dmyers87 / commercial-marketplace-saas-manual-on-boarding Goto Github PK
View Code? Open in Web Editor NEWThis project forked from factioninc/commercial-marketplace-saas-manual-on-boarding
Contoso Sample
License: MIT License
This project forked from factioninc/commercial-marketplace-saas-manual-on-boarding
Contoso Sample
License: MIT License
This is the implementation of the Azure SDK Client Library for Azure Identity
Library home page: https://api.nuget.org/packages/azure.identity.1.3.0.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg
Dependency Hierarchy:
Found in base branch: main
Azure Identity Library for .NET Information Disclosure Vulnerability
Publish Date: 2024-04-09
URL: CVE-2024-29992
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wvxc-855f-jvrv
Release Date: 2024-04-09
Fix Resolution: Azure.Identity - 1.11.0
Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /usr/share/dotnet/sdk/NuGetFallbackFolder/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b363cbedbe66b77c2fdc0201b10a4714fabf1499
Found in base branch: main
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.
Publish Date: 2019-05-16
URL: CVE-2019-0820
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cmhx-cq75-c4mj
Release Date: 2019-05-16
Fix Resolution: System.Text.RegularExpressions - 4.3.1
Client-side form validation made easy
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.17.0/jquery.validate.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery-validation/dist/jquery.validate.js
Dependency Hierarchy:
Client-side form validation made easy
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.17.0/jquery.validate.min.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery-validation/dist/jquery.validate.min.js
Dependency Hierarchy:
Found in HEAD commit: b363cbedbe66b77c2fdc0201b10a4714fabf1499
Found in base branch: main
The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to supply arbitrary input to the url2 method. This is due to an incomplete fix for CVE-2021-43306. Users should upgrade to version 1.19.5 to receive a patch.
Publish Date: 2022-07-14
URL: CVE-2022-31147
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-ffmh-x56j-9rc3
Release Date: 2022-07-14
Fix Resolution: jquery-validation - 1.19.5
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery/dist/jquery.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery/dist/jquery.js
Dependency Hierarchy:
Found in HEAD commit: b363cbedbe66b77c2fdc0201b10a4714fabf1499
Found in base branch: main
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery/dist/jquery.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery/dist/jquery.min.js
Dependency Hierarchy:
Found in HEAD commit: b363cbedbe66b77c2fdc0201b10a4714fabf1499
Found in base branch: main
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
Provides types for encoding and escaping strings for use in JavaScript, HyperText Markup Language (H...
Library home page: https://api.nuget.org/packages/system.text.encodings.web.4.5.0.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /usr/share/dotnet/sdk/NuGetFallbackFolder/system.text.encodings.web/4.5.0/system.text.encodings.web.4.5.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b363cbedbe66b77c2fdc0201b10a4714fabf1499
Found in base branch: main
.NET Core Remote Code Execution Vulnerability
Publish Date: 2021-02-25
URL: CVE-2021-26701
Base Score Metrics:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery/dist/jquery.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery/dist/jquery.min.js
Dependency Hierarchy:
Found in base branch: main
Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the element.
Publish Date: 2023-06-26
URL: CVE-2020-23064
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2023-06-26
Fix Resolution: jquery - 3.5.0
Client-side form validation made easy
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.17.0/jquery.validate.min.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery-validation/dist/jquery.validate.min.js
Dependency Hierarchy:
Client-side form validation made easy
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.17.0/jquery.validate.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery-validation/dist/jquery.validate.js
Dependency Hierarchy:
Found in HEAD commit: b363cbedbe66b77c2fdc0201b10a4714fabf1499
Found in base branch: main
The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.
Publish Date: 2021-01-13
URL: CVE-2021-21252
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jxwx-85vp-gvwm
Release Date: 2021-01-13
Fix Resolution: jquery-validation - 1.19.3
ASP.NET Core middleware that enables an application to receive an OpenID Connect bearer token.
This...
Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.authentication.jwtbearer.5.0.0.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.authentication.jwtbearer/5.0.0/microsoft.aspnetcore.authentication.jwtbearer.5.0.0.nupkg
Dependency Hierarchy:
Found in HEAD commit: b363cbedbe66b77c2fdc0201b10a4714fabf1499
Found in base branch: main
ASP.NET Core and Visual Studio Information Disclosure Vulnerability
Publish Date: 2021-08-12
URL: CVE-2021-34532
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q7cg-43mg-qp69
Release Date: 2021-08-12
Fix Resolution: Microsoft.AspNetCore.Authentication.JwtBearer - 2.1.30, 3.1.18, 5.0.9
Pure C# implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) by Stark Bank
Library home page: https://api.nuget.org/packages/starkbank-ecdsa.1.2.0.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/starkbank-ecdsa/1.2.0/starkbank-ecdsa.1.2.0.nupkg
Dependency Hierarchy:
Found in base branch: main
The verify function in the Stark Bank .NET ECDSA library (ecdsa-dotnet) 1.3.1 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
Publish Date: 2021-11-09
URL: CVE-2021-43569
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j3jw-j2j8-2wv9
Release Date: 2021-11-09
Fix Resolution: starkbank-ecdsa - 1.3.2
Includes types that provide support for creating, serializing and validating JSON Web Tokens.
Library home page: https://api.nuget.org/packages/system.identitymodel.tokens.jwt.6.7.1.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/6.7.1/system.identitymodel.tokens.jwt.6.7.1.nupkg
Dependency Hierarchy:
Includes types that provide support for creating, serializing and validating JSON Web Tokens.
Library home page: https://api.nuget.org/packages/microsoft.identitymodel.jsonwebtokens.6.7.1.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/6.7.1/microsoft.identitymodel.jsonwebtokens.6.7.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: b363cbedbe66b77c2fdc0201b10a4714fabf1499
Found in base branch: main
Microsoft Identity Denial of service vulnerability
Publish Date: 2024-01-09
URL: CVE-2024-21319
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8g9c-28fc-mcx2
Release Date: 2024-01-09
Fix Resolution: System.IdentityModel.Tokens.Jwt - 5.7.0,6.34.0,7.1.2, Microsoft.IdentityModel.JsonWebTokens - 5.7.0,6.34.0,7.1.2
This is the implementation of the Azure SDK Client Library for Azure Identity
Library home page: https://api.nuget.org/packages/azure.identity.1.3.0.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg
Dependency Hierarchy:
Found in base branch: main
Azure Identity SDK Remote Code Execution Vulnerability
Publish Date: 2023-10-10
URL: CVE-2023-36414
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-36414
Release Date: 2023-10-10
Fix Resolution: Azure.Identity - 1.10.2
Targets files to enable the Visual Studio Tools for Containers.
Library home page: https://api.nuget.org/packages/microsoft.visualstudio.azure.containers.tools.targets.1.10.8.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.visualstudio.azure.containers.tools.targets/1.10.8/microsoft.visualstudio.azure.containers.tools.targets.1.10.8.nupkg,/zure.containers.tools.targets/1.10.8/microsoft.visualstudio.azure.containers.tools.targets.1.10.8.nupkg
Dependency Hierarchy:
Found in HEAD commit: b363cbedbe66b77c2fdc0201b10a4714fabf1499
Found in base branch: main
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial Of Service (DoS). \n\nThe serialization and deserialization path have different properties regarding the issue.\n\nDeserializing methods (like JsonConvert.DeserializeObject
) will process the input that results in burning the CPU, allocating memory, and consuming a thread of execution. Quite high nesting level (>10kk, or 9.5MB of {a:{a:{...
input) is needed to achieve the latency over 10 seconds, depending on the hardware.\n\nSerializing methods (like JsonConvert.Serialize
or JObject.ToString
) will throw StackOverFlow exception with the nesting level of around 20k.\n\nTo mitigate the issue one either need to update Newtonsoft.Json to 13.0.1 or set MaxDepth
parameter in the JsonSerializerSettings
. This can be done globally with the following statement. After that the parsing of the nested input will fail fast with Newtonsoft.Json.JsonReaderException
:\n\n \nJsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };\n
\n\nRepro code:\n\n//Create a string representation of an highly nested object (JSON serialized)\nint nRep = 25000;\nstring json = string.Concat(Enumerable.Repeat(\"{a:\", nRep)) + \"1\" +\n string.Concat(Enumerable.Repeat(\"}\", nRep));\n\n//Parse this object (leads to high CPU/RAM consumption)\nvar parsedJson = JsonConvert.DeserializeObject(json);\n\n// Methods below all throw stack overflow with nRep around 20k and higher\n// string a = parsedJson.ToString();\n// string b = JsonConvert.SerializeObject(parsedJson);\n
\n\n### Additional affected product and version information\nThe original statement about the problem only affecting IIS applications is misleading. Any application is affected, however the IIS has a behavior that stops restarting the instance after some time resulting in a harder-to-fix DoS.**
Publish Date: 2022-06-22
URL: WS-2022-0161
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-06-22
Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0
Coverlet is a cross platform code coverage library for .NET, with support for line, branch and method coverage.
Library home page: https://api.nuget.org/packages/coverlet.collector.3.0.2.nupkg
Path to dependency file: /src/CommandCenterTests/CommandCenterTests.csproj
Path to vulnerable library: /coverlet.collector.3.0.2.nupkg
Dependency Hierarchy:
Targets files to enable the Visual Studio Tools for Containers.
Library home page: https://api.nuget.org/packages/microsoft.visualstudio.azure.containers.tools.targets.1.10.8.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.visualstudio.azure.containers.tools.targets/1.10.8/microsoft.visualstudio.azure.containers.tools.targets.1.10.8.nupkg,/zure.containers.tools.targets/1.10.8/microsoft.visualstudio.azure.containers.tools.targets.1.10.8.nupkg
Dependency Hierarchy:
Json.NET is a popular high-performance JSON framework for .NET
Library home page: https://api.nuget.org/packages/newtonsoft.json.12.0.2.nupkg
Path to dependency file: /src/CommandCenter/CommandCenter.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/newtonsoft.json/12.0.2/newtonsoft.json.12.0.2.nupkg
Dependency Hierarchy:
Found in base branch: main
Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.
Publish Date: 2024-01-03
URL: CVE-2024-21907
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5crp-9r3c-p9vr
Release Date: 2024-01-03
Fix Resolution: Newtonsoft.Json - 13.0.1
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery/dist/jquery.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to vulnerable library: /src/CommandCenter/wwwroot/lib/jquery/dist/jquery.min.js
Dependency Hierarchy:
Found in HEAD commit: b363cbedbe66b77c2fdc0201b10a4714fabf1499
Found in base branch: main
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.