best-shot / best-shot


A webpack config wrapper

License: MIT License

Languages: JavaScript 94.67%, HTML 1.85%, Shell 0.14%, EJS 1.70%, CSS 1.64%
Topics: babel, best-shot, bundler, cli, electron, javascript, react, vue, webpack

best-shot's People

Contributors

airkro, dependabot[bot], fossabot, mend-bolt-for-github[bot], renovate-bot, renovate[bot]

best-shot's Issues

CVE-2020-7598 (High) detected in minimist-0.0.8.tgz, minimist-1.2.0.tgz

CVE-2020-7598 - High Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/cli/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/cli/node_modules/minimist/package.json

Dependency Hierarchy:

  • imagemin-webpack-plugin-2.4.2.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Dependency Hierarchy:

  • cli-7.8.4.tgz (Root Library)
    • chokidar-2.1.8.tgz
      • fsevents-1.2.11.tgz
        • node-pre-gyp-0.14.0.tgz
          • rc-1.2.8.tgz
            • minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 8cae429b51e5cec3e9216d18427b6017b473bb7a

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.2


Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.sortby:4.7.0

Vulnerabilities

DepShield reports that this application's usage of lodash.sortby:4.7.0 results in the following vulnerability(s):


Occurrences

lodash.sortby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

jest:24.9.0
        └─ jest-cli:24.9.0
              └─ jest-config:24.9.0
                    └─ jest-environment-jsdom:24.9.0
                          └─ jsdom:11.12.0
                                └─ data-urls:1.1.0
                                      └─ whatwg-url:7.1.0
                                            └─ lodash.sortby:4.7.0
                                └─ whatwg-url:6.5.0
                                      └─ lodash.sortby:4.7.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-7660 (High) detected in serialize-javascript-2.1.2.tgz

CVE-2020-7660 - High Severity Vulnerability

Vulnerable Library - serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/core/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • copy-webpack-plugin-5.1.1.tgz (Root Library)
    • serialize-javascript-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: a8953d0b43d31e6060e766d5d41ffe989e9fe8c6

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.get:4.4.2

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):


Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

@nice-move/eslint-config-base:0.0.4
        └─ eslint-plugin-unicorn:9.1.1
              └─ eslint-ast-utils:1.1.0
                    └─ lodash.get:4.4.2

CVE-2015-9521 (Medium) detected in jquery-1.12.4.min.js

CVE-2015-9521 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/best-shot/node_modules/figlet/examples/front-end/index.htm

Path to vulnerable library: /best-shot/node_modules/figlet/examples/front-end/index.htm

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: e42e3ebeb5ecd5c7903945143dfe941b96ec5692

Vulnerability Details

The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.

Publish Date: 2019-10-23

URL: CVE-2015-9521

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-10-23

Fix Resolution: 2.2.0

WS-2019-0169 (Medium) detected in marked-0.5.2.tgz

WS-2019-0169 - Medium Severity Vulnerability

Vulnerable Library - marked-0.5.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz

Path to dependency file: /tmp/ws-scm/best-shot/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/marked/package.json

Dependency Hierarchy:

  • docsify-cli-4.3.0.tgz (Root Library)
    • docsify-4.9.4.tgz
      • marked-0.5.2.tgz (Vulnerable Library)

Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82

Vulnerability Details

marked versions >0.3.14 and <0.6.2 have a Regular Expression Denial of Service vulnerability. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Publish Date: 2019-07-15

URL: WS-2019-0169

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/812

Release Date: 2019-07-15

Fix Resolution: 0.6.2

[DepShield] (CVSS 7.5) Vulnerability due to usage of marked:0.5.2

Vulnerabilities

DepShield reports that this application's usage of marked:0.5.2 results in the following vulnerability(s):


Occurrences

marked:0.5.2 is a transitive dependency introduced by the following direct dependency(s):

docsify-cli:4.3.0
        └─ docsify:4.9.4
              └─ marked:0.5.2

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.camelcase:4.3.0

Vulnerabilities

DepShield reports that this application's usage of lodash.camelcase:4.3.0 results in the following vulnerability(s):


Occurrences

lodash.camelcase:4.3.0 is a transitive dependency introduced by the following direct dependency(s):

@nice-move/eslint-config-base:0.0.4
        └─ eslint-plugin-unicorn:9.1.1
              └─ lodash.camelcase:4.3.0

WS-2018-0236 (Medium) detected in mem-3.0.1.tgz

WS-2018-0236 - Medium Severity Vulnerability

Vulnerable Library - mem-3.0.1.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-3.0.1.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/dev-server/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/mem/package.json

Dependency Hierarchy:

  • webpack-serve-2.0.3.tgz (Root Library)
    • mem-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82

Vulnerability Details

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

Publish Date: 2019-05-30

URL: WS-2018-0236

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744

Release Date: 2019-05-30

Fix Resolution: 4.0.0

WS-2016-0090 (Medium) detected in jquery-1.12.4.min.js, jquery-1.7.1.min.js

WS-2016-0090 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.12.4.min.js, jquery-1.7.1.min.js

jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/best-shot/node_modules/figlet/examples/front-end/index.htm

Path to vulnerable library: /best-shot/node_modules/figlet/examples/front-end/index.htm

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html,/best-shot/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 27596f8f3bf52ec7ede6b04a3d0c2c9d8d9d9b50

Vulnerability Details

jQuery before 2.2.0 is vulnerable to Cross-site Scripting (XSS) attacks via a text/javascript response, with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.isboolean:3.0.3

Vulnerabilities

DepShield reports that this application's usage of lodash.isboolean:3.0.3 results in the following vulnerability(s):


Occurrences

lodash.isboolean:3.0.3 is a transitive dependency introduced by the following direct dependency(s):

@nice-move/stylelint-config:0.0.14
        └─ stylelint-scss:3.13.0
              └─ lodash.isboolean:3.0.3

[DepShield] (CVSS 7.5) Vulnerability due to usage of braces:1.8.5

Vulnerabilities

DepShield reports that this application's usage of braces:1.8.5 results in the following vulnerability(s):


Occurrences

braces:1.8.5 is a transitive dependency introduced by the following direct dependency(s):

docsify-cli:4.3.0
        └─ livereload:0.7.0
              └─ chokidar:1.7.0
                    └─ anymatch:1.3.2
                          └─ micromatch:2.3.11
                                └─ braces:1.8.5

WS-2019-0024 (Medium) detected in marked-0.5.2.tgz

WS-2019-0024 - Medium Severity Vulnerability

Vulnerable Library - marked-0.5.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz

Path to dependency file: /tmp/ws-scm/best-shot/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/marked/package.json

Dependency Hierarchy:

  • docsify-cli-4.3.0.tgz (Root Library)
    • docsify-4.9.4.tgz
      • marked-0.5.2.tgz (Vulnerable Library)

Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82

Vulnerability Details

A flaw was found in nodejs-marked versions from 0.5.0 to before 0.6.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Input to the host variable is vulnerable when the input contains parentheses in link URIs, coupled with a high number of link tokens in a single line.

Publish Date: 2019-03-17

URL: WS-2019-0024

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1679550

Release Date: 2019-03-17

Fix Resolution: 0.6.1

WS-2020-0044 (High) detected in decompress-4.2.0.tgz

WS-2020-0044 - High Severity Vulnerability

Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/decompress/package.json

Dependency Hierarchy:

  • imagemin-webpack-plugin-2.4.2.tgz (Root Library)
    • imagemin-gifsicle-6.0.1.tgz
      • gifsicle-4.0.1.tgz
        • bin-build-3.0.0.tgz
          • decompress-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 3bb086eec9a316bd798ebab9bec2ac54357eebff

Vulnerability Details

decompress in all its versions is vulnerable to arbitrary file write. The package fails to prevent extraction of files with relative paths, which allows attackers to write to any folder in the system.

Publish Date: 2020-03-08

URL: WS-2020-0044

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

WS-2017-0421 (High) detected in ws-1.1.5.tgz

WS-2017-0421 - High Severity Vulnerability

Vulnerable Library - ws-1.1.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-1.1.5.tgz

Path to dependency file: /tmp/ws-scm/best-shot/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/ws/package.json

Dependency Hierarchy:

  • docsify-cli-4.3.0.tgz (Root Library)
    • livereload-0.7.0.tgz
      • ws-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82

Vulnerability Details

Affected versions of ws (0.2.6--3.3.0) are vulnerable: a specially crafted value of the Sec-WebSocket-Extensions header that uses Object.prototype property names as extension or parameter names could be used to make a ws server crash.

Publish Date: 2017-11-08

URL: WS-2017-0421

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/550/versions

Release Date: 2019-01-24

Fix Resolution: 3.3.1

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.snakecase:4.1.1

Vulnerabilities

DepShield reports that this application's usage of lodash.snakecase:4.1.1 results in the following vulnerability(s):


Occurrences

lodash.snakecase:4.1.1 is a transitive dependency introduced by the following direct dependency(s):

@nice-move/eslint-config-base:0.0.4
        └─ eslint-plugin-unicorn:9.1.1
              └─ lodash.snakecase:4.1.1

CVE-2020-8116 (Medium) detected in dot-prop-4.2.0.tgz

CVE-2020-8116 - Medium Severity Vulnerability

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • cssnano-4.1.10.tgz (Root Library)
    • cssnano-preset-default-4.0.7.tgz
      • postcss-merge-rules-4.0.3.tgz
        • postcss-selector-parser-3.1.1.tgz
          • dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 51d30335ac709bc663f8c932fa24f78deb7abcda

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

CVE-2019-11358 (Medium) detected in jquery-1.12.4.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/best-shot/node_modules/figlet/examples/front-end/index.htm

Path to vulnerable library: /best-shot/node_modules/figlet/examples/front-end/index.htm

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: 27596f8f3bf52ec7ede6b04a3d0c2c9d8d9d9b50

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Change files

Origin: jquery/jquery@753d591

Release Date: 2019-03-25

Fix Resolution: Replace or update the following files: core.js, core.js

[DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.6.9

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):


Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

@nice-move/eslint-config-base:0.0.4
        └─ eslint-plugin-import:2.18.2
              └─ eslint-import-resolver-node:0.3.2
                    └─ debug:2.6.9
              └─ eslint-module-utils:2.4.1
                    └─ debug:2.6.9
              └─ debug:2.6.9

docsify-cli:4.3.0
        └─ connect:3.7.0
              └─ debug:2.6.9
              └─ finalhandler:1.1.2
                    └─ debug:2.6.9
        └─ docsify-server-renderer:4.9.1
              └─ debug:2.6.9
        └─ livereload:0.7.0
              └─ chokidar:1.7.0
                    └─ readdirp:2.2.1
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ expand-brackets:2.1.4
                                            └─ debug:2.6.9
        └─ serve-static:1.14.1
              └─ send:0.17.1
                    └─ debug:2.6.9

jest:24.9.0
        └─ jest-cli:24.9.0
              └─ @jest/core:24.9.0
                    └─ micromatch:3.1.10
                          └─ extglob:2.0.4
                                └─ expand-brackets:2.1.4
                                      └─ debug:2.6.9
                    └─ @jest/transform:24.9.0
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ expand-brackets:2.1.4
                                            └─ debug:2.6.9
                    └─ jest-haste-map:24.9.0
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ expand-brackets:2.1.4
                                            └─ debug:2.6.9
                          └─ sane:4.1.0
                                └─ micromatch:3.1.10
                                      └─ extglob:2.0.4
                                            └─ expand-brackets:2.1.4
                                                  └─ debug:2.6.9
                    └─ jest-message-util:24.9.0
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ expand-brackets:2.1.4
                                            └─ debug:2.6.9
              └─ jest-config:24.9.0
                    └─ micromatch:3.1.10
                          └─ extglob:2.0.4
                                └─ expand-brackets:2.1.4
                                      └─ debug:2.6.9

nodemon:1.19.2
        └─ chokidar:2.1.8
              └─ anymatch:2.0.0
                    └─ micromatch:3.1.10
                          └─ extglob:2.0.4
                                └─ expand-brackets:2.1.4
                                      └─ debug:2.6.9
        └─ undefsafe:2.0.2
              └─ debug:2.6.9

webpack:4.40.2
        └─ watchpack:1.6.0
              └─ chokidar:2.1.8
                    └─ anymatch:2.0.0
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ expand-brackets:2.1.4
                                            └─ debug:2.6.9
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ debug:2.6.9
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ debug:2.6.9

CVE-2020-7608 (Medium) detected in yargs-parser-11.1.1.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/dev-server/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • webpack-dev-server-3.10.3.tgz (Root Library)
    • yargs-12.0.5.tgz
      • yargs-parser-11.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 7e63708c8ad3a0eb621e66e23ba61b9b9091c8ef

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

CVE-2019-20149 (Medium) detected in multiple libraries

CVE-2019-20149 - Medium Severity Vulnerability

Vulnerable Libraries - kind-of-3.2.2.tgz, kind-of-4.0.0.tgz, kind-of-6.0.2.tgz, kind-of-5.1.0.tgz

kind-of-3.2.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/is-data-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

  • imagemin-webpack-plugin-2.4.2.tgz (Root Library)
    • imagemin-6.1.0.tgz
      • globby-8.0.2.tgz
        • fast-glob-2.2.7.tgz
          • micromatch-3.1.10.tgz
            • snapdragon-0.8.2.tgz
              • base-0.11.2.tgz
                • class-utils-0.3.6.tgz
                  • static-extend-0.1.2.tgz
                    • object-copy-0.1.0.tgz
                      • kind-of-3.2.2.tgz (Vulnerable Library)

kind-of-4.0.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/has-values/node_modules/kind-of/package.json

Dependency Hierarchy:

  • imagemin-webpack-plugin-2.4.2.tgz (Root Library)
    • imagemin-6.1.0.tgz
      • globby-8.0.2.tgz
        • fast-glob-2.2.7.tgz
          • micromatch-3.1.10.tgz
            • snapdragon-0.8.2.tgz
              • base-0.11.2.tgz
                • cache-base-1.0.1.tgz
                  • has-value-1.0.0.tgz
                    • has-values-1.0.0.tgz
                      • kind-of-4.0.0.tgz (Vulnerable Library)

kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/kind-of/package.json

Dependency Hierarchy:

  • sass-loader-8.0.0.tgz (Root Library)
    • clone-deep-4.0.1.tgz
      • kind-of-6.0.2.tgz (Vulnerable Library)

kind-of-5.1.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/is-descriptor/node_modules/kind-of/package.json,/tmp/ws-scm/best-shot/packages/preset-style/node_modules/is-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

  • imagemin-webpack-plugin-2.4.2.tgz (Root Library)
    • imagemin-6.1.0.tgz
      • globby-8.0.2.tgz
        • fast-glob-2.2.7.tgz
          • micromatch-3.1.10.tgz
            • snapdragon-0.8.2.tgz
              • define-property-0.2.5.tgz
                • is-descriptor-0.1.6.tgz
                  • kind-of-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 0870141f23f0f6d1ea27c0f452cd606a07bc6342

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available


Step up your Open Source Security Game with WhiteSource here

WS-2019-0019 (Medium) detected in braces-1.8.5.tgz

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /tmp/ws-scm/best-shot/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/livereload/node_modules/braces/package.json

Dependency Hierarchy:

  • docsify-cli-4.3.0.tgz (Root Library)
    • livereload-0.7.0.tgz
      • chokidar-1.7.0.tgz
        • anymatch-1.3.2.tgz
          • micromatch-2.3.11.tgz
            • braces-1.8.5.tgz (Vulnerable Library)

Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82

Vulnerability Details

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions, which can make the application unresponsive and lead to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.sortby:4.7.0

Vulnerabilities

DepShield reports that this application's usage of lodash.sortby:4.7.0 results in the following vulnerability(s):


Occurrences

lodash.sortby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

jest:24.9.0
        └─ jest-cli:24.9.0
              └─ jest-config:24.9.0
                    └─ jest-environment-jsdom:24.9.0
                          └─ jsdom:11.12.0
                                └─ data-urls:1.1.0
                                      └─ whatwg-url:7.0.0
                                            └─ lodash.sortby:4.7.0
                                └─ whatwg-url:6.5.0
                                      └─ lodash.sortby:4.7.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-11022 (Medium) detected in jquery-1.7.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/sockjs/examples/echo/index.html

Path to vulnerable library: /best-shot/packages/dev-server/node_modules/sockjs/examples/echo/index.html,/best-shot/packages/dev-server/node_modules/sockjs/examples/express-3.x/index.html,/best-shot/packages/dev-server/node_modules/sockjs/examples/express/index.html,/best-shot/packages/dev-server/node_modules/sockjs/examples/hapi/html/index.html,/best-shot/packages/dev-server/node_modules/sockjs/examples/multiplex/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: d55971df321316923fe09935f3912bd976b5c8da

Vulnerability Details

In jQuery before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

WS-2019-0307 (Medium) detected in mem-3.0.1.tgz

WS-2019-0307 - Medium Severity Vulnerability

Vulnerable Library - mem-3.0.1.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-3.0.1.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/dev-server/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/mem/package.json

Dependency Hierarchy:

  • webpack-serve-2.0.3.tgz (Root Library)
    • mem-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: cf2ae09d8554a43375c2ecb58fb7129a9df6f4fe

Vulnerability Details

A Denial of Service (DoS) vulnerability was found in mem before 4.0.0: old values are not removed from the cache, so an attacker may exhaust the system's memory.

Publish Date: 2019-12-01

URL: WS-2019-0307

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

CVE-2020-13822 (Medium) detected in elliptic-6.5.2.tgz

CVE-2020-13822 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/best-shot/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/elliptic/package.json

Dependency Hierarchy:

  • webpack-4.43.0.tgz (Root Library)
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.2.0.tgz
          • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: f98bcd3402d2bc1b4a7a01da891e5f6d6c31fb6c

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

CVE-2012-6708 (Medium) detected in jquery-1.7.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html,/best-shot/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 27596f8f3bf52ec7ede6b04a3d0c2c9d8d9d9b50

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

WS-2019-0209 (Medium) detected in marked-0.5.2.tgz

WS-2019-0209 - Medium Severity Vulnerability

Vulnerable Library - marked-0.5.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz

Path to dependency file: /tmp/ws-scm/best-shot/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/marked/package.json

Dependency Hierarchy:

  • docsify-cli-4.3.0.tgz (Root Library)
    • docsify-4.9.4.tgz
      • marked-0.5.2.tgz (Vulnerable Library)

Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82

Vulnerability Details

marked before 0.7.0 is vulnerable to a ReDoS attack via the _label subrule, which may significantly degrade parsing performance on malformed input.

Publish Date: 2019-09-05

URL: WS-2019-0209

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1076

Release Date: 2019-09-05

Fix Resolution: 0.7.0

CVE-2015-9251 (Medium) detected in jquery-1.12.4.min.js, jquery-1.7.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.12.4.min.js, jquery-1.7.1.min.js

jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/best-shot/node_modules/figlet/examples/front-end/index.htm

Path to vulnerable library: /best-shot/node_modules/figlet/examples/front-end/index.htm

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html,/best-shot/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 27596f8f3bf52ec7ede6b04a3d0c2c9d8d9d9b50

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

[DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.6.9

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):


Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

@nice-move/eslint-config-base:0.0.4
        └─ eslint-plugin-import:2.18.2
              └─ eslint-import-resolver-node:0.3.2
                    └─ debug:2.6.9
              └─ eslint-module-utils:2.4.1
                    └─ debug:2.6.9
              └─ debug:2.6.9

docsify-cli:4.4.0
        └─ connect:3.7.0
              └─ debug:2.6.9
              └─ finalhandler:1.1.2
                    └─ debug:2.6.9
        └─ docsify-server-renderer:4.9.1
              └─ debug:2.6.9
        └─ serve-static:1.14.1
              └─ send:0.17.1
                    └─ debug:2.6.9

nodemon:2.0.0
        └─ undefsafe:2.0.2
              └─ debug:2.6.9

webpack:4.41.2
        └─ micromatch:3.1.10
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ debug:2.6.9
              └─ snapdragon:0.8.2
                    └─ debug:2.6.9

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.isstring:4.0.1

Vulnerabilities

DepShield reports that this application's usage of lodash.isstring:4.0.1 results in the following vulnerability(s):


Occurrences

lodash.isstring:4.0.1 is a transitive dependency introduced by the following direct dependency(s):

@nice-move/stylelint-config:0.0.14
        └─ stylelint-scss:3.13.0
              └─ lodash.isstring:4.0.1

[DepShield] (CVSS 7.5) Vulnerability due to usage of marked:0.5.2

Vulnerabilities

DepShield reports that this application's usage of marked:0.5.2 results in the following vulnerability(s):


Occurrences

marked:0.5.2 is a transitive dependency introduced by the following direct dependency(s):

docsify:4.9.4
        └─ marked:0.5.2

WS-2020-0070 (High) detected in lodash-4.17.15.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/lodash/package.json,/tmp/ws-scm/best-shot/packages/dev-server/node_modules/lodash/package.json,/best-shot/packages/dev-server/node_modules/lodash/package.json,/best-shot/packages/dev-server/node_modules/lodash/package.json

Dependency Hierarchy:

  • optimize-css-assets-webpack-plugin-5.0.3.tgz (Root Library)
    • last-call-webpack-plugin-3.0.0.tgz
      • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 686f0921735bf909d78b591cd08995e46826027a

Vulnerability Details

A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

WS-2019-0424 (Medium) detected in elliptic-6.5.2.tgz

WS-2019-0424 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/best-shot/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/elliptic/package.json

Dependency Hierarchy:

  • webpack-4.43.0.tgz (Root Library)
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.2.0.tgz
          • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 399375ae76f002a0bacca7efe96f39db0b0ecd49

Vulnerability Details

All versions of elliptic are vulnerable to a timing attack through side channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

  • chore(deps): lock file maintenance

Pending Status Checks

These updates await pending status checks. To force their creation now, click the checkbox below.

  • chore(deps): update babel packages to ^7.24.6 (@babel/core, @babel/plugin-transform-react-constant-elements, @babel/plugin-transform-react-inline-elements, @babel/preset-react, @babel/preset-typescript)
  • chore(deps): update dependency css-loader to ^7.1.2
  • chore(deps): update dependency nodemon to ^3.1.1
  • chore(deps): update pnpm to v9.1.2
  • fix(deps): update dependency ini to ^4.1.3
  • fix(deps): update dependency sass to ^1.77.2
  • chore(deps): update dependency stylelint to ^16.6.0
  • fix(deps): update dependency ajv to ^8.14.0

Detected dependencies

github-actions
.github/workflows/bring-it.yaml
npm
package.json
  • react ~18.3.1
  • react-dom ~18.3.1
  • vue ^3.4.27
  • @babel/core ^7.24.5
  • @bring-it/npm ^0.5.4
  • @nice-move/cli ^0.11.12
  • @nice-move/eslint-config-base ^0.11.8
  • @nice-move/prettier-config ^0.12.3
  • @nice-move/stylelint-config ^0.10.6
  • @nice-move/syncpack-config ^0.1.3
  • @nice-move/tsconfig ^0.2.3
  • ava ^6.1.3
  • eslint ^8.57.0
  • eslint-plugin-ava ^14.0.0
  • garou ^0.7.5
  • nodemon ^3.1.0
  • prettier ^3.2.5
  • stylelint ^16.5.0
  • syncpack ^12.3.2
  • typescript ~5.4.5
  • webpack ^5.91.0
  • pnpm 9.1.1
packages/analyzer/package.json
  • webpack-bundle-analyzer ^4.10.2
packages/best-shot/package.json
  • terser ^5.31.0
  • terser-webpack-plugin ^5.3.10
  • webpack ^5.91.0
  • yaml-loader ^0.8.1
packages/cli/package.json
  • chalk ^5.3.0
  • cheetor ^0.13.0
  • webpackbar ^6.0.1
packages/config/package.json
  • chalk ^5.3.0
  • prompts ^2.4.2
packages/core/package.json
  • @best-shot/webpack-chain ^8.1.5
  • browserslist ^4.23.0
  • case-sensitive-paths-webpack-plugin ^2.4.0
  • chalk ^5.3.0
  • copy-webpack ^4.2.0
  • deepmerge ^4.3.1
  • ext-to-regexp ^0.1.0
  • json-minimizer-webpack-plugin ^5.0.0
  • slash ^5.1.0
  • slash-to-regexp ^0.0.4
  • terser ^5.31.0
  • terser-webpack-plugin ^5.3.10
  • yaml-loader ^0.8.1
packages/dev-server/package.json
  • chalk ^5.3.0
  • ejs ^3.1.10
  • express ^4.19.2
  • launch-editor-middleware ^2.6.1
  • webpack-dev-server ^5.0.4
  • webpack-dev-server-waitpage ^3.0.0
packages/env/package.json
  • @ltd/j-toml ^1.38.0
  • chalk ^5.3.0
  • flat ^6.0.1
  • ini ^4.1.2
  • yaml ^2.4.2
packages/inspector/package.json
  • fs-extra ^11.2.0
  • javascript-stringify ^2.1.0
  • sort-keys ^5.0.0
packages/no-cache-loader/package.json
packages/preset-asset/package.json
  • @astropub/codecs ^0.4.4
  • @sindresorhus/transliterate ^1.6.0
  • @volue/wasm-codecs-gifsicle ^1.0.0
  • ext-to-regexp ^0.1.0
  • image-minimizer-webpack-plugin ^4.0.0
  • svgo ^3.3.2
  • svgo-config ^0.7.0
packages/preset-babel/package.json
  • @babel/preset-typescript ^7.24.1
  • babel-loader ^9.1.3
  • babel-preset-evergreen ^0.9.15
  • browserslist ^4.23.0
  • ext-to-regexp ^0.1.0
  • slash-to-regexp ^0.0.4
packages/preset-react/package.json
  • @babel/plugin-transform-react-constant-elements ^7.24.1
  • @babel/plugin-transform-react-inline-elements ^7.24.1
  • @babel/preset-react ^7.24.1
  • @pmmmwh/react-refresh-webpack-plugin ^0.5.13
  • babel-plugin-transform-react-remove-prop-types ^0.4.24
  • react-refresh ^0.14.2
  • settingz ^0.2.0
packages/preset-style/package.json
  • css-loader ^7.1.1
  • css-minimizer-webpack-plugin ^7.0.0
  • cssnano ^7.0.1
  • ext-to-regexp ^0.1.0
  • less ^4.2.0
  • less-loader ^12.2.0
  • mini-css-extract-plugin ^2.9.0
  • postcss ^8.4.38
  • postcss-loader ^8.1.1
  • postcss-preset-evergreen ^0.5.9
  • resolve-url-loader ^5.0.0
  • sass ^1.77.1
  • sass-loader ^14.2.1
  • settingz ^0.2.0
  • slash-to-regexp ^0.0.4
  • style-loader ^4.0.0
packages/preset-vue/package.json
  • @best-shot/vue-loader 17.4.3
  • css-loader ^7.1.1
  • ext-to-regexp ^0.1.0
packages/preset-web/package.json
  • ext-to-regexp ^0.1.0
  • html-add-asset-webpack-plugin ^0.2.0
  • html-minimizer-webpack-plugin ^5.0.0
  • html-webpack-plugin ^5.6.0
  • micro-tpl-loader ^0.1.0
  • slash ^5.1.0
  • slash-to-regexp ^0.0.4
  • suffix ^1.0.0
  • webpack-subresource-integrity 5.2.0-rc.1
packages/validator/package.json
  • ajv ^8.13.0
  • ajv-formats ^3.0.1
  • ajv-keywords ^5.1.0

WS-2020-0068 (Medium) detected in yargs-parser-11.1.1.tgz

WS-2020-0068 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: /tmp/ws-scm/best-shot/packages/dev-server/package.json

Path to vulnerable library: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • webpack-dev-server-3.10.3.tgz (Root Library)
    • yargs-12.0.5.tgz
      • yargs-parser-11.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 678f34f88b46ed64a2e6bc8f1e87a619d618f179

Vulnerability Details

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Publish Date: 2020-05-01

URL: WS-2020-0068

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/yargs-parser

Release Date: 2020-05-04

Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.