GithubHelp home page GithubHelp logo

alexrogalskiy / screenshots Goto Github PK

View Code? Open in Web Editor NEW
3.0 3.0 1.0 1.86 MB

๐Ÿ“ธ Styled Screenshots API

Home Page: https://styled-screenshots.vercel.app/

License: GNU General Public License v3.0

Vim Script 0.07% TypeScript 47.77% JavaScript 5.63% Shell 18.11% Dockerfile 5.68% Starlark 12.11% Open Policy Agent 2.93% Python 3.85% Go 2.34% Makefile 1.50%
screenshots typescript screenshot-utility vercel-serverless-functions

screenshots's Introduction

Styled Screenshots

Generate jpeg/png styled screenshots

GitHub tag (latest by date) GitHub Release Date Lines of code GitHub closed issues GitHub closed pull requests GitHub repo size GitHub last commit GitHub GitHub language count GitHub search hit counter GitHub Repository branches GitHub Repository dependents

DeepSource DeepScan grade Tokei Mergify Status Reviewed by Hound DOI dependencies Status devDependencies Status

License: MIT Issue Forks Stars code style Maintainability Total alerts Language grade: JavaScript

codebeat badge Renovatebot Dependabot NewReleases Hits-of-Code ComVer Website

codecov CI GitHub Super-Linter BCH compliance

Gitpod Ready-to-Code Chat Open questions Open bugs

Table of contents

Description

TypeScript Project Status: Active โ€“ The project has reached a stable, usable state and is being actively developed. Project created status Project updated status

Styled Screenshots is a serverless function that generates dynamically styled graph images based on SVG (Scalable Vector Graphics). For the tech stack, Styled Screenshots using Typescript and serverless function from Vercel stack.

How to use

It's simple, you can copy paste this markdown content, like this one:

![Styled Screenshots](https://styled-screenshots.vercel.app/api?url=[value]&width=[value]&height=[value]&fullPage=[value]&type=[value]&encoding=[value]&selector=[value])

There are several options you can use from the list:

Options Description Type Example Query Params
[Url] Json data source url String https://www.google.com/ ?url=[value]
[Width] Chart graph image width Numeric 400 &width=[value]
[Height] Chart graph image height Numeric 400 &height=[value]
[FullPage] Full page viewport Boolean/numeric true/false
[Type] Image content type String jpeg png
[Encoding] Image encoding String base64 binary
[Selector] Html element selector String #element &selector=[value]

Example

This is example of using Styled Screenshots:

![Styled Screenshots](https://styled-screenshots.vercel.app/api?url=https://www.google.com/&width=450&height=250)

Result:

Screenshots

Visitor stats

GitHub page hits

GitHub stars GitHub forks GitHub watchers

Licensing

Styled Screenshots is distributed under LGPL version 3 or later, [License]. LGPLv3 is additional permissions on top of GPLv3.

license

Kubernetes

Running k8s cluster with tilt command by acquiring k8s deployment configuration:

tilt up

Shutting down k8s cluster with provisioned resources removal:

tilt down --delete-namespaces

Authors

Styled Screenshots is maintained by the following GitHub team-members:

  • Author

with community support please contact with us if you have some question or proposition.

Versioning

The project uses SemVer for versioning. For the versions available, see the tags on this repository.

Contribution

Contributors Display

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us (emoji key).

This project follows the all-contributors specification. Contributions of any kind are welcome!

PRs Welcome Github contributors

See also the list of contributors who participated in this project.

Acknowledgement

Stargazers repo roster for @AlexRogalskiy/screenshots

Stargazers over time

Forks

Forkers repo roster for @AlexRogalskiy/screenshots

Issues

issuehunt-to-marktext

Team Tools

alt tag

Styled Screenshots Team would like inform that JetBrains is helping by provided IDE to develop the application. Thanks to its support program for an Open Source projects!

Edit with Gitpod

Styled Screenshots has experimental support for Gitpod, a pre-configured development environment that runs in your browser. To use Gitpod, click the button below and sign in with GitHub. Gitpod also offers a browser add-on, though it is not required.

OpenGraph Card

OpenGraph card

Development Support

Like Styled Screenshots ? Consider buying me a coffee :)

Become a Patron Buy Me A Coffee KoFi

forthebadge forthebadge forthebadge

screenshots's People

Contributors

alexrogalskiy avatar

Stargazers

avatar avatar avatar

Watchers

avatar avatar avatar

screenshots's Issues

CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/meow/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • del-cli-3.0.0.tgz (Root Library)
    • meow-5.0.0.tgz
      • โŒ yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/node_modules/lodash/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-plugin-jest-23.20.0.tgz (Root Library)
    • experimental-utils-2.34.0.tgz
      • typescript-estree-2.34.0.tgz
        • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: b4fa85c746b280007c64ca8951a00de2b87cadbf

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/meow/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • del-cli-3.0.0.tgz (Root Library)
    • meow-5.0.0.tgz
      • โŒ yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 571fdc24c8184179670367d3935ff8f28587d999

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: ab0f7fb5d47cff31a5463349b15383a9a9993c17

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Warning

These dependencies are deprecated:

Datasource Name Replacement PR?
npm @types/prettier Unavailable
npm codecov Unavailable
npm eslint-plugin-node Available
npm validate-commit-msg Unavailable

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

docker-compose
docker-compose.yml
dockerfile
.gitpod.Dockerfile
Dockerfile
tilt_modules/restart_process/Dockerfile
github-actions
.github/workflows/add-labels.yml
.github/workflows/auto-merge.yml
  • ahmadnassri/action-dependabot-auto-merge v2.3
.github/workflows/backport.yml
  • tibdex/backport v1
  • ubuntu 18.04
.github/workflows/benchmark.yml
  • actions/checkout v2
  • actions/setup-node v2
  • netlify/delta-action v1
.github/workflows/broken-links.yml
  • actions/checkout v2
  • actions/setup-node v2.1.4
.github/workflows/build.yml
  • actions/checkout v2
  • actions/setup-node v1
  • actions/cache v2
  • codecov/codecov-action v1
.github/workflows/changelog.yml
  • ruby/setup-ruby v1
  • actions/cache v2
.github/workflows/check-urls.yml
  • actions/checkout v2
  • trilom/file-changes-action v1.2.4
  • ruby/setup-ruby v1
  • actions/upload-artifact v2
.github/workflows/claim.yml
  • actions/github-script v3.1
.github/workflows/cleanup.yml
  • kolpav/purge-artifacts-action v1
.github/workflows/close-pending.yml
.github/workflows/close_pr.yml
  • superbrothers/close-pull-request v2
  • actions/github v1.0.0
.github/workflows/closing.yml
  • peter-evans/create-or-update-comment v1
  • peter-evans/create-or-update-comment v1
  • ubuntu 18.04
.github/workflows/codeowners-merge.yml
  • actions/checkout v1
  • OSS-Docs-Tools/code-owner-self-merge v1
.github/workflows/codeql-analysis.yml
  • actions/checkout v2
  • github/codeql-action v1
  • github/codeql-action v1
  • github/codeql-action v1
.github/workflows/codespell.yaml
  • actions/checkout v2
.github/workflows/comment_on_issue.yml
  • actions/github-script v3.1
.github/workflows/commitlint.yml
  • actions/checkout v2
  • wagoid/commitlint-github-action v2.1.7
.github/workflows/dependabot-validate.yml
  • actions/checkout v2
  • marocchino/validate-dependabot v1
  • marocchino/sticky-pull-request-comment v2
.github/workflows/docker_updates.yml
  • actions/checkout v2
  • ghe-actions/dockerfile-validator v1
.github/workflows/enforce-labels.yml
  • yogevbd/enforce-label-action 2.2.1
.github/workflows/label-sponsors.yml
  • JasonEtco/is-sponsor-label-action v1
.github/workflows/labels.yml
  • lannonbr/issue-label-manager-action 2.0.0
.github/workflows/labels2.yml
  • actions/checkout v2
  • crazy-max/ghaction-github-labeler v3
.github/workflows/linter.yml
  • actions/checkout v2
  • github/super-linter v3
.github/workflows/lock.yml
  • dessant/lock-threads v2.0.3
.github/workflows/markdown-lint.yml
  • actions/checkout v2
  • actions/setup-node v2
.github/workflows/opengraph-card.yml
  • actions/checkout v2
  • stefanzweifel/git-auto-commit-action v4
.github/workflows/pr-helper.yml
  • Matticusau/pr-helper v1.2.4
.github/workflows/preview.yml
  • actions/checkout v2
  • actions/setup-node v2.1.4
  • actions/cache v2.1.4
  • 8398a7/action-slack v3
.github/workflows/project-card-moved.yml
  • technote-space/auto-card-labeler v1
.github/workflows/pull_request.yml
  • kentaro-m/auto-assign-action v1.1.2
.github/workflows/qawolf.yml
  • actions/checkout v2
  • actions/setup-node v1
  • microsoft/playwright-github-action v1
  • actions/cache v1
  • ubuntu 18.04
.github/workflows/release-changelog.yml
.github/workflows/release-drafter.yml
  • release-drafter/release-drafter v5.7.0
.github/workflows/release-semantic.yml
  • actions/checkout v2
  • actions/setup-node v2
  • actions/cache v1
.github/workflows/release.yml
  • actions/checkout v2
  • haya14busa/action-bumpr v1
  • haya14busa/action-update-semver v1
  • haya14busa/action-cond v1
  • actions/create-release v1
  • actions/checkout v2
  • haya14busa/action-bumpr v1
.github/workflows/remove-labels.yml
  • mondeja/remove-labels-gh-action v1.0.0
  • mondeja/remove-labels-gh-action v1.0.0
  • mondeja/remove-labels-gh-action v1.0.0
.github/workflows/reviewdog.yml
  • actions/checkout v2
  • prologic/action-remark-lint v2
.github/workflows/spellcheck.yml
.github/workflows/stale.yml
  • actions/stale v3
.github/workflows/toc.yml
  • actions/checkout v2
  • stefanzweifel/git-auto-commit-action v4
.github/workflows/unlock-reopened-issues.yml
  • Dunning-Kruger/unlock-issues v1.1
.github/workflows/vale.yml
  • actions/checkout v2
.github/workflows/verify-docs.yml
  • actions/checkout v2
  • actions/setup-node v2
.github/workflows/verify-license.yml
  • actions/checkout v2
.github/workflows/version-update.yml
  • actions/checkout v2
  • stefanzweifel/git-auto-commit-action v4
.github/workflows/versioneye.yml
  • actions/checkout v2
.github/workflows/versioning.yml
  • actions/checkout v2.3.4
  • Actions-R-Us/actions-tagger v2.0.1
.github/workflows/welcome_contributor.yml
  • actions/github-script v3.1
npm
package.json
  • chrome-aws-lambda ^7.0.0
  • env-cmd ^10.1.0
  • isomorphic-unfetch ^3.1.0
  • jsdom ^17.0.0
  • lodash ^4.17.21
  • playwright-chromium ^1.14.0
  • playwright-core ^1.14.0
  • puppeteer-core ^7.0.0
  • @semantic-release/github ^7.2.3
  • @semantic-release/npm ^7.1.3
  • @semantic-release/release-notes-generator ^9.0.3
  • @types/jest ^27.0.1
  • @types/lodash.mergewith ^4.6.6
  • @types/prettier ^2.3.2
  • @typescript-eslint/eslint-plugin ^4.28.4
  • @typescript-eslint/parser ^4.28.4
  • @vercel/node ^1.11.1
  • boxen ^5.0.1
  • codecov 3.8.3
  • conventional-changelog-cli ^2.1.1
  • coveralls ^3.1.1
  • dateformat ^4.5.1
  • del-cli 4.0.1
  • dockerfile_lint ^0.3.4
  • eslint ^7.31.0
  • eslint-config-prettier ^8.3.0
  • eslint-import-resolver-typescript ^2.4.0
  • eslint-plugin-eslint-comments ^3.2.0
  • eslint-plugin-github ^4.1.5
  • eslint-plugin-import ^2.23.4
  • eslint-plugin-jest ^24.4.0
  • eslint-plugin-node ^11.1.0
  • eslint-plugin-prettier ^3.4.0
  • eslint-plugin-spellcheck 0.0.19
  • eslint-plugin-unicorn ^34.0.1
  • eslint-friendly-formatter ^4.0.1
  • git-cz ^4.7.6
  • gradient-string ^1.2.0
  • husky ^7.0.1
  • if-env ^1.0.4
  • jest ^27.0.6
  • jest-circus ^27.0.6
  • jsonlint ^1.6.3
  • jest-fetch-mock ^3.0.3
  • jest-puppeteer ^5.0.4
  • license-checker ^25.0.1
  • markdown-link-check ^3.8.7
  • nodemon ^2.0.12
  • onchange ^7.1.0
  • opener ^1.5.2
  • prettier ^2.1.2
  • pretty-quick ^3.1.0
  • puppeteer ^7.0.0
  • randomcolor ^0.5.4
  • remark-cli ^9.0.0
  • remark-lint-code-block-style ^2.0.1
  • remark-lint-ordered-list-marker-value ^2.0.1
  • remark-preset-davidtheclark ^0.12.0
  • remark-validate-links ^10.0.4
  • semantic-release ^17.4.4
  • qawolf 2.6.1
  • ts-jest ^27.0.5
  • ts-node ^10.1.0
  • typedoc ^0.21.4
  • typescript ^4.1.6
  • validate-commit-msg ^2.14.0
  • node >= 12.x
tilt_modules/tilt_inspector/package.json
  • @tilt.dev/tilt-inspector 0.1.6
nvm
.nvmrc
  • node 14.16.0
  • Check this box to trigger a request for Renovate to run again on this repository

CVE-2020-11022 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 571fdc24c8184179670367d3935ff8f28587d999

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: ab0f7fb5d47cff31a5463349b15383a9a9993c17

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/meow/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • del-cli-3.0.0.tgz (Root Library)
    • meow-5.0.0.tgz
      • โŒ yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: ab0f7fb5d47cff31a5463349b15383a9a9993c17

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11022 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 571fdc24c8184179670367d3935ff8f28587d999

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/npm/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • libnpx-10.2.4.tgz
        • โŒ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 571fdc24c8184179670367d3935ff8f28587d999

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774

Release Date: 2020-11-17

Fix Resolution: 5.0.5

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/node_modules/lodash/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-plugin-github-4.1.1.tgz (Root Library)
    • eslint-plugin-4.15.0.tgz
      • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: b1a70909b9898a9c925728cd7da0b264180987fa

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-8175 (Medium) detected in jpeg-js-0.3.7.tgz

CVE-2020-8175 - Medium Severity Vulnerability

Vulnerable Library - jpeg-js-0.3.7.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.7.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/qawolf/node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • qawolf-1.2.0.tgz (Root Library)
    • playwright-core-1.2.0.tgz
      • โŒ jpeg-js-0.3.7.tgz (Vulnerable Library)

Found in HEAD commit: 571fdc24c8184179670367d3935ff8f28587d999

Vulnerability Details

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

Publish Date: 2020-07-24

URL: CVE-2020-8175

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175

Release Date: 2020-07-21

Fix Resolution: 0.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 571fdc24c8184179670367d3935ff8f28587d999

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-26226 (High) detected in semantic-release-15.14.0.tgz

CVE-2020-26226 - High Severity Vulnerability

Vulnerable Library - semantic-release-15.14.0.tgz

Automated semver compliant package publishing

Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-15.14.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/semantic-release/package.json

Dependency Hierarchy:

  • โŒ semantic-release-15.14.0.tgz (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.

Publish Date: 2020-11-18

URL: CVE-2020-26226

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r2j6-p67h-q639

Release Date: 2020-11-18

Fix Resolution: 17.2.3

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: df5ad515ef43bc5d9e0c21b83f9cb7895d6cd96d

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11022 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: ab0f7fb5d47cff31a5463349b15383a9a9993c17

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11022 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: df5ad515ef43bc5d9e0c21b83f9cb7895d6cd96d

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: df5ad515ef43bc5d9e0c21b83f9cb7895d6cd96d

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: df5ad515ef43bc5d9e0c21b83f9cb7895d6cd96d

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 571fdc24c8184179670367d3935ff8f28587d999

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: screenshots/node_modules/yargs-parser/package.json

Path to vulnerable library: screenshots/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • del-cli-3.0.0.tgz (Root Library)
    • meow-5.0.0.tgz
      • โŒ yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: b4fa85c746b280007c64ca8951a00de2b87cadbf

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 571fdc24c8184179670367d3935ff8f28587d999

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

WS-2020-0163 (Medium) detected in marked-0.7.0.tgz

WS-2020-0163 - Medium Severity Vulnerability

Vulnerable Library - marked-0.7.0.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-15.14.0.tgz (Root Library)
    • โŒ marked-0.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 90390bb99d4bdbcffa3da54c2ea426e69efb4870

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1

Step up your Open Source Security Game with WhiteSource here

WS-2020-0163 (Medium) detected in marked-0.7.0.tgz

WS-2020-0163 - Medium Severity Vulnerability

Vulnerable Library - marked-0.7.0.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-15.14.0.tgz (Root Library)
    • โŒ marked-0.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-8175 (Medium) detected in jpeg-js-0.3.7.tgz

CVE-2020-8175 - Medium Severity Vulnerability

Vulnerable Library - jpeg-js-0.3.7.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.7.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/qawolf/node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • qawolf-1.2.0.tgz (Root Library)
    • playwright-core-1.2.0.tgz
      • โŒ jpeg-js-0.3.7.tgz (Vulnerable Library)

Found in HEAD commit: ab0f7fb5d47cff31a5463349b15383a9a9993c17

Vulnerability Details

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

Publish Date: 2020-07-24

URL: CVE-2020-8175

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175

Release Date: 2020-07-21

Fix Resolution: 0.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: df5ad515ef43bc5d9e0c21b83f9cb7895d6cd96d

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 571fdc24c8184179670367d3935ff8f28587d999

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-8175 (Medium) detected in jpeg-js-0.3.7.tgz

CVE-2020-8175 - Medium Severity Vulnerability

Vulnerable Library - jpeg-js-0.3.7.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.7.tgz

Path to dependency file: screenshots/node_modules/jpeg-js/package.json

Path to vulnerable library: screenshots/node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • qawolf-1.2.0.tgz (Root Library)
    • playwright-core-1.2.0.tgz
      • โŒ jpeg-js-0.3.7.tgz (Vulnerable Library)

Found in HEAD commit: ef2f156796833226a98d84d542bc3cc4f177b2ca

Vulnerability Details

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

Publish Date: 2020-07-24

URL: CVE-2020-8175

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175

Release Date: 2020-07-21

Fix Resolution: 0.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: ab0f7fb5d47cff31a5463349b15383a9a9993c17

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.8.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: df5ad515ef43bc5d9e0c21b83f9cb7895d6cd96d

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/meow/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • del-cli-3.0.0.tgz (Root Library)
    • meow-5.0.0.tgz
      • โŒ yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: df5ad515ef43bc5d9e0c21b83f9cb7895d6cd96d

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-8175 (Medium) detected in jpeg-js-0.3.7.tgz

CVE-2020-8175 - Medium Severity Vulnerability

Vulnerable Library - jpeg-js-0.3.7.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.7.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/qawolf/node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • qawolf-1.2.0.tgz (Root Library)
    • playwright-core-1.2.0.tgz
      • โŒ jpeg-js-0.3.7.tgz (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

Publish Date: 2020-07-24

URL: CVE-2020-8175

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175

Release Date: 2020-07-21

Fix Resolution: 0.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-26226 (High) detected in semantic-release-15.14.0.tgz

CVE-2020-26226 - High Severity Vulnerability

Vulnerable Library - semantic-release-15.14.0.tgz

Automated semver compliant package publishing

Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-15.14.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/semantic-release/package.json

Dependency Hierarchy:

  • โŒ semantic-release-15.14.0.tgz (Vulnerable Library)

Found in HEAD commit: 90390bb99d4bdbcffa3da54c2ea426e69efb4870

Vulnerability Details

In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.

Publish Date: 2020-11-18

URL: CVE-2020-26226

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r2j6-p67h-q639

Release Date: 2020-11-18

Fix Resolution: 17.2.3

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/npm/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • libnpx-10.2.4.tgz
        • โŒ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774

Release Date: 2020-11-17

Fix Resolution: 5.0.5

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.8.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: ab0f7fb5d47cff31a5463349b15383a9a9993c17

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/node_modules/lodash/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-plugin-jest-23.20.0.tgz (Root Library)
    • experimental-utils-2.34.0.tgz
      • typescript-estree-2.34.0.tgz
        • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: b4fa85c746b280007c64ca8951a00de2b87cadbf

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.8.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: df5ad515ef43bc5d9e0c21b83f9cb7895d6cd96d

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 7ae73676c92205e649a173506d1764df0765661a

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-8175 (Medium) detected in jpeg-js-0.3.7.tgz

CVE-2020-8175 - Medium Severity Vulnerability

Vulnerable Library - jpeg-js-0.3.7.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.7.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/qawolf/node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • qawolf-1.2.0.tgz (Root Library)
    • playwright-core-1.2.0.tgz
      • โŒ jpeg-js-0.3.7.tgz (Vulnerable Library)

Found in HEAD commit: df5ad515ef43bc5d9e0c21b83f9cb7895d6cd96d

Vulnerability Details

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

Publish Date: 2020-07-24

URL: CVE-2020-8175

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175

Release Date: 2020-07-21

Fix Resolution: 0.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: screenshots/node_modules/lodash/package.json

Path to vulnerable library: screenshots/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-plugin-github-4.1.1.tgz (Root Library)
    • eslint-plugin-4.15.0.tgz
      • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: b1a70909b9898a9c925728cd7da0b264180987fa

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: screenshots/package.json

Path to vulnerable library: screenshots/node_modules/npm/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • libnpx-10.2.4.tgz
        • โŒ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: df5ad515ef43bc5d9e0c21b83f9cb7895d6cd96d

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774

Release Date: 2020-11-17

Fix Resolution: 5.0.5

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.8.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 571fdc24c8184179670367d3935ff8f28587d999

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11023 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: screenshots/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: screenshots/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • โŒ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: ab0f7fb5d47cff31a5463349b15383a9a9993c17

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.