Vulnerable Library - jquery-1.12.4.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/index.html

Path to vulnerable library: /static/jquery-ui-1.12.1.custom/external/jquery/jquery.js

Dependency Hierarchy:

• ❌ jquery-1.12.4.js (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Libraries - jquery-1.8.1.min.js, jquery-1.3.2.min.js, jquery-1.12.4.js

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Libraries - minimatch-0.3.0.tgz, minimatch-0.2.14.tgz, minimatch-2.0.10.tgz

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-0.9.2.tgz

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

Vulnerable Libraries - lodash-0.9.2.tgz, lodash-3.10.1.tgz, lodash-2.4.2.tgz

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-10-21

Fix Resolution: lodash - 4.17.19

Vulnerable Library - xmlbuilder-2.6.5.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-2.6.5.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/xmlbuilder/package.json

Dependency Hierarchy:

• grunt-jscs-2.1.0.tgz (Root Library)
  • jscs-2.1.1.tgz
    • ❌ xmlbuilder-2.6.5.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: oozcitak/xmlbuilder-js@bbf929a

Release Date: 2020-03-23

Fix Resolution: 9.0.5

Vulnerable Libraries - jquery-1.8.1.min.js, jquery-1.3.2.min.js

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0

Vulnerable Library - utile-0.2.1.tgz

A drop-in replacement for `util` with some additional advantageous functions

Library home page: https://registry.npmjs.org/utile/-/utile-0.2.1.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/utile/package.json

Dependency Hierarchy:

• grunt-jscs-2.1.0.tgz (Root Library)
  • jscs-2.1.1.tgz
    • prompt-0.2.14.tgz
      • ❌ utile-0.2.1.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

The utile npm module, version 0.3.0, allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed (e.g. from JSON).

Publish Date: 2018-07-16

URL: WS-2018-0148

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - pathval-0.1.1.tgz

Object value retrieval given a string path

Library home page: https://registry.npmjs.org/pathval/-/pathval-0.1.1.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/pathval/package.json

Dependency Hierarchy:

• grunt-jscs-2.1.0.tgz (Root Library)
  • jscs-2.1.1.tgz
    • ❌ pathval-0.1.1.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

pathval before version 1.1.1 is vulnerable to prototype pollution.

Publish Date: 2020-10-26

URL: CVE-2020-7751

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Libraries - underscore.string-2.2.1.tgz, underscore.string-2.4.0.tgz, underscore.string-2.3.3.tgz

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.

Publish Date: 2018-06-07

URL: CVE-2017-16116

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/745

Release Date: 2018-06-07

Fix Resolution: 3.3.5

Vulnerable Library - underscore-1.7.0.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.7.0.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/underscore/package.json

Dependency Hierarchy:

• grunt-0.4.5.tgz (Root Library)
  • js-yaml-2.0.5.tgz
    • argparse-0.1.16.tgz
      • ❌ underscore-1.7.0.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution: underscore - 1.12.1,1.13.0-2

Vulnerable Library - jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/underscore.string/test/test.html

Path to vulnerable library: /static/jquery-ui-1.12.1.custom/node_modules/underscore.string/test/test_underscore/vendor/jquery.js

Dependency Hierarchy:

• ❌ jquery-1.3.2.min.js (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969

Release Date: 2013-03-08

Fix Resolution: 1.6.3

Vulnerable Library - getobject-0.1.0.tgz

get.and.set.deep.objects.easily = true

Library home page: https://registry.npmjs.org/getobject/-/getobject-0.1.0.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/getobject/package.json

Dependency Hierarchy:

• grunt-0.4.5.tgz (Root Library)
  • ❌ getobject-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-12-29

URL: CVE-2020-28282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/getobject

Release Date: 2020-12-29

Fix Resolution: getobject - 1.0.0

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-2.4.2.tgz, lodash-0.9.2.tgz

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Vulnerable Library - js-yaml-2.0.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.0.5.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/js-yaml/package.json

Dependency Hierarchy:

• grunt-0.4.5.tgz (Root Library)
  • ❌ js-yaml-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution: js-yaml - 3.13.0

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-0.9.2.tgz, lodash-2.4.2.tgz

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Vulnerable Libraries - jquery-1.12.4.js, jquery-1.8.1.min.js

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Vulnerable Library - js-yaml-2.0.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.0.5.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/js-yaml/package.json

Dependency Hierarchy:

• grunt-0.4.5.tgz (Root Library)
  • ❌ js-yaml-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution: js-yaml - 3.13.1

Vulnerable Library - mout-0.11.1.tgz

Modular Utilities

Library home page: https://registry.npmjs.org/mout/-/mout-0.11.1.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/mout/package.json

Dependency Hierarchy:

• commitplease-2.3.0.tgz (Root Library)
  • ❌ mout-0.11.1.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.

Publish Date: 2020-12-11

URL: CVE-2020-7792

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - mime-1.2.7.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.7.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/testswarm/node_modules/request/node_modules/mime/package.json

Dependency Hierarchy:

• testswarm-1.1.0.tgz (Root Library)
  • request-2.12.0.tgz
    • ❌ mime-1.2.7.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution: 1.4.1,2.0.3

Vulnerable Library - grunt-0.4.5.tgz

The JavaScript Task Runner

Library home page: https://registry.npmjs.org/grunt/-/grunt-0.4.5.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: /static/jquery-ui-1.12.1.custom/node_modules/grunt/package.json

Dependency Hierarchy:

• ❌ grunt-0.4.5.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

Publish Date: 2020-09-03

URL: CVE-2020-7729

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1684

Release Date: 2020-10-27

Fix Resolution: grunt - 1.3.0

Vulnerable Libraries - jquery-1.3.2.min.js, jquery-1.8.1.min.js

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Libraries - jquery-1.8.1.min.js, jquery-1.12.4.js

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-2.4.2.tgz, lodash-0.9.2.tgz

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution: 4.17.11

Vulnerable Library - request-2.12.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.12.0.tgz

Path to dependency file: Indecrypt-2/static/jquery-ui-1.12.1.custom/package.json

Path to vulnerable library: Indecrypt-2/static/jquery-ui-1.12.1.custom/node_modules/testswarm/node_modules/request/package.json

Dependency Hierarchy:

• testswarm-1.1.0.tgz (Root Library)
  • ❌ request-2.12.0.tgz (Vulnerable Library)

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

Release Date: 2018-06-04

Fix Resolution: 2.47.1,2.67.1

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-0.9.2.tgz, lodash-3.10.1.tgz

Found in HEAD commit: be5e35bc27ca92f0532d889bc304ace229cc56cc

Found in base branch: master

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5