A React application for tracking the 700 achievements in the Halo: Master Chief Collection
Home Page: https://www.michaelmickelson.com/HaloCollectibles/
License: GNU General Public License v3.0
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
Vulnerable Library - elliptic-6.5.3.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution: v6.5.4
Step up your Open Source Security Game with WhiteSource here
Vulnerable Libraries - ws-6.2.1.tgz, ws-5.2.2.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/webpack-dev-server/node_modules/ws/package.json,HaloCollectibles/halo-collectibles/node_modules/jest-environment-jsdom-fourteen/node_modules/ws/package.json
Dependency Hierarchy:
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-5.2.2.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/ws/package.json
Dependency Hierarchy:
Found in HEAD commit: 1fcce2e18f257d14a22ef90cb09903ad1f8044e1
Found in base branch: master
Vulnerability Details
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution: ws - 7.4.6
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - serialize-javascript-2.1.2.tgzSerialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-01
Fix Resolution: serialize-javascript - 3.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-1.7.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/multiplex/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/echo/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express-3.x/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
Currently the README is an artifact of the initial site that was configured to be a set of markdown files, but was later abandoned in favor of a react application
Vulnerable Library - jquery-1.7.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/multiplex/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/echo/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express-3.x/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-1.7.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/multiplex/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/echo/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express-3.x/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
Up until now I have been manually deploying the application by running npm run deploy, but this should be an automated GitHub Action instead
Vulnerable Library - sockjs-0.3.19.tgzSockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: sockjs/sockjs-node#265
Release Date: 2020-07-09
Fix Resolution: sockjs - 0.3.20
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - is-svg-3.0.0.tgzCheck if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution: v4.2.2
Step up your Open Source Security Game with WhiteSource here
Some achievements are not categorized into any specific game. Those should be moved into a new page for tracking.
This could optionally be the home page, but I feel that may be less obvious to users where those achievements are kept. Most likely should be a new nav item, preferably as the first item after the Logo/Brand
Vulnerable Library - yargs-parser-11.1.1.tgzthe mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/webpack-dev-server/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: yargs/yargs-parser@63810ca
Release Date: 2020-06-05
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-1.7.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/multiplex/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/echo/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express-3.x/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-28
Fix Resolution: jquery - 1.9.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Libraries - ssri-7.1.0.tgz, ssri-6.0.1.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-7.1.0.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/ssri/package.json
Dependency Hierarchy:
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/webpack/node_modules/ssri/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290
Release Date: 2021-03-12
Fix Resolution: ssri - 6.0.2,8.0.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - lodash-4.17.19.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash-4.17.21
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-1.7.1.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/multiplex/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/echo/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express-3.x/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express/index.html
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - hosted-git-info-2.8.8.tgzProvides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution: hosted-git-info - 2.8.9,3.0.8
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - merge-deep-3.0.2.tgzRecursively merge values in a javascript object.
Library home page: https://registry.npmjs.org/merge-deep/-/merge-deep-3.0.2.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/merge-deep/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
A flaw was found in merge-deep before 3.0.3. A prototype pollution issue of Object.prototype via a constructor payload may lead to denial of service and other consequences.
Publish Date: 2021-02-05
URL: CVE-2021-26707
CVSS 3 Score Details (6.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1922259
Release Date: 2021-02-05
Fix Resolution: 3.0.3
Step up your Open Source Security Game with WhiteSource here
Halo: CE achievements list. The proper title should be "Dear Diary"
Vulnerable Library - url-parse-1.4.7.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/url-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27515
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Release Date: 2021-02-22
Fix Resolution: 1.5.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - color-string-1.5.3.tgzParser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/color-string/package.json
Dependency Hierarchy:
Found in HEAD commit: 1716455536bff84f56f344b5c146b37501afacd6
Found in base branch: master
Vulnerability Details
Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/Qix-/color-string/releases/tag/1.5.5
Release Date: 2021-03-12
Fix Resolution: color-string - 1.5.5
Step up your Open Source Security Game with WhiteSource here
While not yet released on PC, we should still prepare for the release by adding a section for Odst
Vulnerable Libraries - browserslist-4.13.0.tgz, browserslist-4.10.0.tgz
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.13.0.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/browserslist/package.json
Dependency Hierarchy:
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.10.0.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/react-dev-utils/node_modules/browserslist/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution: browserslist - 4.16.5
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - ini-1.3.5.tgzAn ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/ini/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution: v1.3.6
Step up your Open Source Security Game with WhiteSource here
Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/normalize-url/package.json
Dependency Hierarchy:
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/postcss-normalize-url/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 1fcce2e18f257d14a22ef90cb09903ad1f8044e1
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1
Step up your Open Source Security Game with WhiteSource here
I'm interested in tracking other Halo games in the same way that you've done here. Is there any easy way to adjust the code to have it include other game ids?
Vulnerable Library - lodash-4.17.19.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Step up your Open Source Security Game with WhiteSource here
The achievement name should be "Skulltaker Halo: CE: Bandana" (remove the "Skull")
We want the users to be able to see where to locate the skulls in the game. This gives an opportunity to learn several cool things, but the steps will be roughly as follows
Collectibles component that lists a series of collectibles, their locations, and provides a link to a video/picture of where and how to get the skullcollectibles.json, to track the Halo: CE skull locations. This one is a lot simpler since there are only ~10 skulls, so it'll be much less tedious and we can forgo the categories altogetherI'll give you all the flexibility you want here, you're welcome to design the layout and JSON however you think is best, and if you have any questions or want less creative freedom feel free to send me a message or leave a comment here.
Couple other notes:
Collectibles component reusable. We should be able to use it for Skulls, Terminals, Datapads, and whatever else is added to the games that could be considered collectibles. Reusability of components is a key feature of React Vulnerable Library - node-forge-0.9.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md
Release Date: 2020-09-04
Fix Resolution: node-forge - 0.10.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - y18n-4.0.0.tgzthe bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution: 3.2.2, 4.0.1, 5.0.5
Step up your Open Source Security Game with WhiteSource here
The ODST Achievements are currently the achievements for the base game of ODST (as if you bought it ala carte on Xbox 360), but instead needs to be the Halo: Master Chief Collection achievements.
Vulnerable Library - react-dev-utils-10.2.1.tgzwebpack utilities used by Create React App
Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-10.2.1.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/react-dev-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
Publish Date: 2021-03-09
URL: CVE-2021-24033
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.facebook.com/security/advisories/cve-2021-24033
Release Date: 2021-03-09
Fix Resolution: react-dev-utils-11.0.4
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - node-notifier-5.4.3.tgzA Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)
Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.4.3.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/node-notifier/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
Publish Date: 2020-12-11
URL: CVE-2020-7789
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789
Release Date: 2020-12-11
Fix Resolution: 9.0.0
Step up your Open Source Security Game with WhiteSource here
Some achievements, particularly those that are difficult or involve East Eggs, may benefit from having a link to YouTube or TrueAchievements/XboxAchievements to help the user quickly find a guide to obtaining the achievement.
Several links have already been added for Halo: CE JSON as an example of the expected format. The AchievementCard would then need to have a link added if the achievement has a link
Vulnerable Library - immer-1.10.0.tgzCreate your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/immer/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
This affects all versions of package immer.
Publish Date: 2021-01-19
URL: CVE-2020-28477
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/immerjs/immer/releases/tag/v8.0.1
Release Date: 2021-01-19
Fix Resolution: v8.0.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/fast-glob/node_modules/glob-parent/package.json,HaloCollectibles/halo-collectibles/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json,HaloCollectibles/halo-collectibles/node_modules/webpack-dev-server/node_modules/glob-parent/package.json
Dependency Hierarchy:
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 1fcce2e18f257d14a22ef90cb09903ad1f8044e1
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - object-path-0.11.4.tgzAccess deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/object-path/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ea112eb5ecbee254de7a79c51d2615a1dd1078a
Found in base branch: master
Vulnerability Details
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-07-21
Fix Resolution: 0.11.5
Step up your Open Source Security Game with WhiteSource here
If you type "con" into the filter, the "Connoisseur" achievement is displayed properly. However, if you type "Con" it does not.
This is likely an issue with the .toLowerCase calls in the filter comparison, and just needs to be improved
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.