
loftwah / shop.grindmodecypher.com

2.0 0.0 0.0 188.84 MB

This is the repository for shop.grindmodecypher.com, a website I have built and maintain for the music group I am in, Grind Mode Cypher.

Home Page: https://shop.grindmodecypher.com

License: GNU General Public License v3.0

Languages: PHP 81.09%, CSS 0.72%, JavaScript 11.50%, Shell 0.01%, HTML 0.08%, Hack 0.01%, SCSS 1.50%, TypeScript 5.10%, XSLT 0.01%

Topics: music, hiphop, rap, wordpress, woocommerce, hacktoberfest

shop.grindmodecypher.com's Introduction

shop.grindmodecypher.com



Grind Mode Cypher Shop

shop.grindmodecypher.com's People

Contributors

imgbotapp, loftwah, mend-bolt-for-github[bot]


shop.grindmodecypher.com's Issues

CVE-2021-23382 (Medium) detected in postcss-6.0.23.tgz, postcss-7.0.35.tgz - autoclosed

CVE-2021-23382 - Medium Severity Vulnerability

Vulnerable Libraries - postcss-6.0.23.tgz, postcss-7.0.35.tgz

postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/rtlcss/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-css-variables/node_modules/postcss/package.json

Dependency Hierarchy:

  • rtlcss-2.6.2.tgz (Root Library)
    • postcss-6.0.23.tgz (Vulnerable Library)

postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss/package.json

Dependency Hierarchy:

  • autoprefixer-9.8.6.tgz (Root Library)
    • postcss-7.0.35.tgz (Vulnerable Library)

Found in HEAD commit: f76eb45f05fc57f4d5bec69ba3676f8e8599072d

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13


CVE-2021-3807 (High) detected in ansi-regex-4.1.0.tgz, ansi-regex-5.0.0.tgz - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-5.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • chokidar-cli-2.1.0.tgz (Root Library)
    • yargs-13.3.2.tgz
      • cliui-5.0.0.tgz
        • strip-ansi-5.2.0.tgz
          • ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/stylelint/node_modules/ansi-regex/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-cli/node_modules/ansi-regex/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/table/node_modules/ansi-regex/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/eslint/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • postcss-cli-8.3.1.tgz (Root Library)
    • yargs-16.2.0.tgz
      • cliui-7.0.4.tgz
        • strip-ansi-6.0.0.tgz
          • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 791ab6f4f26321203d0ec54e7ab2a311ee8a55de

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1


CVE-2021-30130 (High) detected in phpseclib/phpseclib-2.0.10 - autoclosed

CVE-2021-30130 - High Severity Vulnerability

Vulnerable Library - phpseclib/phpseclib-2.0.10

PHP Secure Communications Library

Dependency Hierarchy:

  • google/apiclient-v2.2.1 (Root Library)
    • phpseclib/phpseclib-2.0.10 (Vulnerable Library)

Found in HEAD commit: f76eb45f05fc57f4d5bec69ba3676f8e8599072d

Found in base branch: master

Vulnerability Details

phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.

Publish Date: 2021-04-06

URL: CVE-2021-30130

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30130

Release Date: 2021-04-06

Fix Resolution: 2.0.31, 3.0.7


CVE-2020-12648 (Medium) detected in tinymce-4.6.5.min.js - autoclosed

CVE-2020-12648 - Medium Severity Vulnerability

Vulnerable Library - tinymce-4.6.5.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.6.5/tinymce.min.js

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/Divi/includes/builder/frontend-builder/assets/vendors/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.6.5.min.js (Vulnerable Library)

Found in HEAD commit: 71aa041ac41d7e5c1657a2d660e0f48c6fc21e2f

Found in base branch: master

Vulnerability Details

A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode.

Publish Date: 2020-08-14

URL: CVE-2020-12648

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12648

Release Date: 2020-07-21

Fix Resolution: 4.9.11,5.4.1


CVE-2019-11358 (Medium) detected in jquery-3.1.1.min.js - autoclosed

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to vulnerable library: /wp-content/plugins/official-facebook-pixel/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

  • jquery-3.1.1.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0


CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz - autoclosed

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/path-parse/package.json

Dependency Hierarchy:

  • eslint-plugin-9.0.6.tgz (Root Library)
    • babel-eslint-10.1.0.tgz
      • resolve-1.19.0.tgz
        • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: c72f51dc0842d9bbf6ebb749b3217b005da6b45c

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7


CVE-2018-20676 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to vulnerable library: /wp-content/plugins/official-facebook-pixel/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0


CVE-2022-29248 (High) detected in guzzlehttp/guzzle-6.3.3, guzzlehttp/guzzle-6.3.0 - autoclosed

CVE-2022-29248 - High Severity Vulnerability

Vulnerable Libraries - guzzlehttp/guzzle-6.3.3, guzzlehttp/guzzle-6.3.0

guzzlehttp/guzzle-6.3.3

Guzzle, an extensible PHP HTTP client

Dependency Hierarchy:

  • guzzlehttp/guzzle-6.3.3 (Vulnerable Library)

guzzlehttp/guzzle-6.3.0

Guzzle, an extensible PHP HTTP client

Dependency Hierarchy:

  • google/apiclient-v2.2.1 (Root Library)
    • guzzlehttp/guzzle-6.3.0 (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

Publish Date: 2022-05-25

URL: CVE-2022-29248

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248

Release Date: 2022-05-25

Fix Resolution: guzzlehttp/guzzle - 6.5.6,guzzlehttp/guzzle - 7.4.3


CVE-2022-31091 (High) detected in guzzlehttp/guzzle-6.3.3, guzzlehttp/guzzle-6.3.0 - autoclosed

CVE-2022-31091 - High Severity Vulnerability

Vulnerable Libraries - guzzlehttp/guzzle-6.3.3, guzzlehttp/guzzle-6.3.0

guzzlehttp/guzzle-6.3.3

Guzzle, an extensible PHP HTTP client

Dependency Hierarchy:

  • guzzlehttp/guzzle-6.3.3 (Vulnerable Library)

guzzlehttp/guzzle-6.3.0

Guzzle, an extensible PHP HTTP client

Dependency Hierarchy:

  • google/apiclient-v2.2.1 (Root Library)
    • guzzlehttp/guzzle-6.3.0 (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

Guzzle is an extensible PHP HTTP client. Authorization and Cookie headers on requests are sensitive information. In affected versions, on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the Authorization and Cookie headers from the request before continuing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover a change in scheme or port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, simply disable redirects altogether.

Publish Date: 2022-06-27

URL: CVE-2022-31091

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091

Release Date: 2022-06-27

Fix Resolution: 6.5.8,7.4.5


CVE-2021-23343 (Medium) detected in path-parse-1.0.6.tgz - autoclosed

CVE-2021-23343 - Medium Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/path-parse/package.json

Dependency Hierarchy:

  • eslint-plugin-8.0.1.tgz (Root Library)
    • babel-eslint-10.1.0.tgz
      • resolve-1.19.0.tgz
        • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: f76eb45f05fc57f4d5bec69ba3676f8e8599072d

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


CVE-2018-20677 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to vulnerable library: /wp-content/plugins/official-facebook-pixel/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0


CVE-2020-7746 (Critical) detected in Chart-1.0.2.min.js

CVE-2020-7746 - Critical Severity Vulnerability

Vulnerable Library - Chart-1.0.2.min.js

Simple HTML5 charts using the canvas element.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/Chart.js/1.0.2/Chart.min.js

Path to vulnerable library: /wp-content/themes/Divi/includes/builder/scripts/ext/chart.min.js

Dependency Hierarchy:

  • Chart-1.0.2.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

Publish Date: 2020-10-29

URL: CVE-2020-7746

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7746

Release Date: 2020-10-29

Fix Resolution: chart.js - 2.9.4


CVE-2020-7760 (Medium) detected in javascript-5.18.0.js, codemirror-5.18.2.js - autoclosed

CVE-2020-7760 - Medium Severity Vulnerability

Vulnerable Libraries - javascript-5.18.0.js, codemirror-5.18.2.js

javascript-5.18.0.js

In-browser code editing made bearable

Library home page: https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.18.0/mode/javascript/javascript.js

Path to dependency file: shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/javascript/typescript.html

Path to vulnerable library: shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/pug/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/pegjs/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/htmlembedded/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/soy/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/haml/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/gfm/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/ebnf/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/htmlmixed/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/vue/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/jsx/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/php/../javascript/javascript.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/slim/../javascript/javascript.js

Dependency Hierarchy:

  • javascript-5.18.0.js (Vulnerable Library)

codemirror-5.18.2.js

In-browser code editing made bearable

Library home page: https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.18.2/codemirror.js

Path to dependency file: shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/yacas/index.html

Path to vulnerable library: every entry resolves to shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/lib/codemirror.js, referenced as ../../lib/codemirror.js (../../../lib/codemirror.js in the case of rpm/changes) from the following directories under shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/: yacas, pug, velocity, textile, haxe, protobuf, idl, nginx, solr, q, powershell, yaml-frontmatter, soy, sas, d, javascript, slim, dylan, handlebars, sass, toml, cypher, elm, julia, mllike, tcl, oz, modelica, rust, mscgen, mathematica, rst, livescript, haml, sieve, ebnf, xquery, commonlisp, twig, smarty, cobol, vb, smalltalk, lua, dart, vue, ntriples, pascal, scheme, pegjs, stex, asn.1, tiddlywiki, ruby, haskell-literate, htmlmixed, nsis, sql, pig, perl, haskell, erlang, brainfuck, diff, jinja2, asciiarmor, xml, django, mirc, rpm/changes, htmlembedded, ecl, clojure, ttcn-cfg, vhdl, gfm, http, crystal, properties, coffeescript, markdown, css, shell, factor, apl, z80, spreadsheet, fcl, python, dtd (the list is cut off in the source at this point)
r.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/dockerfile/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/stylus/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/go/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/eiffel/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/verilog/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/troff/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/webidl/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/turtle/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/tornado/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/swift/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/forth/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/ttcn/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/rpm/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/yaml/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/fortran/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/octave/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/tiki/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/gas/../../lib/codemirror.js,shop.grin
dmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/mumps/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/vbscript/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/sparql/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/php/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/asterisk/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/puppet/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/jsx/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/clike/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/r/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/groovy/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/mbox/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/gherkin/../../lib/codemirror.js,shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/cmake/../../lib/codemirror.js

Dependency Hierarchy:

  • codemirror-5.18.2.js (Vulnerable Library)

Found in HEAD commit: 71aa041ac41d7e5c1657a2d660e0f48c6fc21e2f

Found in base branch: master

Vulnerability Details

This affects the package codemirror before 5.58.2 and the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located at https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.js#L129. The ReDoS vulnerability of the regex is mainly due to the sub-pattern (s|/.*?/)*.

Publish Date: 2020-10-30

URL: CVE-2020-7760

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7760

Release Date: 2020-07-21

Fix Resolution: codemirror - 5.58.2


Step up your Open Source Security Game with WhiteSource here

CVE-2020-13756 (High) detected in sabberworm/php-css-parser-8.1.0 - autoclosed

CVE-2020-13756 - High Severity Vulnerability

Vulnerable Library - sabberworm/php-css-parser-8.1.0

A Parser for CSS Files written in PHP. Allows extraction of CSS files into a data structure, manipulation of said structure and output as (optimized) CSS

Dependency Hierarchy:

  • dompdf/dompdf-v0.8.3 (Root Library)
    • phenx/php-svg-lib-v0.3.2
      • sabberworm/php-css-parser-8.1.0 (Vulnerable Library)

Found in HEAD commit: f0bccabe236973e3c6d0f68063dabd3ea99e1449

Found in base branch: master

Vulnerability Details

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

Publish Date: 2020-06-03

URL: CVE-2020-13756

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13756

Release Date: 2020-06-03

Fix Resolution: 8.3.1



CVE-2021-22878 (Medium) detected in firebase/php-jwt-v5.0.0 - autoclosed

CVE-2021-22878 - Medium Severity Vulnerability

Vulnerable Library - firebase/php-jwt-v5.0.0

A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.

Library home page: https://api.github.com/repos/firebase/php-jwt/zipball/9984a4d3a32ae7673d6971ea00bae9d0a1abba0e

Dependency Hierarchy:

  • google/apiclient-v2.2.1 (Root Library)
    • firebase/php-jwt-v5.0.0 (Vulnerable Library)

Found in HEAD commit: b5d1663104befcba587f62224d1b86d2e9c8e2dd

Found in base branch: master

Vulnerability Details

Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in OC.Notification.show.

Publish Date: 2021-03-03

URL: CVE-2021-22878

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nextcloud.com/security/advisory/?id=NC-SA-2021-005

Release Date: 2021-03-03

Fix Resolution: v20.0.6



CVE-2021-21252 (High) detected in jquery.validate-1.13.1.min.js

CVE-2021-21252 - High Severity Vulnerability

Vulnerable Library - jquery.validate-1.13.1.min.js

Client-side form validation made easy

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.13.1/jquery.validate.min.js

Path to vulnerable library: /wp-content/plugins/post-smtp/script/jquery-validate/jquery.validate.min.js

Dependency Hierarchy:

  • jquery.validate-1.13.1.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.

Publish Date: 2021-01-13

URL: CVE-2021-21252

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-jxwx-85vp-gvwm

Release Date: 2021-01-13

Fix Resolution: jquery-validation - 1.19.3



CVE-2016-10735 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2016-10735 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to vulnerable library: /wp-content/plugins/official-facebook-pixel/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2



CVE-2021-23382 (Medium) detected in postcss-7.0.35.tgz - autoclosed

CVE-2021-23382 - Medium Severity Vulnerability

Vulnerable Library - postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-scss/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/stylelint/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-less/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-safe-parser/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-sass/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/sugarss/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-focus-within/node_modules/postcss/package.json

Dependency Hierarchy:

  • postcss-focus-within-4.0.0.tgz (Root Library)
    • postcss-7.0.35.tgz (Vulnerable Library)

Found in HEAD commit: c72f51dc0842d9bbf6ebb749b3217b005da6b45c

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13



CVE-2022-24775 (High) detected in guzzlehttp/psr7-1.4.2 - autoclosed

CVE-2022-24775 - High Severity Vulnerability

Vulnerable Library - guzzlehttp/psr7-1.4.2

PSR-7 message implementation that also provides common utility methods

Library home page: https://api.github.com/repos/guzzle/psr7/zipball/f5b8a8512e2b58b0071a7280e39f14f72e05d87c

Dependency Hierarchy:

  • guzzlehttp/psr7-1.4.2 (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

Publish Date: 2022-03-21

URL: CVE-2022-24775

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-q7rv-6hp3-vh96

Release Date: 2022-03-21

Fix Resolution: 1.8.4,2.1.1



CVE-2021-23364 (Medium) detected in browserslist-4.14.7.tgz - autoclosed

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.14.7.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.7.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/browserslist/package.json

Dependency Hierarchy:

  • autoprefixer-9.8.6.tgz (Root Library)
    • browserslist-4.14.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5



CVE-2021-23368 (Medium) detected in postcss-7.0.35.tgz - autoclosed

CVE-2021-23368 - Medium Severity Vulnerability

Vulnerable Library - postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-scss/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/stylelint/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-less/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-safe-parser/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-sass/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/sugarss/node_modules/postcss/package.json,shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss-focus-within/node_modules/postcss/package.json

Dependency Hierarchy:

  • postcss-focus-within-4.0.0.tgz (Root Library)
    • postcss-7.0.35.tgz (Vulnerable Library)

Found in HEAD commit: c72f51dc0842d9bbf6ebb749b3217b005da6b45c

Found in base branch: master

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution: postcss - 8.2.10



CVE-2021-23337 (High) detected in lodash-4.17.20.tgz - autoclosed

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-7.18.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: c72f51dc0842d9bbf6ebb749b3217b005da6b45c

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21



CVE-2022-23491 (High) detected in certifi-2022.6.15-py3-none-any.whl - autoclosed

CVE-2022-23491 - High Severity Vulnerability

Vulnerable Library - certifi-2022.6.15-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/e9/06/d3d367b7af6305b16f0d28ae2aaeb86154fa91f144f036c2d5002a5a202b/certifi-2022.6.15-py3-none-any.whl

Path to dependency file: /wp-content/plugins/google-site-kit/third-party/guzzlehttp/ringphp/docs/requirements.txt

Path to vulnerable library: /wp-content/plugins/google-site-kit/third-party/guzzlehttp/ringphp/docs/requirements.txt

Dependency Hierarchy:

  • sphinx_rtd_theme-1.0.0-py2.py3-none-any.whl (Root Library)
    • Sphinx-5.1.1-py3-none-any.whl
      • requests-2.28.1-py3-none-any.whl
        • certifi-2022.6.15-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution: certifi - 2022.12.07



CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz - autoclosed

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • npm-run-all-4.1.5.tgz (Root Library)
    • read-pkg-3.0.0.tgz
      • normalize-package-data-2.5.0.tgz
        • hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: f76eb45f05fc57f4d5bec69ba3676f8e8599072d

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://github.com/npm/hosted-git-info/releases/tag/v3.0.8

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 3.0.8



CVE-2016-7103 (Medium) detected in jquery-ui-1.11.0.min.js - autoclosed

CVE-2016-7103 - Medium Severity Vulnerability

Vulnerable Library - jquery-ui-1.11.0.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.0/jquery-ui.min.js

Path to dependency file: shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/slim/index.html

Path to vulnerable library: shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/slim/index.html

Dependency Hierarchy:

  • jquery-ui-1.11.0.min.js (Vulnerable Library)

Found in HEAD commit: f0bccabe236973e3c6d0f68063dabd3ea99e1449

Found in base branch: master

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Publish Date: 2017-03-15

URL: CVE-2016-7103

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7103

Release Date: 2017-03-15

Fix Resolution: 1.12.0



CVE-2022-31090 (High) detected in guzzlehttp/guzzle-6.3.3, guzzlehttp/guzzle-6.3.0 - autoclosed

CVE-2022-31090 - High Severity Vulnerability

Vulnerable Libraries - guzzlehttp/guzzle-6.3.3, guzzlehttp/guzzle-6.3.0

guzzlehttp/guzzle-6.3.3

Guzzle, an extensible PHP HTTP client

Dependency Hierarchy:

  • guzzlehttp/guzzle-6.3.3 (Vulnerable Library)

guzzlehttp/guzzle-6.3.0

Guzzle, an extensible PHP HTTP client

Dependency Hierarchy:

  • google/apiclient-v2.2.1 (Root Library)
    • guzzlehttp/guzzle-6.3.0 (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

Guzzle, an extensible PHP HTTP client. Authorization headers on requests are sensitive information. In affected versions, when using the Curl handler, it is possible to use the CURLOPT_HTTPAUTH option to specify an Authorization header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if Guzzle chooses to follow it, it should remove the CURLOPT_HTTPAUTH option before continuing, stopping curl from appending the Authorization header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover a change in scheme or a change in port. If you do not require or expect redirects to be followed, disable redirects altogether. Alternatively, specify the Guzzle stream handler backend rather than curl.

Publish Date: 2022-06-27

URL: CVE-2022-31090

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-25mq-v84q-4j7r

Release Date: 2022-05-19

Fix Resolution: 6.5.8,7.4.5



WS-2021-0413 (Medium) detected in tinymce-4.9.11.min.js

WS-2021-0413 - Medium Severity Vulnerability

Vulnerable Library - tinymce-4.9.11.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.11/tinymce.min.js

Path to vulnerable library: /wp-content/themes/Divi/includes/builder/frontend-builder/assets/vendors/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.11.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

A cross-site scripting (XSS) vulnerability was discovered in the URL processing logic of the image and link plugins. The vulnerability allowed arbitrary JavaScript execution when updating an image or link using a specially crafted URL. This issue only impacted users while editing and the dangerous URLs were stripped in any content extracted from the editor. This impacts all users who are using TinyMCE 5.9.2 or lower.

Publish Date: 2021-11-02

URL: WS-2021-0413

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-r8hm-w5f7-wj39

Release Date: 2021-11-02

Fix Resolution: TinyMCE - 5.10.0, tinymce/tinymce - 5.10.0, TinyMCE - 5.10.0



CVE-2020-28469 (High) detected in glob-parent-5.1.1.tgz - autoclosed

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • eslint-7.18.0.tgz (Root Library)
    • glob-parent-5.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 2c0aa98e22331ca8beb0c1f31a60ac1f7976a796

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2


WS-2021-0154 (Medium) detected in glob-parent-5.1.1.tgz - autoclosed

WS-2021-0154 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • eslint-7.18.0.tgz (Root Library)
    • glob-parent-5.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 2c0aa98e22331ca8beb0c1f31a60ac1f7976a796

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2


CVE-2019-8331 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to vulnerable library: /wp-content/plugins/official-facebook-pixel/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1, 4.3.1; bootstrap-sass - 3.4.1, 4.3.1


WS-2021-0133 (Medium) detected in tinymce-4.9.11.min.js

WS-2021-0133 - Medium Severity Vulnerability

Vulnerable Library - tinymce-4.9.11.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.11/tinymce.min.js

Path to vulnerable library: /wp-content/themes/Divi/includes/builder/frontend-builder/assets/vendors/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.11.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

Cross-site scripting vulnerability was found in TinyMCE before 5.7.1. A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser for form elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs, and then submitting the form. However, as TinyMCE does not allow forms to be submitted while editing, the vulnerability could only be triggered when the content was previewed or rendered outside of the editor.

Publish Date: 2021-05-28

URL: WS-2021-0133

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5vm8-hhgr-jcjp

Release Date: 2021-05-28

Fix Resolution: tinymce - 5.7.1


WS-2021-0025 (Medium) detected in tinymce-4.9.11.min.js

WS-2021-0025 - Medium Severity Vulnerability

Vulnerable Library - tinymce-4.9.11.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.11/tinymce.min.js

Path to vulnerable library: /wp-content/themes/Divi/includes/builder/frontend-builder/assets/vendors/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.11.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser of TinyMCE. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all users who are using TinyMCE 5.5.1 or lower.
The issue has been fixed in TinyMCE 5.6.0.

Publish Date: 2021-02-19

URL: WS-2021-0025

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7jx-j77m-wp65

Release Date: 2021-02-19

Fix Resolution: tinymce - 5.6.0


WS-2021-0001 (High) detected in tinymce-4.9.11.min.js

WS-2021-0001 - High Severity Vulnerability

Vulnerable Library - tinymce-4.9.11.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.11/tinymce.min.js

Path to vulnerable library: /wp-content/themes/Divi/includes/builder/frontend-builder/assets/vendors/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.11.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.
This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.

Publish Date: 2021-01-05

URL: WS-2021-0001

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h96f-fc7c-9r55

Release Date: 2021-01-05

Fix Resolution: tinymce - 5.6.0


CVE-2018-14042 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to vulnerable library: /wp-content/plugins/official-facebook-pixel/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2, org.webjars:bootstrap:3.4.0


CVE-2021-46743 (High) detected in firebase/php-jwt-v5.0.0 - autoclosed

CVE-2021-46743 - High Severity Vulnerability

Vulnerable Library - firebase/php-jwt-v5.0.0

A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.

Library home page: https://api.github.com/repos/firebase/php-jwt/zipball/9984a4d3a32ae7673d6971ea00bae9d0a1abba0e

Dependency Hierarchy:

  • google/apiclient-v2.2.1 (Root Library)
    • firebase/php-jwt-v5.0.0 (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself.

Publish Date: 2022-03-29

URL: CVE-2021-46743

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46743

Release Date: 2022-03-29

Fix Resolution: v6.0.0


CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz - autoclosed

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • npm-run-all-4.1.5.tgz (Root Library)
    • read-pkg-3.0.0.tgz
      • normalize-package-data-2.5.0.tgz
        • hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: c72f51dc0842d9bbf6ebb749b3217b005da6b45c

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 2.8.9, 3.0.8


CVE-2021-23368 (Medium) detected in postcss-7.0.35.tgz - autoclosed

CVE-2021-23368 - Medium Severity Vulnerability

Vulnerable Library - postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/postcss/package.json

Dependency Hierarchy:

  • autoprefixer-9.8.6.tgz (Root Library)
    • postcss-7.0.35.tgz (Vulnerable Library)

Found in HEAD commit: f76eb45f05fc57f4d5bec69ba3676f8e8599072d

Found in base branch: master

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution: postcss - 8.2.10


CVE-2021-30130 (High) detected in phpseclib/phpseclib-2.0.10 - autoclosed

CVE-2021-30130 - High Severity Vulnerability

Vulnerable Library - phpseclib/phpseclib-2.0.10

PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc.

Library home page: https://api.github.com/repos/phpseclib/phpseclib/zipball/d305b780829ea4252ed9400b3f5937c2c99b51d4

Dependency Hierarchy:

  • google/apiclient-v2.2.1 (Root Library)
    • phpseclib/phpseclib-2.0.10 (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.

Publish Date: 2021-04-06

URL: CVE-2021-30130

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30130

Release Date: 2021-04-06

Fix Resolution: 2.0.31, 3.0.7


CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz - autoclosed

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-7.18.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: f76eb45f05fc57f4d5bec69ba3676f8e8599072d

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21


CVE-2020-11023 (Medium) detected in jquery-3.1.1.min.js - autoclosed

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to vulnerable library: /wp-content/plugins/official-facebook-pixel/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

  • jquery-3.1.1.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6, https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0; jquery-rails - 4.4.0


CVE-2021-33623 (High) detected in trim-newlines-3.0.0.tgz - autoclosed

CVE-2021-33623 - High Severity Vulnerability

Vulnerable Library - trim-newlines-3.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • stylelint-13.9.0.tgz (Root Library)
    • meow-9.0.0.tgz
      • trim-newlines-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 2c0aa98e22331ca8beb0c1f31a60ac1f7976a796

Found in base branch: master

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution: trim-newlines - 3.0.1, 4.0.1


WS-2021-0406 (Medium) detected in tinymce-4.9.11.min.js

WS-2021-0406 - Medium Severity Vulnerability

Vulnerable Library - tinymce-4.9.11.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.11/tinymce.min.js

Path to vulnerable library: /wp-content/themes/Divi/includes/builder/frontend-builder/assets/vendors/tinymce.min.js

Dependency Hierarchy:

  • tinymce-4.9.11.min.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower.

Publish Date: 2021-10-22

URL: WS-2021-0406

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5h9g-x5rv-25wg

Release Date: 2021-10-22

Fix Resolution: TinyMCE - 5.9.0, tinymce - 5.9.0, tinymce/tinymce - 5.9.0


CVE-2020-11022 (Medium) detected in jquery-3.1.1.min.js - autoclosed

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to vulnerable library: /wp-content/plugins/official-facebook-pixel/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

  • jquery-3.1.1.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0


CVE-2022-31042 (High) detected in guzzlehttp/guzzle-6.3.3, guzzlehttp/guzzle-6.3.0 - autoclosed

CVE-2022-31042 - High Severity Vulnerability

Vulnerable Libraries - guzzlehttp/guzzle-6.3.3, guzzlehttp/guzzle-6.3.0

guzzlehttp/guzzle-6.3.3

Guzzle, an extensible PHP HTTP client

Dependency Hierarchy:

  • guzzlehttp/guzzle-6.3.3 (Vulnerable Library)

guzzlehttp/guzzle-6.3.0

Guzzle, an extensible PHP HTTP client

Dependency Hierarchy:

  • google/apiclient-v2.2.1 (Root Library)
    • guzzlehttp/guzzle-6.3.0 (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

Guzzle is an open source PHP HTTP client. In affected versions the Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a URI to a different host, we should not forward the Cookie header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any Cookie header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects altogether.

Publish Date: 2022-06-10

URL: CVE-2022-31042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f2wf-25xc-69c9

Release Date: 2022-06-10

Fix Resolution: 6.5.7, 7.4.4


CVE-2022-31043 (High) detected in guzzlehttp/guzzle-6.3.3, guzzlehttp/guzzle-6.3.0 - autoclosed

CVE-2022-31043 - High Severity Vulnerability

Vulnerable Libraries - guzzlehttp/guzzle-6.3.3, guzzlehttp/guzzle-6.3.0

guzzlehttp/guzzle-6.3.3

Guzzle, an extensible PHP HTTP client

Dependency Hierarchy:

  • guzzlehttp/guzzle-6.3.3 (Vulnerable Library)

guzzlehttp/guzzle-6.3.0

Guzzle, an extensible PHP HTTP client

Dependency Hierarchy:

  • google/apiclient-v2.2.1 (Root Library)
    • guzzlehttp/guzzle-6.3.0 (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

Guzzle is an open source PHP HTTP client. In affected versions Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This is much the same as how we don't forward on the header if the host changes. Prior to this fix, https to http downgrades did not result in the Authorization header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects altogether if redirects are not expected or required.

Publish Date: 2022-06-10

URL: CVE-2022-31043

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w248-ffj2-4v5q

Release Date: 2022-06-10

Fix Resolution: 6.5.7, 7.4.4


CVE-2015-9251 (Medium) detected in jquery-1.11.1.min.js, jquery-1.11.3.min.js - autoclosed

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.11.1.min.js, jquery-1.11.3.min.js

jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/slim/index.html

Path to vulnerable library: shop.grindmodecypher.com/wp-content/plugins/wp-file-manager/lib/codemirror/mode/slim/index.html

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)

jquery-1.11.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Path to vulnerable library: shop.grindmodecypher.com/wp-content/plugins/woocommerce-admin/vendor/composer/installers/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML/Renderer/Template/js/jquery.min.js

Dependency Hierarchy:

  • jquery-1.11.3.min.js (Vulnerable Library)

Found in HEAD commit: f0bccabe236973e3c6d0f68063dabd3ea99e1449

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0


CVE-2018-14040 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

CVE-2018-14040 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to vulnerable library: /wp-content/plugins/official-facebook-pixel/vendor/phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: ab76dd905220f63a5e50d7a6c36543f1d876d52a

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0



CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz - autoclosed

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-7.18.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: c72f51dc0842d9bbf6ebb749b3217b005da6b45c

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21



CVE-2020-7788 (High) detected in ini-1.3.5.tgz - autoclosed

CVE-2020-7788 - High Severity Vulnerability

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/package.json

Path to vulnerable library: shop.grindmodecypher.com/wp-content/themes/twentytwentyone/node_modules/ini/package.json

Dependency Hierarchy:

  • stylelint-13.8.0.tgz (Root Library)
    • global-modules-2.0.0.tgz
      • global-prefix-3.0.0.tgz
        • ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 71aa041ac41d7e5c1657a2d660e0f48c6fc21e2f

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6


