Library)
Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d
Vulnerability Details
A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2018-03-05
URL: WS-2018-0590
CVSS 3 Score Details (7.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2018-03-05
Fix Resolution (diff): 3.5.0
Direct dependency fix Resolution (gulp-jsbeautifier): 2.0.1
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.11.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js
Path to dependency file: /JS-FDSample/healthy-choices.html
Path to vulnerable library: /healthy-choices.html
Dependency Hierarchy:
❌ jquery-1.11.2.min.js (Vulnerable Library)
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
WS-2016-0090 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.11.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js
Path to dependency file: /JS-FDSample/healthy-choices.html
Path to vulnerable library: /JS-FDSample/healthy-choices.html
Dependency Hierarchy:
❌ jquery-1.11.2.min.js (Vulnerable Library)
Vulnerability Details
JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
CVSS 2 Score Details (4.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
CVE-2021-23337 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.11.tgz , lodash-1.0.2.tgz
lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/gulp-jsbeautifier/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-jshint-2.1.0.tgz (Root Library)
❌ lodash-4.17.11.tgz (Vulnerable Library)
lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2016-10540 - High Severity Vulnerability
Vulnerable Libraries - minimatch-2.0.10.tgz , minimatch-0.2.14.tgz
minimatch-2.0.10.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-stream-3.1.18.tgz
❌ minimatch-2.0.10.tgz (Vulnerable Library)
minimatch-0.2.14.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/globule/node_modules/minimatch/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ minimatch-0.2.14.tgz (Vulnerable Library)
Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d
Vulnerability Details
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540
Release Date: 2018-05-31
Fix Resolution (minimatch): 3.0.2
Direct dependency fix Resolution (gulp): 4.0.0
Fix Resolution (minimatch): 3.0.2
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2018-14042 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.1.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js
Path to dependency file: JS-FDSample/newAdhocView.html
Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js
Dependency Hierarchy:
❌ bootstrap-3.3.1.min.js (Vulnerable Library)
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2, org.webjars:bootstrap:3.4.0
CVE-2019-10747 - High Severity Vulnerability
Vulnerable Libraries - set-value-2.0.0.tgz , set-value-0.4.3.tgz
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
❌ set-value-2.0.0.tgz (Vulnerable Library)
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
union-value-1.0.0.tgz
❌ set-value-0.4.3.tgz (Vulnerable Library)
Vulnerability Details
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-10-29
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (gulp-load-plugins): 2.0.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (gulp-load-plugins): 2.0.0
CVE-2021-44906 - High Severity Vulnerability
Vulnerable Libraries - minimist-1.2.0.tgz , minimist-0.0.8.tgz
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
❌ minimist-1.2.0.tgz (Vulnerable Library)
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
mkdirp-0.5.1.tgz
❌ minimist-0.0.8.tgz (Vulnerable Library)
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (gulp): 4.0.0
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2020-8203 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.11.tgz , lodash-1.0.2.tgz
lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/gulp-jsbeautifier/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-jshint-2.1.0.tgz (Root Library)
❌ lodash-4.17.11.tgz (Vulnerable Library)
lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.9
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2022-37609 - High Severity Vulnerability
Vulnerable Library - js-beautify-1.10.0.tgz
beautifier.io for node
Library home page: https://registry.npmjs.org/js-beautify/-/js-beautify-1.10.0.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/js-beautify/package.json
Dependency Hierarchy:
gulp-jsbeautifier-1.0.2.tgz (Root Library)
❌ js-beautify-1.10.0.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js.
Publish Date: 2022-10-11
URL: CVE-2022-37609
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
CVE-2022-0144 - High Severity Vulnerability
Vulnerable Library - shelljs-0.3.0.tgz
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.3.0.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/shelljs/package.json
Dependency Hierarchy:
jshint-2.10.2.tgz (Root Library)
❌ shelljs-0.3.0.tgz (Vulnerable Library)
Vulnerability Details
shelljs is vulnerable to Improper Privilege Management.
Publish Date: 2022-01-11
URL: CVE-2022-0144
CVSS 3 Score Details (7.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-01-11
Fix Resolution (shelljs): 0.8.5
Direct dependency fix Resolution (jshint): 2.13.4
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.11.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js
Path to dependency file: /JS-FDSample/healthy-choices.html
Path to vulnerable library: /healthy-choices.html
Dependency Hierarchy:
❌ jquery-1.11.2.min.js (Vulnerable Library)
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6, https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0; jquery-rails - 4.4.0
CVE-2021-23440 - High Severity Vulnerability
Vulnerable Libraries - set-value-2.0.0.tgz , set-value-0.4.3.tgz
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
❌ set-value-2.0.0.tgz (Vulnerable Library)
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
union-value-1.0.0.tgz
❌ set-value-0.4.3.tgz (Vulnerable Library)
Vulnerability Details
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23440
Release Date: 2021-09-12
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (gulp-load-plugins): 2.0.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (gulp-load-plugins): 2.0.0
CVE-2015-9251 - Low Severity Vulnerability
Vulnerable Library - jquery-1.11.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js
Path to dependency file: /JS-FDSample/healthy-choices.html
Path to vulnerable library: /healthy-choices.html
Dependency Hierarchy:
❌ jquery-1.11.2.min.js (Vulnerable Library)
Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (3.7)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
CVE-2018-20677 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.1.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js
Path to dependency file: JS-FDSample/newAdhocView.html
Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js
Dependency Hierarchy:
❌ bootstrap-3.3.1.min.js (Vulnerable Library)
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0; NorDroN.AngularTemplate - 0.1.6; Dynamic.NET.Express.ProjectTemplates - 0.8.0; dotnetng.template - 1.0.0.4; ZNxtApp.Core.Module.Theme - 1.0.9-Beta; JMeter - 5.0.0
CVE-2018-14040 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.1.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js
Path to dependency file: JS-FDSample/newAdhocView.html
Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js
Dependency Hierarchy:
❌ bootstrap-3.3.1.min.js (Vulnerable Library)
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2, org.webjars:bootstrap:3.4.0
CVE-2021-23343 - High Severity Vulnerability
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
resolve-1.11.0.tgz
❌ path-parse-1.0.6.tgz (Vulnerable Library)
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (gulp-load-plugins): 2.0.0
Hello,
on point number 2 of the installation process, you point to a non-existing file (FRESHDELIVERY_PATH/JasperServerResources/freshDelivery-RepositoryExport.zip), I'm assuming you're referring to FRESHDELIVERY_PATH/JasperServerResources/FreshDelivery-Repository-Large.zip
Cheers,
Davide
WS-2019-0185 - High Severity Vulnerability
Vulnerable Library - lodash.merge-4.6.1.tgz
The Lodash method `_.merge` exported as a module.
Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.1.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: JS-FDSample/node_modules/lodash.merge/package.json
Dependency Hierarchy:
gulp-jshint-2.1.0.tgz (Root Library)
rcloader-0.2.2.tgz
❌ lodash.merge-4.6.1.tgz (Vulnerable Library)
Vulnerability Details
lodash.merge before 4.6.2 is vulnerable to prototype pollution. The function merge() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2019-08-14
URL: WS-2019-0185
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1066
Release Date: 2019-08-14
Fix Resolution: 4.6.2
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Libraries - minimatch-3.0.4.tgz , minimatch-2.0.10.tgz , minimatch-0.2.14.tgz
minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/gulp-jshint/node_modules/minimatch/package.json
Dependency Hierarchy:
gulp-jshint-2.1.0.tgz (Root Library)
❌ minimatch-3.0.4.tgz (Vulnerable Library)
minimatch-2.0.10.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-stream-3.1.18.tgz
❌ minimatch-2.0.10.tgz (Vulnerable Library)
minimatch-0.2.14.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/globule/node_modules/minimatch/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ minimatch-0.2.14.tgz (Vulnerable Library)
Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Libraries - minimist-1.2.0.tgz , minimist-0.0.8.tgz
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
❌ minimist-1.2.0.tgz (Vulnerable Library)
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
mkdirp-0.5.1.tgz
❌ minimist-0.0.8.tgz (Vulnerable Library)
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 1.2.3
Direct dependency fix Resolution (gulp): 4.0.0
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2020-7788 - High Severity Vulnerability
Vulnerable Library - ini-1.3.5.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/ini/package.json
Dependency Hierarchy:
gulp-jsbeautifier-1.0.2.tgz (Root Library)
rc-1.2.8.tgz
❌ ini-1.3.5.tgz (Vulnerable Library)
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
CVSS 3 Score Details (7.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (gulp-jsbeautifier): 2.0.1
WS-2020-0070 - High Severity Vulnerability
Vulnerable Library - lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /tmp/git/JS-FDSample/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Vulnerability Details
A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
CVE-2019-10744 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.11.tgz , lodash.merge-4.6.1.tgz , lodash.template-3.6.2.tgz , lodash-1.0.2.tgz
lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/gulp-jsbeautifier/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-jshint-2.1.0.tgz (Root Library)
❌ lodash-4.17.11.tgz (Vulnerable Library)
lodash.merge-4.6.1.tgz
The Lodash method `_.merge` exported as a module.
Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.1.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/lodash.merge/package.json
Dependency Hierarchy:
gulp-jshint-2.1.0.tgz (Root Library)
rcloader-0.2.2.tgz
❌ lodash.merge-4.6.1.tgz (Vulnerable Library)
lodash.template-3.6.2.tgz
The modern build of lodash’s `_.template` as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/lodash.template/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
gulp-util-3.0.8.tgz
❌ lodash.template-3.6.2.tgz (Vulnerable Library)
lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash.template): 4.5.0
Direct dependency fix Resolution (gulp): 4.0.0
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2019-20149 - High Severity Vulnerability
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/kind-of/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
micromatch-3.1.10.tgz
❌ kind-of-6.0.2.tgz (Vulnerable Library)
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2020-08-24
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (gulp-load-plugins): 2.0.0
CVE-2018-3721 - Medium Severity Vulnerability
Vulnerable Library - lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d
Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Release Date: 2018-06-07
Fix Resolution (lodash): 4.17.5
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2021-23440 - High Severity Vulnerability
Vulnerable Libraries - set-value-2.0.0.tgz , set-value-0.4.3.tgz
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
❌ set-value-2.0.0.tgz (Vulnerable Library)
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
union-value-1.0.0.tgz
❌ set-value-0.4.3.tgz (Vulnerable Library)
Vulnerability Details
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23440
Release Date: 2021-09-12
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (gulp-load-plugins): 2.0.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (gulp-load-plugins): 2.0.0
CVE-2020-28500 - Medium Severity Vulnerability
Vulnerable Libraries - lodash-4.17.11.tgz , lodash-1.0.2.tgz
lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/gulp-jsbeautifier/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-jshint-2.1.0.tgz (Root Library)
❌ lodash-4.17.11.tgz (Vulnerable Library)
lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2018-16487 - Medium Severity Vulnerability
Vulnerable Library - lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2016-10735 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.1.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.1/js/bootstrap.min.js
Path to dependency file: JS-FDSample/newAdhocView.html
Path to vulnerable library: JS-FDSample/js/vendor/bootstrap.min.js
Dependency Hierarchy:
❌ bootstrap-3.3.1.min.js (Vulnerable Library)
Vulnerability Details
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#20184
Release Date: 2019-01-09
Fix Resolution: 3.4.0
CVE-2015-9521 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.11.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js
Path to dependency file: /JS-FDSample/healthy-choices.html
Path to vulnerable library: /JS-FDSample/healthy-choices.html
Dependency Hierarchy:
❌ jquery-1.11.2.min.js (Vulnerable Library)
Vulnerability Details
The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
Publish Date: 2019-10-23
URL: CVE-2015-9521
CVSS 2 Score Details (4.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-10-23
Fix Resolution: 2.2.0
WS-2019-0381 - Medium Severity Vulnerability
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /tmp/git/JS-FDSample/node_modules/kind-of/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
micromatch-3.1.10.tgz
❌ kind-of-6.0.2.tgz (Vulnerable Library)
Vulnerability Details
Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.
Publish Date: 2020-03-18
URL: WS-2019-0381
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: jonschlinkert/kind-of@975c13a
Release Date: 2020-03-18
Fix Resolution: kind-of - 6.0.3
CVE-2019-11358 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.11.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js
Path to dependency file: /JS-FDSample/healthy-choices.html
Path to vulnerable library: /healthy-choices.html
Dependency Hierarchy:
❌ jquery-1.11.2.min.js (Vulnerable Library)
Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
WS-2017-3737 - Medium Severity Vulnerability
Vulnerable Library - shelljs-0.3.0.tgz
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.3.0.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /tmp/git/JS-FDSample/node_modules/shelljs/package.json
Dependency Hierarchy:
jshint-2.10.2.tgz (Root Library)
❌ shelljs-0.3.0.tgz (Vulnerable Library)
Found in HEAD commit: a100ab54beb40876623fc66b8022541f7ad68d0d
Vulnerability Details
Shelljs 0.8.3 and before are vulnerable to Command Injection. Commands invoked from shell.exec() may include input from external sources that is passed as arguments to system executables, allowing an attacker to inject arbitrary commands.
Publish Date: 2019-06-16
URL: WS-2017-3737
CVSS 2 Score Details (5.5)
Base Score Metrics not available
CVE-2022-38900 - High Severity Vulnerability
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
gulp-load-plugins-1.6.0.tgz (Root Library)
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
source-map-resolve-0.5.2.tgz
❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Hello guys,
Some days ago I noticed this issue, marianol/FreshDeliveryDemo#6, on your previous repository. I suggest you fix the README file; otherwise other people like me will become frustrated as well.
Cheers,
Davide
CVE-2019-1010266 - Medium Severity Vulnerability
Vulnerable Library - lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /JS-FDSample/package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266
Release Date: 2019-07-17
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (gulp): 4.0.0