laudatecorpuswebsite1's Introduction

Node.js Sails.js web application

Sample Node.js Sails.js web application built with Visual Studio Code.

Language    Framework  Runtime  Platform       Author
javascript  Sailjs     node     Azure Web App

Installation

For development, you will need Node.js and a node global package

Node

  • Node installation on Windows

    Just go to the official Node.js website and download the installer. Also, be sure to have git available in your PATH, since npm might need it (you can find git here).

  • Node installation on Ubuntu

    You can install nodejs and npm easily with apt install; just run the following commands.

    $ sudo apt install nodejs
    $ sudo apt install npm
    
  • Other Operating Systems

    You can find more information about the installation on the official Node.js website and the official NPM website.

If the installation was successful, you should be able to run the following command.

$ node --version
v8.11.3

$ npm --version
6.1.0

If you need to update npm, you can do it using npm itself! Cool, right? After running the following command, just reopen the command line and be happy.

$ npm install npm -g

Running

  • Clone this repository

    $ git clone https://github.com/YOUR_USERNAME/REPOSITORY_NAME.git

  • Install dependencies

    $ cd Application
    $ npm install -g

  • Run Application

    $ cd Application
    $ npm start

  • Running tests

    $ cd Tests
    $ npm install -g
    $ npm test

Deploying on Azure

Any change to this repository triggers a workflow that builds and deploys this app to Azure as an App Service. Learn more about Azure App Service and GitHub Actions.

Contributing

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

License:

See LICENSE.

laudatecorpuswebsite1's People

Contributors

classicvalues, renovate[bot], renovate-bot, dependabot[bot]

laudatecorpuswebsite1's Issues

CVE-2021-44906 (High) detected in minimist-1.2.3.tgz - autoclosed

CVE-2021-44906 - High Severity Vulnerability

Vulnerable Library - minimist-1.2.3.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.3.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/minimist/package.json

Dependency Hierarchy:

  • rc-1.2.8.tgz (Root Library)
    • minimist-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6


Step up your Open Source Security Game with Mend here

WS-2021-0153 (High) detected in ejs-2.5.7.tgz - autoclosed

WS-2021-0153 - High Severity Vulnerability

Vulnerable Library - ejs-2.5.7.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.5.7.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/sails/node_modules/ejs/package.json

Dependency Hierarchy:

  • sails-1.5.2.tgz (Root Library)
    • ejs-2.5.7.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

An arbitrary code injection vulnerability was found in ejs before 3.1.6, caused by a filename that is not sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6

CVE-2022-25883 (High) detected in multiple libraries

CVE-2022-25883 - High Severity Vulnerability

Vulnerable Libraries - semver-5.7.1.tgz, semver-5.4.1.tgz, semver-4.3.6.tgz

semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/make-dir/node_modules/semver/package.json

Dependency Hierarchy:

  • grunt-contrib-less-3.0.0.tgz (Root Library)
    • less-4.1.1.tgz
      • make-dir-2.1.0.tgz
        • semver-5.7.1.tgz (Vulnerable Library)
semver-5.4.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.4.1.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/semver/package.json

Dependency Hierarchy:

  • applicationinsights-2.3.6.tgz (Root Library)
    • cls-hooked-4.2.2.tgz
      • semver-5.4.1.tgz (Vulnerable Library)
semver-4.3.6.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-4.3.6.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/sails/node_modules/semver/package.json,/Application/node_modules/skipper/node_modules/semver/package.json

Dependency Hierarchy:

  • sails-1.5.3.tgz (Root Library)
    • semver-4.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 294ab8637d28454734d462394da6e29b0f867a7b

Found in base branch: master

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (applicationinsights): 3.0.0

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (sails): 1.5.7

WS-2018-0148 (High) detected in utile-0.3.0.tgz - autoclosed

WS-2018-0148 - High Severity Vulnerability

Vulnerable Library - utile-0.3.0.tgz

A drop-in replacement for `util` with some additional advantageous functions

Library home page: https://registry.npmjs.org/utile/-/utile-0.3.0.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/utile/package.json

Dependency Hierarchy:

  • sails-1.5.0.tgz (Root Library)
    • prompt-1.1.0.tgz
      • utile-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

The utile npm module, version 0.3.0, allows an attacker to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed (e.g. from JSON).

Publish Date: 2018-07-16

URL: WS-2018-0148

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0148

Release Date: 2018-01-16

Fix Resolution: JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03

CVE-2021-43138 (High) detected in async-0.2.10.tgz, async-0.9.2.tgz - autoclosed

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Libraries - async-0.2.10.tgz, async-0.9.2.tgz

async-0.2.10.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-0.2.10.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/@sailshq/nedb/node_modules/async/package.json

Dependency Hierarchy:

  • sails-disk-2.1.2.tgz (Root Library)
    • nedb-1.8.2.tgz
      • async-0.2.10.tgz (Vulnerable Library)
async-0.9.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-0.9.2.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/prompt/node_modules/async/package.json

Dependency Hierarchy:

  • sails-1.5.3.tgz (Root Library)
    • prompt-1.2.1.tgz
      • async-0.9.2.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - 2.6.4,3.2.2

CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz - autoclosed

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • sails-disk-2.1.1.tgz (Root Library)
    • nedb-1.8.1.tgz
      • mkdirp-0.5.1.tgz
        • minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

CVE-2023-38504 (High) detected in sails-1.5.3.tgz

CVE-2023-38504 - High Severity Vulnerability

Vulnerable Library - sails-1.5.3.tgz

API-driven framework for building realtime apps, using MVC conventions (based on Express and Socket.io)

Library home page: https://registry.npmjs.org/sails/-/sails-1.5.3.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/sails/package.json

Dependency Hierarchy:

  • sails-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 294ab8637d28454734d462394da6e29b0f867a7b

Found in base branch: master

Vulnerability Details

Sails is a realtime MVC Framework for Node.js. In Sails apps prior to version 1.5.7, an attacker can send a virtual request that will cause the node process to crash. This behavior was fixed in Sails v1.5.7. As a workaround, disable the sockets hook and remove the sails.io.js client.

Publish Date: 2023-07-27

URL: CVE-2023-38504

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-gpw9-fwm8-7rx7

Release Date: 2023-07-27

Fix Resolution: 1.5.7

CVE-2021-29469 (High) detected in redis-2.8.0.tgz - autoclosed

CVE-2021-29469 - High Severity Vulnerability

Vulnerable Library - redis-2.8.0.tgz

Redis client library

Library home page: https://registry.npmjs.org/redis/-/redis-2.8.0.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/redis/package.json

Dependency Hierarchy:

  • sails-1.5.2.tgz (Root Library)
    • machinepack-redis-2.0.6.tgz
      • redis-2.8.0.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

Node-redis is a Node.js Redis client. Before version 3.1.1, when a client is in monitoring mode, the regex being used to detect monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched in version 3.1.1.

Publish Date: 2021-04-23

URL: CVE-2021-29469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35q2-47q7-3pc3

Release Date: 2021-04-23

Fix Resolution: redis - 3.1.1

CVE-2023-26136 (Critical) detected in tough-cookie-4.1.2.tgz

CVE-2023-26136 - Critical Severity Vulnerability

Vulnerable Library - tough-cookie-4.1.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.2.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • applicationinsights-2.3.6.tgz (Root Library)
    • core-http-2.2.7.tgz
      • tough-cookie-4.1.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (applicationinsights): 2.4.0

CVE-2023-0842 (Medium) detected in xml2js-0.4.23.tgz

CVE-2023-0842 - Medium Severity Vulnerability

Vulnerable Library - xml2js-0.4.23.tgz

Simple XML to JavaScript object converter.

Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/xml2js/package.json

Dependency Hierarchy:

  • applicationinsights-2.3.6.tgz (Root Library)
    • core-http-2.2.7.tgz
      • xml2js-0.4.23.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

Publish Date: 2023-04-05

URL: CVE-2023-0842

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842

Release Date: 2023-04-05

Fix Resolution (xml2js): 0.5.0

Direct dependency fix Resolution (applicationinsights): 2.4.0

CVE-2022-0436 (Medium) detected in grunt-1.4.1.tgz - autoclosed

CVE-2022-0436 - Medium Severity Vulnerability

Vulnerable Library - grunt-1.4.1.tgz

The JavaScript Task Runner

Library home page: https://registry.npmjs.org/grunt/-/grunt-1.4.1.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/grunt/package.json

Dependency Hierarchy:

  • grunt-1.4.1.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.

Publish Date: 2022-04-12

URL: CVE-2022-0436

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0436

Release Date: 2022-04-12

Fix Resolution: grunt - 1.5.2

CVE-2022-0235 (Medium) detected in node-fetch-2.6.6.tgz - autoclosed

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.6.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/node-fetch/package.json

Dependency Hierarchy:

  • applicationinsights-2.1.9.tgz (Root Library)
    • core-http-2.2.2.tgz
      • node-fetch-2.6.6.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor.

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2020-7788 (High) detected in ini-1.3.4.tgz - autoclosed

CVE-2020-7788 - High Severity Vulnerability

Vulnerable Library - ini-1.3.4.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.4.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/ini/package.json

Dependency Hierarchy:

  • rc-1.2.8.tgz (Root Library)
    • ini-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: 6dfa417c7331469147ac5af6eeeea68f7514fe88

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

These problems occurred while renovating this repository.

  • WARN: Fallback to renovate.json file as a preset is deprecated, please use a default.json file instead.
  • WARN: Using npm packages for Renovate presets is now deprecated. Please migrate to repository-based presets instead.

Detected dependencies

circleci
.circleci/config.yml
  • node 5.0.3
dockerfile
Application/Dockerfile
  • node 19.3.0
github-actions
.github/workflows/azure.yml
  • actions/checkout v3
  • actions/setup-node v3
  • azure/webapps-deploy v2
.github/workflows/codescaner-analysis.yml
  • actions/checkout v3
  • actions/cache v3
  • github/codeql-action v2
.github/workflows/deno.yml
  • actions/checkout v3
  • denolib/setup-deno 3c5f954c869f1b0d106e129797480905587250f5
.github/workflows/devops-starter-workflow.yml
  • azure/login v1
  • azure/arm-deploy v1
  • azure/docker-login v1
  • azure/login v1
  • azure/arm-deploy v1
  • azure/webapps-deploy v2
  • actions/checkout v3
  • actions/setup-node v3
.github/workflows/google.yml
  • actions/checkout v3
  • google-github-actions/setup-gcloud v1.0.1
  • google-github-actions/get-gke-credentials v1.0.1
.github/workflows/googleXs.yml
  • actions/checkout v3
  • google-github-actions/setup-gcloud v1.0.1
  • defensecode/thunderscan-action v1.0
  • google-github-actions/get-gke-credentials v1.0.1
.github/workflows/jekyll.yml
  • actions/checkout v3
.github/workflows/manual.yml
.github/workflows/node.js.yml
  • actions/checkout v3
  • actions/setup-node v3
.github/workflows/npm-publish.yml
  • actions/checkout v3
  • actions/setup-node v3
  • actions/checkout v3
  • actions/setup-node v3
  • actions/checkout v3
  • actions/setup-node v3
.github/workflows/ossar-analysis.yml
  • actions/checkout v3
  • github/codeql-action v2
.github/workflows/python-app.yml
  • actions/checkout v3
  • actions/setup-python v4
npm
Application/package.json
  • applicationinsights 2.3.6
  • ejs 3.1.8
  • grunt 1.5.3
  • grunt-contrib-clean 2.0.1
  • grunt-contrib-coffee 2.1.0
  • grunt-contrib-concat 2.1.0
  • grunt-contrib-copy 1.0.0
  • grunt-contrib-cssmin 4.0.0
  • grunt-contrib-jst 2.0.0
  • grunt-contrib-less 3.0.0
  • grunt-contrib-uglify 5.2.2
  • grunt-contrib-watch 1.1.0
  • grunt-sails-linker 1.0.4
  • grunt-sync 0.8.2
  • include-all 4.0.3
  • rc 1.2.8
  • sails-disk 2.1.2
  • sails 1.5.3
  • natives 1.1.6

CVE-2022-24999 (High) detected in qs-6.5.1.tgz, qs-6.7.0.tgz

CVE-2022-24999 - High Severity Vulnerability

Vulnerable Libraries - qs-6.5.1.tgz, qs-6.7.0.tgz

qs-6.5.1.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.1.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-1.1.0.tgz (Root Library)
    • tiny-lr-1.1.1.tgz
      • qs-6.5.1.tgz (Vulnerable Library)
qs-6.7.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/express/node_modules/qs/package.json,/Application/node_modules/body-parser/node_modules/qs/package.json

Dependency Hierarchy:

  • sails-1.5.3.tgz (Root Library)
    • express-4.17.1.tgz
      • qs-6.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 294ab8637d28454734d462394da6e29b0f867a7b

Found in base branch: master

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (sails): 1.5.4

CVE-2021-44908 (High) detected in sails-1.5.2.tgz - autoclosed

CVE-2021-44908 - High Severity Vulnerability

Vulnerable Library - sails-1.5.2.tgz

API-driven framework for building realtime apps, using MVC conventions (based on Express and Socket.io)

Library home page: https://registry.npmjs.org/sails/-/sails-1.5.2.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/sails/package.json

Dependency Hierarchy:

  • sails-1.5.2.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules().

Publish Date: 2022-03-17

URL: CVE-2021-44908

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44908

Release Date: 2022-03-17

Fix Resolution: sails - 1.0.0,0.12.10,0.12.2-0,0.12.11

CVE-2021-3765 (High) detected in validator-5.7.0.tgz - autoclosed

CVE-2021-3765 - High Severity Vulnerability

Vulnerable Library - validator-5.7.0.tgz

String validation and sanitization

Library home page: https://registry.npmjs.org/validator/-/validator-5.7.0.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/validator/package.json

Dependency Hierarchy:

  • sails-1.5.2.tgz (Root Library)
    • machine-15.2.2.tgz
      • anchor-1.4.0.tgz
        • validator-5.7.0.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

validator.js is vulnerable to Inefficient Regular Expression Complexity.

Publish Date: 2021-11-02

URL: CVE-2021-3765

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qgmg-gppg-76g5

Release Date: 2021-11-02

Fix Resolution: validator - 13.7.0

CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz - autoclosed

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/minimatch/package.json

Dependency Hierarchy:

  • grunt-1.5.3.tgz (Root Library)
    • minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2024-29041 (Medium) detected in express-4.17.1.tgz

CVE-2024-29041 - Medium Severity Vulnerability

Vulnerable Library - express-4.17.1.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.17.1.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/express/package.json

Dependency Hierarchy:

  • sails-1.5.3.tgz (Root Library)
    • express-4.17.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Express.js is a minimalist web framework for Node. Versions of Express.js prior to 4.19.0, and all pre-release alpha and beta versions of 5.0, are affected by an open redirect vulnerability triggered by malformed URLs. When an Express application redirects to a user-provided URL, Express runs the value through encodeurl before placing it in the Location header. The encoded string can be parsed differently from the original by common redirect allow-list implementations in Express applications: a URL whose host the allow list judged safe can, once encoded, send the browser to a different host, bypassing a properly implemented allow list. The method directly affected is res.location(), which res.redirect() also calls. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3; the Fix Resolution below names 4.19.0, but the description itself places the complete fix at 4.19.2, so upgrade to at least that version.
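The allow-list bypass described above, as an added example that is not part of the advisory or of Express's code. It assumes an application that allows redirects only to example.com, uses the constructed attack value http://example.com\@evil.com, and uses the built-in encodeURI as a stand-in for the encodeurl package, since both percent-encode the backslash that the bypass turns on: the WHATWG parser treats a bare "\" as the end of the authority, so the raw string passes the host check, while the encoded "%5C" is no longer a separator and the "@" turns example.com into userinfo.

```javascript
// Added example (not Express's own code): CVE-2024-29041 allow-list bypass.
// encodeURI stands in for the encodeurl package that res.location() applied
// before Express 4.19.x; both percent-encode "\" (assumption stated in the text).

const ALLOWED_HOST = 'example.com';             // assumption: the app's allow list
const ATTACK = 'http://example.com\\@evil.com';  // constructed malicious ?next= value

// Allow-list check as many apps write it: parse with the WHATWG URL parser and
// compare the hostname. For the attack value this yields "example.com",
// because a bare backslash terminates the authority section.
function hostIsAllowed(raw) {
  try {
    return new URL(raw).hostname === ALLOWED_HOST;
  } catch {
    return false; // unparsable input is rejected outright
  }
}

// Vulnerable pattern: validate the raw string, then hand the raw string to
// res.redirect(). Pre-4.19 Express emitted encodeurl(raw) as the Location value.
function vulnerableLocation(raw) {
  if (!hostIsAllowed(raw)) return null;
  return encodeURI(raw); // models the Location header value
}

// Hardened pattern: redirect to the parsed and re-serialised URL, so the value
// that reaches the Location header is exactly the one the allow list judged.
function hardenedLocation(raw) {
  if (!hostIsAllowed(raw)) return null;
  return new URL(raw).href;
}

// Where a browser actually goes: parse the Location value as a browser does.
function destinationHost(location) {
  return location === null ? null : new URL(location).hostname;
}
```

Upgrading Express removes the re-encoding step, but the hardened pattern is worth keeping regardless: validate and emit the same serialisation of the URL, never two different strings.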

Publish Date: 2024-03-25

URL: CVE-2024-29041

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-rv95-896h-c2vc

Release Date: 2024-03-25

Fix Resolution: express - 4.19.0


CVE-2023-29827 (Medium) detected in ejs-3.1.8.tgz, ejs-3.1.7.tgz - autoclosed

CVE-2023-29827 - Medium Severity Vulnerability

Vulnerable Libraries - ejs-3.1.8.tgz, ejs-3.1.7.tgz

ejs-3.1.8.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.8.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/ejs/package.json

Dependency Hierarchy:

  • ejs-3.1.8.tgz (Vulnerable Library)

ejs-3.1.7.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.7.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/sails/node_modules/ejs/package.json

Dependency Hierarchy:

  • sails-1.5.3.tgz (Root Library)
    • ejs-3.1.7.tgz (Vulnerable Library)

Found in HEAD commit: 294ab8637d28454734d462394da6e29b0f867a7b

Found in base branch: master

Vulnerability Details

ejs v3.1.9 is vulnerable to server-side template injection: if the ejs template file itself is attacker-controllable, template injection can be achieved through the closeDelimiter configuration option. Note that this CVE record is disputed; the vendor's position is that the report is not valid because it requires a controllable ejs file, which is already trusted input. That precondition is consistent with the Local attack vector scored below, and no fix version is listed for it.

Publish Date: 2023-05-04

URL: CVE-2023-29827

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High



CVE-2022-29078 (High) detected in ejs-2.5.7.tgz - autoclosed

CVE-2022-29078 - High Severity Vulnerability

Vulnerable Library - ejs-2.5.7.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.5.7.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/node_modules/sails/node_modules/ejs/package.json

Dependency Hierarchy:

  • sails-1.5.2.tgz (Root Library)
    • ejs-2.5.7.tgz (Vulnerable Library)

Found in HEAD commit: cf94c4c1217dc1a4ea136a1e5d42cf39e1928261

Found in base branch: master

Vulnerability Details

The ejs (Embedded JavaScript templates) package for Node.js, up to and including 3.1.6, allows server-side template injection through settings[view options][outputFunctionName]. When an application passes untrusted request data (for example req.query or req.body) as render options, that key is parsed as an internal option and overwrites outputFunctionName, whose value is spliced verbatim into the generated template function; the injected JavaScript, which in the public reports was an OS command run via child_process, executes when the template is compiled and rendered. The copy flagged here is 2.5.7, an older release line that is also affected; the fix is 3.1.7.
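The injection mechanism described above, as an added example that is neither ejs's nor Express's code. The toy compiler below splices the outputFunctionName option into the source it builds with new Function, the way ejs did before 3.1.7; the attack locals object is constructed to mirror what the qs query-string parser produces for ?settings[view options][outputFunctionName]=..., and the payload sets a global flag rather than running an OS command. Two guards are shown: the identifier check that corresponds to the upstream fix, and an allow-list of locals that keeps request data away from engine options regardless of engine version.

```javascript
// Added example (not ejs's own code): CVE-2022-29078 mechanism and mitigations.

const IDENT = /^[A-Za-z_$][\w$]*$/;

// Compile "text <%= expr %> text" into a render function. With validateName
// false the option is interpolated verbatim into source code, as ejs < 3.1.7 did.
function compile(template, opts = {}, validateName = false) {
  const outName = opts.outputFunctionName;
  if (validateName && outName !== undefined && !IDENT.test(outName)) {
    throw new Error('outputFunctionName must be a plain identifier: ' + JSON.stringify(outName));
  }
  let src = 'var __out = [];\n';
  src += 'function __append(s) { if (s !== undefined && s !== null) __out.push(String(s)); }\n';
  if (outName !== undefined) {
    // The alias line is where the option meets generated source. A value such
    // as "x; globalThis.pwned = 'yes'; y" becomes three statements, not a name.
    src += 'var ' + outName + ' = __append;\n';
  }
  const tag = /<%=([\s\S]*?)%>/g;
  let last = 0;
  let m;
  while ((m = tag.exec(template)) !== null) {
    src += '__append(' + JSON.stringify(template.slice(last, m.index)) + ');\n';
    src += '__append(' + m[1].trim() + ');\n';
    last = tag.lastIndex;
  }
  src += '__append(' + JSON.stringify(template.slice(last)) + ');\n';
  src += 'return __out.join("");';
  return new Function('locals', src); // runs in sloppy mode, like any Function() body
}

// Models the Express/ejs hand-off (assumption, simplified): Express passes the
// res.render() locals to the engine, and ejs copies locals.settings['view options']
// onto its compile options. Spreading req.query or req.body into those locals
// is what lets an attacker reach this key.
function renderLikeExpress(template, locals, hardened = false) {
  const viewOpts = (locals.settings && locals.settings['view options']) || {};
  return compile(template, viewOpts, hardened)(locals);
}

// Engine-independent guard: copy only the keys the view is meant to see, so
// reserved keys such as `settings` never reach the template engine.
function pickLocals(untrusted, allowedKeys) {
  const out = {};
  for (const k of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(untrusted, k)) out[k] = untrusted[k];
  }
  return out;
}

const TEMPLATE = 'Hello <%= locals.name %>';

// Constructed attacker input, shaped like qs's parse of
//   ?name=world&settings[view options][outputFunctionName]=x;globalThis.pwned='yes';y
// The public reports used an OS command here; a global flag is enough to show execution.
const ATTACK_LOCALS = {
  name: 'world',
  settings: { 'view options': { outputFunctionName: "x; globalThis.pwned = 'yes'; y" } },
};
```

The render on the vulnerable path still produces "Hello world", which is why this class of bug is easy to miss in testing: the page looks right while the payload has already run.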

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078

Release Date: 2022-04-25

Fix Resolution: ejs - v3.1.7
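The Fix Resolution lines on this page (validator 13.7.0, minimatch 3.0.5, express 4.19.x, ejs 3.1.7) are only useful if every installed copy is checked, and the ejs entries above show why: the scanner found one copy at node_modules/ejs and another at node_modules/sails/node_modules/ejs, and npm records each as its own lockfile entry. The following is an added example, not Mend's or the project's tooling, that walks a package-lock.json (lockfileVersion 2 or 3, "packages" map) and flags every copy below its fix level. It assumes plain MAJOR.MINOR.PATCH versions with no pre-release tags, takes the express fix level as the 4.19.2 named in the vulnerability description rather than the 4.19.0 in the Fix Resolution line, and uses a constructed lockfile excerpt shaped like the paths reported here.

```javascript
// Added example (not Mend's or the project's code): find every lockfile copy
// of a package that is below the fixed version, including nested copies.

const FIXES = {            // fix levels taken from this page's advisories
  validator: '13.7.0',
  minimatch: '3.0.5',
  express: '4.19.2',       // assumption: use the description's 4.19.2, not 4.19.0
  ejs: '3.1.7',
};

// Constructed lockfile excerpt, shaped like the paths reported on this page.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'Application', version: '1.0.0' },
    'node_modules/sails': { version: '1.5.3' },
    'node_modules/express': { version: '4.17.1' },
    'node_modules/ejs': { version: '3.1.8' },
    'node_modules/sails/node_modules/ejs': { version: '2.5.7' },
    'node_modules/grunt': { version: '1.5.3' },
    'node_modules/minimatch': { version: '3.0.4' },
    'node_modules/validator': { version: '13.7.0' },
  },
};

// "v3.1.7" and "3.1.7" compare equal; pre-release tags are not handled (assumption).
function parseVersion(v) {
  return String(v).replace(/^v/, '').split('.').map((n) => parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1 like a comparator; missing trailing components count as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package name is whatever follows the last "node_modules/" segment, which
// also handles scoped names (node_modules/@scope/name) and nested copies.
function packageNameFromPath(path) {
  const idx = path.lastIndexOf('node_modules/');
  return idx === -1 ? null : path.slice(idx + 'node_modules/'.length);
}

// One finding per vulnerable copy, so a nested duplicate is never masked by a
// patched top-level copy of the same package.
function findOutdated(lock, fixes) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in fixes) || !entry.version) continue;
    if (compareVersions(entry.version, fixes[name]) < 0) {
      findings.push({ path, name, installed: entry.version, fixed: fixes[name] });
    }
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Usage: node check-lock.js [path/to/package-lock.json]; without an argument
// the constructed excerpt above is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : LOCK;
  for (const f of findOutdated(lock, FIXES)) {
    console.log(`${f.path}: ${f.name}@${f.installed} is below fixed ${f.fixed}`);
  }
}
```

Run against the real lockfile after each upgrade: a top-level "npm install ejs@latest" leaves the copy nested under sails untouched, and this is exactly the case the two ejs paths above record.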

