osgirl / aimmo Goto Github PK

Vulnerability Details

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.

Publish Date: 2018-10-02

URL: CVE-2018-16984

CVSS 3 Score Details (4.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041749

Fix Resolution: The vendor has issued a fix (2.1.2).

The vendor advisory is available at:

https://www.djangoproject.com/weblog/2018/oct/01/security-release/

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/aimmo/game_frontend/node_modules/jest/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

• babel-jest-23.6.0.tgz (Root Library)
  • babel-plugin-istanbul-4.1.6.tgz
    • test-exclude-4.2.3.tgz
      • micromatch-2.3.11.tgz
        • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Library - jquery-1.11.3.min.js

JavaScript library for DOM operations

path: /aimmo/aimmo/templates/players/base.html

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Dependency Hierarchy:

• ❌ jquery-1.11.3.min.js (Vulnerable Library)

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419

Release Date: 2015-10-12

Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js