In this project, the web service mines data from the Skyscanner Flight Search API (https://rapidapi.com/skyscanner/api/skyscanner-flight-search/) and returns the desired results. The user enters the desired airports through a web form and the web service presents the 5 cheapest options in EUR, together with their overall duration and the operating carriers' IDs.
JavaScript 6.74%
TypeScript 63.52%
CSS 9.45%
HTML 20.30%
skyscanner-cheapest-flights's Introduction
Security Dilettante
Military Officer
Currently doing cloud stuff
Looking to collaborate on AD and cloud-related projects
Stats & other boring stuff
Contributions
Project | Project Short Description | Contribution
BloodHoundCE | BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. | Improvements to the ACL/ACE abuses documentation
adPEAS | adPEAS is a PowerShell tool to automate Active Directory enumeration. | Updated the SharpHound ingestor to match that of BloodHoundCE
The Hacker Recipes | This project is aimed at freely providing technical guides on various hacking topics. | Various commits on cross-domain/cross-forest/bastion forest attacks, DNS enumeration in AD and WebClient abuses
SecLists | SecLists is a collection of multiple types of lists used during security assessments, collected in one place. | Added a wordlist of commonly used rotated passwords in enterprise environments
AzSubEnum | AzSubEnum is a specialized subdomain enumeration tool tailored for Azure services. | Added enhanced recon for blob containers that allow anonymous access and for publicly accessible blobs
Internal All The Things | Active Directory and internal pentest cheat sheets | Updated the network pivoting techniques to include instructions for ligolo-ng
skyscanner-cheapest-flights's Issues
CVE-2022-0639 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    webpack-dev-server-3.11.0.tgz
      sockjs-client-1.4.0.tgz
        url-parse-1.4.7.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution (url-parse): 1.5.7
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
Step up your Open Source Security Game with Mend here
CVE-2021-27290 - High Severity Vulnerability
Vulnerable Libraries - ssri-6.0.1.tgz , ssri-8.0.0.tgz
ssri-6.0.1.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/make-fetch-happen/node_modules/ssri/package.json,/node_modules/webpack/node_modules/ssri/package.json,/node_modules/pacote/node_modules/ssri/package.json
Dependency Hierarchy:
  cli-10.0.4.tgz (Root Library)
    pacote-9.5.12.tgz
      ssri-6.0.1.tgz (Vulnerable Library)
ssri-8.0.0.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-8.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ssri/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    cacache-15.0.3.tgz
      ssri-8.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
CVSS 3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Suggested Fix
Type: Upgrade version
Origin: GHSA-vx3p-948g-6vhq
Release Date: 2021-03-12
Fix Resolution (ssri): 6.0.2
Direct dependency fix Resolution (@angular/cli): 10.0.5
Fix Resolution (ssri): 8.0.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2021-27515 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    webpack-dev-server-3.11.0.tgz
      sockjs-client-1.4.0.tgz
        url-parse-1.4.7.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
Publish Date: 2021-02-22
URL: CVE-2021-27515
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Release Date: 2021-02-22
Fix Resolution (url-parse): 1.5.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2012-6708 - Low Severity Vulnerability
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/droppableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
  jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 5622792983b1d924bcb04a7a3fb2bdadba98c613
Found in base branch: master
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 base score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
CVE-2020-7656 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/droppableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
  jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 5622792983b1d924bcb04a7a3fb2bdadba98c613
Found in base branch: master
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 base score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Suggested Fix
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-19
Fix Resolution: jquery - 1.9.0
CVE-2021-23343 - High Severity Vulnerability
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
  tslint-6.1.2.tgz (Root Library)
    resolve-1.17.0.tgz
      path-parse-1.0.6.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Suggested Fix
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (tslint): 6.1.3
CVE-2020-36049 - High Severity Vulnerability
Vulnerable Library - socket.io-parser-3.3.0.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io-client/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
  karma-5.0.9.tgz (Root Library)
    socket.io-2.3.0.tgz
      socket.io-client-2.3.0.tgz
        socket.io-parser-3.3.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Publish Date: 2021-01-08
URL: CVE-2020-36049
CVSS 3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Suggested Fix
Type: Upgrade version
Origin: GHSA-xfhh-g9f5-x4m4
Release Date: 2021-01-08
Fix Resolution (socket.io-parser): 3.3.2
Direct dependency fix Resolution (karma): 5.1.0
CVE-2020-28481 - Medium Severity Vulnerability
Vulnerable Library - socket.io-2.3.0.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/package.json
Dependency Hierarchy:
  karma-5.0.9.tgz (Root Library)
    socket.io-2.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS misconfiguration: all origins are allowed by default.
Publish Date: 2021-01-19
URL: CVE-2020-28481
CVSS 3 base score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481
Release Date: 2021-01-19
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.1.0
WS-2021-0154 - Medium Severity Vulnerability
Vulnerable Libraries - glob-parent-3.1.0.tgz , glob-parent-5.1.1.tgz
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: Skyscanner-Cheapest-Flights/angular/Skyscanner-Cheapest-Flights/package.json
Path to vulnerable library: Skyscanner-Cheapest-Flights/angular/Skyscanner-Cheapest-Flights/node_modules/webpack-dev-server/node_modules/glob-parent/package.json,Skyscanner-Cheapest-Flights/angular/Skyscanner-Cheapest-Flights/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    webpack-4.43.0.tgz
      watchpack-1.7.4.tgz
        watchpack-chokidar2-2.0.0.tgz
          chokidar-2.1.8.tgz
            glob-parent-3.1.0.tgz (Vulnerable Library)
glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: Skyscanner-Cheapest-Flights/angular/Skyscanner-Cheapest-Flights/package.json
Path to vulnerable library: Skyscanner-Cheapest-Flights/angular/Skyscanner-Cheapest-Flights/node_modules/glob-parent/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    copy-webpack-plugin-6.0.3.tgz
      glob-parent-5.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.
Publish Date: 2021-01-27
URL: WS-2021-0154
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Suggested Fix
Type: Upgrade version
Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2
Release Date: 2021-01-27
Fix Resolution: glob-parent - 5.1.2
Step up your Open Source Security Game with WhiteSource here
CVE-2021-29059 - High Severity Vulnerability
Vulnerable Library - is-svg-3.0.0.tgz
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    cssnano-4.1.10.tgz
      cssnano-preset-default-4.0.7.tgz
        postcss-svgo-4.0.2.tgz
          is-svg-3.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
is-svg versions 2.1.0 through 4.2.2 are vulnerable to Regular Expression Denial of Service (ReDoS), triggered when the application checks a crafted invalid SVG string.
Publish Date: 2021-06-21
URL: CVE-2021-29059
CVSS 3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Suggested Fix
Type: Upgrade version
Release Date: 2021-06-21
Fix Resolution (is-svg): 4.3.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2020-7788 - High Severity Vulnerability
Vulnerable Library - ini-1.3.5.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ini/package.json
Dependency Hierarchy:
  cli-10.0.4.tgz (Root Library)
    ini-1.3.5.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
CVSS 3 base score: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (@angular/cli): 10.2.1
CVE-2022-0512 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    webpack-dev-server-3.11.0.tgz
      sockjs-client-1.4.0.tgz
        url-parse-1.4.7.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2021-29060 - Medium Severity Vulnerability
Vulnerable Library - color-string-1.5.3.tgz
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/color-string/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    cssnano-4.1.10.tgz
      cssnano-preset-default-4.0.7.tgz
        postcss-colormin-4.0.3.tgz
          color-3.1.2.tgz
            color-string-1.5.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in color-string versions 1.5.5 and below, triggered when the application checks a crafted invalid HWB string.
Publish Date: 2021-06-21
URL: CVE-2021-29060
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Suggested Fix
Type: Upgrade version
Origin: GHSA-257v-vj4p-3w2h
Release Date: 2021-06-21
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2011-4969 - Low Severity Vulnerability
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/droppableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
  jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 5622792983b1d924bcb04a7a3fb2bdadba98c613
Found in base branch: master
Vulnerability Details
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
CVSS 3 base score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969
Release Date: 2013-03-08
Fix Resolution: 1.6.3
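The three jQuery entries above (CVE-2012-6708, CVE-2020-7656, CVE-2011-4969) all come down to one decision: is the string handed to jQuery(strInput) a selector or HTML? The following is an added example, not jQuery's code and not part of this project: it reproduces the two heuristics the advisory text contrasts, applies them to a location.hash value of the kind the CVE-2011-4969 description mentions, and then shows the check a page should use instead of passing the hash to a selector/HTML API at all. The hash values and the stand-in document are constructed for the example.

```javascript
// Added example (not jQuery's code): the "is this HTML?" heuristic before
// and from jQuery 1.9.0, applied to location.hash, plus a strict id
// allow-list that keeps the hash away from any HTML-or-selector API.
'use strict';

// jQuery before 1.9.0: a "<" anywhere in the string means HTML, so the
// string is parsed as markup and any event-handler attribute in it runs.
function looksLikeHtmlBefore190(input) {
  return input.indexOf('<') !== -1;
}

// jQuery 1.9.0 and later: only a string that begins with "<" is HTML, so an
// attacker must control the start of the string, which location.hash
// (always "#...") never gives them.
function looksLikeHtmlFrom190(input) {
  return input.charAt(0) === '<';
}

// Which code path $(hash) would take under each heuristic.
function classifyHash(hash) {
  return {
    hash,
    before190: looksLikeHtmlBefore190(hash) ? 'html' : 'selector',
    from190: looksLikeHtmlFrom190(hash) ? 'html' : 'selector',
  };
}

// Hardened: require the shape of an id fragment (policy chosen for this
// example) and look the element up by id, never by free-form selector.
const ID_FRAGMENT = /^#[A-Za-z][\w-]{0,63}$/;

function sectionIdFromHash(hash) {
  return ID_FRAGMENT.test(hash) ? hash.slice(1) : null;
}

// Replacement for a "scroll to the section named in the hash" handler.
// `doc` is a DOM Document, or anything exposing getElementById.
function scrollToHash(doc, hash) {
  const id = sectionIdFromHash(hash);
  if (id === null) return false;
  const el = doc.getElementById(id);
  if (!el) return false;
  if (typeof el.scrollIntoView === 'function') el.scrollIntoView();
  return true;
}

// Constructed probe values: a benign hash, a hash carrying markup, and the
// same markup when it reaches the page from somewhere that lets the
// attacker control the first character (a query parameter, for instance).
const PROBES = [
  '#pricing',
  '#<img src=x onerror=alert(1)>',
  '#pricing<img src=x onerror=alert(1)>',
  '<img src=x onerror=alert(1)>',
];

function compareProbes() {
  return PROBES.map(classifyHash);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareProbes());
}
```

The table the block prints makes the advisory's point concrete: every hash that contains "<" is treated as HTML by the old heuristic, while the 1.9.0 heuristic only fires for the last probe, where the attacker controls the first character. The allow-list version sidesteps the question entirely.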
CVE-2021-3664 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    webpack-dev-server-3.11.0.tgz
      sockjs-client-1.4.0.tgz
        url-parse-1.4.7.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
url-parse before 1.5.2 is vulnerable to URL Redirection to Untrusted Site (open redirect).
Publish Date: 2021-07-26
URL: CVE-2021-3664
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
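Both url-parse findings with a concrete description, CVE-2021-27515 (a scheme followed by a single slash, and backslashes, parsed as a relative path) and CVE-2021-3664 (open redirect), are instances of one failure mode: a redirect allow-list built on a parser that disagrees with the browser about where a URL points. The block below is an added example, not url-parse's code and not part of this project. It writes a deliberately naive parser with that mistaken model, an allow-list check on top of it, and the same check built on the WHATWG URL parser, then runs both over the inputs a tester would try. The application origin and hostnames are assumptions made for the example.

```javascript
// Added example (not url-parse's implementation): an open-redirect allow-list
// on a naive URL parser beside one on the WHATWG parser, exercised with the
// kinds of input the url-parse advisories describe.
'use strict';

const APP_ORIGIN = 'https://app.example'; // assumed application origin

// Naive parser: only "scheme://host/..." counts as absolute; anything else is
// assumed to be a relative path. Written for illustration only.
function naiveParse(input) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)(.*)$/i.exec(input);
  if (!m) return { relative: true, host: null, path: input };
  return { relative: false, host: m[2].toLowerCase(), path: m[3] || '/' };
}

// Vulnerable check: a "relative" target is assumed to stay on our site.
function isSafeRedirectNaive(target) {
  const parsed = naiveParse(target);
  return parsed.relative || `https://${parsed.host}` === APP_ORIGIN;
}

// Hardened check: resolve the target exactly as a browser will (WHATWG URL
// with our origin as base) and compare the resulting origin. Anything the
// parser rejects is refused rather than treated as relative.
function isSafeRedirect(target) {
  let resolved;
  try {
    resolved = new URL(target, APP_ORIGIN);
  } catch {
    return false;
  }
  return resolved.origin === APP_ORIGIN;
}

// Where a browser actually lands for a given redirect target.
function browserDestination(target) {
  return new URL(target, APP_ORIGIN).href;
}

// Probe values constructed for the example.
const PROBES = [
  '/account',                 // genuinely relative
  'https://app.example/x',    // absolute, same origin
  'https://evil.example/x',   // absolute, foreign
  'http:/evil.example/x',     // single slash: the CVE-2021-27515 shape
  'http:\\\\evil.example/x',  // backslashes: browsers treat them as slashes
  '//evil.example/x',         // protocol-relative
  '/\\evil.example/x',        // slash then backslash
];

function compareChecks() {
  return PROBES.map((target) => ({
    target,
    naive: isSafeRedirectNaive(target),
    hardened: isSafeRedirect(target),
    browserGoesTo: browserDestination(target),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareChecks());
}
```

Four of the seven probes pass the naive check as "relative" while the browser column shows them landing on evil.example; the hardened check refuses all four because it asks the same parser the browser uses. The general lesson for the Fix Resolution lines above: upgrading url-parse closes the specific parsing bugs, but a redirect check should compare origins after WHATWG resolution regardless of which parser the rest of the code base uses.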
CVE-2021-32640 - Medium Severity Vulnerability
Vulnerable Libraries - ws-6.1.4.tgz , ws-7.3.1.tgz , ws-6.2.1.tgz
ws-6.1.4.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-6.1.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io-client/node_modules/ws/package.json
Dependency Hierarchy:
  karma-5.0.9.tgz (Root Library)
    socket.io-2.3.0.tgz
      socket.io-client-2.3.0.tgz
        engine.io-client-3.4.3.tgz
          ws-6.1.4.tgz (Vulnerable Library)
ws-7.3.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/node_modules/ws/package.json
Dependency Hierarchy:
  karma-5.0.9.tgz (Root Library)
    socket.io-2.3.0.tgz
      engine.io-3.4.2.tgz
        ws-7.3.1.tgz (Vulnerable Library)
ws-6.2.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ws/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    webpack-dev-server-3.11.0.tgz
      ws-6.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-WebSocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws 7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
CVSS 3 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Suggested Fix
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution (ws): 6.2.2
Direct dependency fix Resolution (karma): 5.1.0
Fix Resolution (ws): 7.4.6
Direct dependency fix Resolution (karma): 5.1.0
Fix Resolution (ws): 6.2.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
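The ws finding above and the socket.io-parser finding earlier (CVE-2020-36049, memory consumption from concatenating a large packet) are both unbounded-input problems: the server keeps accepting and buffering whatever the peer declares. The following is an added example, not code from ws, socket.io-parser or this project. It reassembles a chunked message first by open-ended concatenation and then with a cap enforced before any payload is kept. The framing is invented for the example: a decimal length, a colon, then that many characters (for instance "5:hello"), one message per reassembler, which resets after each complete message.

```javascript
// Added example (not socket.io-parser's or ws's code): an unbounded
// reassembler beside a bounded one, for a made-up "length:payload" framing.
'use strict';

const DEFAULT_MAX_PAYLOAD = 1024 * 1024; // 1 MiB; pick a limit per deployment

// Open-ended: every chunk is appended until the declared length has arrived.
// A client that declares an enormous length, or never finishes, pins that
// memory on the server for as long as the socket stays open.
class UnboundedReassembler {
  constructor() {
    this.buffered = '';
    this.expected = null;
  }
  push(chunk) {
    this.buffered += chunk;
    if (this.expected === null) {
      const colon = this.buffered.indexOf(':');
      if (colon < 0) return null;
      this.expected = Number(this.buffered.slice(0, colon));
      this.buffered = this.buffered.slice(colon + 1);
    }
    if (this.buffered.length < this.expected) return null;
    const message = this.buffered.slice(0, this.expected);
    this.buffered = '';
    this.expected = null;
    return message;
  }
}

// Bounded: the header is capped at the digits needed to express the limit,
// the declared length is checked against the cap before a byte of payload is
// kept, and arriving bytes are counted so an overrun fails immediately.
class BoundedReassembler {
  constructor(maxPayload = DEFAULT_MAX_PAYLOAD) {
    this.maxPayload = maxPayload;
    this.maxHeader = String(maxPayload).length + 1; // digits plus ':'
    this.header = '';
    this.parts = [];
    this.size = 0;
    this.expected = null;
  }
  push(chunk) {
    if (this.expected === null) {
      this.header += chunk;
      const colon = this.header.indexOf(':');
      if (colon < 0) {
        if (this.header.length > this.maxHeader) throw new Error('length header too long');
        return null;
      }
      const digits = this.header.slice(0, colon);
      if (!/^\d{1,15}$/.test(digits)) throw new Error('malformed length header');
      this.expected = Number(digits);
      if (this.expected > this.maxPayload) {
        throw new Error(`declared ${this.expected} bytes exceeds cap of ${this.maxPayload}`);
      }
      chunk = this.header.slice(colon + 1);
      this.header = '';
    }
    this.size += chunk.length;
    if (this.size > this.expected) throw new Error('more bytes than declared');
    this.parts.push(chunk);
    if (this.size < this.expected) return null;
    const message = this.parts.join('');
    this.parts = [];
    this.size = 0;
    this.expected = null;
    return message;
  }
}
```

The bounded version throws instead of returning null so the caller can drop the connection; a parser that silently discards oversized input still lets the peer keep the socket and retry. For the HTTP upgrade request that precedes a WebSocket, the equivalent cap is the one the ws advisory names: Node's --max-http-header-size flag or the maxHeaderSize option, which bound the Sec-WebSocket-Protocol header before ws ever sees it.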
CVE-2021-23434 - High Severity Vulnerability
Vulnerable Library - object-path-0.11.4.tgz
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    resolve-url-loader-3.1.1.tgz
      adjust-sourcemap-loader-2.0.0.tgz
        object-path-0.11.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__'], because the === operator always returns false when the operands have different types.
Publish Date: 2021-08-27
URL: CVE-2021-23434
CVSS 3 base score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434
Release Date: 2021-08-27
Fix Resolution (object-path): 0.11.6
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1002.0
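The ini finding (CVE-2020-7788, a "[__proto__]" section polluting the prototype) and the object-path finding above (CVE-2021-23434, a string-equality guard bypassed by an array path component) are the two halves of one bug class. The block below is an added example, not code from ini, object-path or this project: a "set a value at a deep path" helper in three versions (unguarded, string-guarded, hardened), plus a minimal INI parser built on it so the section attack can be run end to end. The INI text and key names are constructed for the example.

```javascript
// Added example (not ini's or object-path's code): prototype pollution
// through a deep-set helper, the type-confusion bypass of a naive guard,
// and a hardened version, driven by a tiny INI parser.
'use strict';

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// 1. Unguarded. On a plain object, node['__proto__'] is Object.prototype, so
//    the path ['__proto__', 'polluted'] writes onto every object in the realm.
function setPathUnguarded(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (node[path[i]] === undefined) node[path[i]] = {};
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// 2. String-equality guard, the shape CVE-2021-23434 describes as bypassable:
//    ['__proto__'] === '__proto__' is false, yet node[['__proto__']] coerces
//    the array to the string "__proto__" and reaches the prototype anyway.
function setPathStringGuard(target, path, value) {
  for (const key of path) {
    if (key === '__proto__') throw new Error('blocked __proto__');
  }
  return setPathUnguarded(target, path, value);
}

// 3. Hardened: coerce each component to a string before checking it, refuse
//    every name that reaches the prototype chain, and only descend into own
//    properties, creating intermediate nodes that have no prototype at all.
function setPath(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const key = String(path[i]);
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to set key "${key}"`);
    if (i === path.length - 1) {
      node[key] = value;
      break;
    }
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  return target;
}

// Minimal INI parser: "[section]" then "key = value" lines, ";" or "#"
// comments. The setter passed in decides whether hostile input can pollute.
function parseIni(text, set = setPath) {
  const out = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith(';') || line.startsWith('#')) continue;
    const header = /^\[(.+)\]$/.exec(line);
    if (header) {
      section = header[1].trim();
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    set(out, section === null ? [key] : [section, key], value);
  }
  return out;
}

// Hostile input in the shape CVE-2020-7788 describes (constructed).
const HOSTILE_INI = '[__proto__]\npolluted = yes\n';

// True once an attacker-controlled key shows up on a fresh, unrelated object.
function isPolluted() {
  return ({}).polluted !== undefined;
}
```

Two design points worth taking from the hardened setter: normalising the key with String() before the check is what defeats the array trick, and creating intermediate objects with Object.create(null) means a later bug in the guard has no prototype to reach through them. Any test that exercises the vulnerable paths must delete Object.prototype.polluted afterwards, or every later assertion in the same process is contaminated.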
CVE-2020-28469 - High Severity Vulnerability
Vulnerable Libraries - glob-parent-3.1.0.tgz , glob-parent-5.1.1.tgz
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack-dev-server/node_modules/glob-parent/package.json,/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    webpack-dev-server-3.11.0.tgz
      chokidar-2.1.8.tgz
        glob-parent-3.1.0.tgz (Vulnerable Library)
glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
  build-angular-0.1000.4.tgz (Root Library)
    copy-webpack-plugin-6.0.3.tgz
      glob-parent-5.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2: the enclosure regex used to check for strings ending in an enclosure containing a path separator is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.0.0
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.0.0
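Six of the findings on this page are the same bug: a regular expression whose backtracking explodes on crafted input (ssri CVE-2021-27290, path-parse CVE-2021-23343, glob-parent WS-2021-0154 and CVE-2020-28469, is-svg CVE-2021-29059, color-string CVE-2021-29060). The block below is an added example and reproduces none of those libraries' actual patterns: it uses an invented "sha256-<base64>" token validator to show why a nested quantifier costs exponential time on a non-matching input, and the two defences that apply to every entry above, a length cap applied before the regex runs and a pattern with no nested quantifier.

```javascript
// Added example (not ssri's, path-parse's, glob-parent's, is-svg's or
// color-string's code): exponential backtracking on a nested quantifier,
// measured, beside a linear pattern and an input-length cap.
'use strict';

// Hypothetical token validator. ([A-Za-z0-9+/]+)+ is the classic ReDoS
// shape: when the trailing "$" fails, the engine retries every way of
// splitting the run between the inner and outer "+", which is O(2^n).
const VULNERABLE_TOKEN = /^sha256-([A-Za-z0-9+/]+)+=*$/;

// Same language, one quantifier: backtracking is linear in the input.
const SAFE_TOKEN = /^sha256-[A-Za-z0-9+/]+=*$/;

// A base64 SHA-256 digest is 44 characters; anything much longer is junk.
const MAX_TOKEN_LENGTH = 64;

// Crafted input: n valid characters then one outside the class, so the
// match can only fail, and only after every split has been tried.
function craftedToken(n) {
  return 'sha256-' + 'a'.repeat(n) + '!';
}

function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const micros = Number((process.hrtime.bigint() - start) / 1000n);
  return { matched, micros };
}

// Hardened validator: reject oversized input before any regex sees it,
// then use the linear pattern.
function validateToken(input) {
  if (typeof input !== 'string' || input.length > MAX_TOKEN_LENGTH) return false;
  return SAFE_TOKEN.test(input);
}

// Grow n and watch the vulnerable pattern's time roughly double per step
// while the safe pattern stays flat.
function measure(sizes = [8, 12, 16, 20]) {
  return sizes.map((n) => {
    const input = craftedToken(n);
    return {
      n,
      vulnerableMicros: timeMatch(VULNERABLE_TOKEN, input).micros,
      safeMicros: timeMatch(SAFE_TOKEN, input).micros,
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(measure());
}
```

Raising n past about 25 in measure() turns the vulnerable column into seconds, which is the whole attack: one request, one CPU pinned. The length cap is the defence that does not depend on auditing every regex in the dependency tree, which is why it belongs at the edge of the application even after the upgrades listed above are applied.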
WS-2020-0443 - High Severity Vulnerability
Vulnerable Library - socket.io-2.3.0.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/package.json
Dependency Hierarchy:
  karma-5.0.9.tgz (Root Library)
    socket.io-2.3.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
socket.io versions 1.0.0 to 2.3.0 are vulnerable to Cross-Site WebSocket Hijacking: an attacker can bypass the origin protection using special symbols including "`" and "$".
Publish Date: 2020-02-20
URL: WS-2020-0443
CVSS 3 base score: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/931197
Release Date: 2020-02-20
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.1.0
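This finding and the earlier CVE-2020-28481 (all origins allowed by default) are both about the Origin check on the Socket.IO handshake. The block below is an added example, not socket.io's code and not part of this project: two loose origin comparisons of the kind that let a foreign page through, beside an exact-origin comparison, run over constructed Origin header values. The allowed origins and the shape of the allowRequest hook are assumptions made for the example; the page says nothing about how socket.io's own check was written, and this code does not claim to reproduce it.

```javascript
// Added example (not socket.io's code): Origin checks for a WebSocket or
// Socket.IO handshake, loose versions beside an exact-origin comparison.
'use strict';

const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.app.example']);

// Loose check 1: "does the header contain an allowed origin?" Accepts
// https://app.example.evil.test and https://evil.test/?https://app.example.
function originCheckSubstring(originHeader) {
  if (typeof originHeader !== 'string') return false;
  for (const allowed of ALLOWED_ORIGINS) {
    if (originHeader.includes(allowed)) return true;
  }
  return false;
}

// Loose check 2: a RegExp built from the allowed origin without escaping it.
// "." matches any character, so https://appXexample passes.
function originCheckRegex(originHeader) {
  if (typeof originHeader !== 'string') return false;
  for (const allowed of ALLOWED_ORIGINS) {
    if (new RegExp(allowed).test(originHeader)) return true;
  }
  return false;
}

// Hardened: parse the header as a URL and compare its serialized origin
// exactly, which also normalises case and default ports. A missing or
// "null" Origin is refused: for a cookie-authenticated session that is
// precisely what a cross-site WebSocket hijack looks like from the server.
function originCheckExact(originHeader) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return false;
  }
  if (parsed.origin === 'null') return false; // opaque origins (file:, data:, ...)
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Shape of an allowRequest(req, cb)-style handshake hook, assumed here;
// check the server's documentation for the real option name and signature.
function allowRequest(req, cb) {
  const ok = originCheckExact(req && req.headers ? req.headers.origin : undefined);
  cb(ok ? null : 'origin not allowed', ok);
}

// Constructed probe values.
const PROBES = [
  'https://app.example',
  'https://app.example:443',                 // default port, same origin
  'HTTPS://APP.EXAMPLE',                     // case differences
  'https://app.example.evil.test',           // suffix trick
  'https://evil.test/?https://app.example',  // allowed origin in the query
  'https://appXexample',                     // unescaped "." in a regex
  'http://app.example',                      // scheme downgrade
  'null',                                    // sandboxed iframe, file://
  undefined,                                 // non-browser client
];

function compareChecks() {
  return PROBES.map((origin) => ({
    origin: String(origin),
    substring: originCheckSubstring(origin),
    regex: originCheckRegex(origin),
    exact: originCheckExact(origin),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareChecks());
}
```

Whatever the specific symbols were that bypassed socket.io's check, the durable fix is the same: compare the serialized origin against a closed set, never a substring, prefix or unescaped pattern, and decide explicitly what to do when the header is absent.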
CVE-2021-23386 - Medium Severity Vulnerability
Vulnerable Library - dns-packet-1.3.1.tgz
An abstract-encoding compliant module for encoding / decoding DNS packets
Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dns-packet/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
webpack-dev-server-3.11.0.tgz
bonjour-3.5.0.tgz
multicast-dns-6.2.3.tgz
❌ dns-packet-1.3.1.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names.
Publish Date: 2021-05-20
URL: CVE-2021-23386
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386
Release Date: 2021-05-20
Fix Resolution (dns-packet): 1.3.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2015-9251 - Low Severity Vulnerability
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/droppableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
❌ jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 5622792983b1d924bcb04a7a3fb2bdadba98c613
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (3.7)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
CVE-2020-7720 - High Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
webpack-dev-server-3.11.0.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 5622792983b1d924bcb04a7a3fb2bdadba98c613
Found in base branch: master
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (7.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2020-28500 - Medium Severity Vulnerability
Vulnerable Library - lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
karma-5.0.9.tgz (Root Library)
❌ lodash-4.17.19.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (karma): 5.1.0
CVE-2021-23337 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
karma-5.0.9.tgz (Root Library)
❌ lodash-4.17.19.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (karma): 5.1.0
CVE-2020-15256 - High Severity Vulnerability
Vulnerable Library - object-path-0.11.4.tgz
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
resolve-url-loader-3.1.1.tgz
adjust-sourcemap-loader-2.0.0.tgz
❌ object-path-0.11.4.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the includeInheritedProps: true option or the withInheritedProps instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1002.0
CVE-2022-0691 - High Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
webpack-dev-server-3.11.0.tgz
sockjs-client-1.4.0.tgz
❌ url-parse-1.4.7.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2021-35065 - High Severity Vulnerability
Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack-dev-server/node_modules/glob-parent/package.json,/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
webpack-dev-server-3.11.0.tgz
chokidar-2.1.8.tgz
❌ glob-parent-3.1.0.tgz (Vulnerable Library)
glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
copy-webpack-plugin-6.0.3.tgz
❌ glob-parent-5.1.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution (glob-parent): 6.0.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 14.1.0
CVE-2020-7733 - High Severity Vulnerability
Vulnerable Library - ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
karma-5.0.9.tgz (Root Library)
❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
Publish Date: 2020-09-16
URL: CVE-2020-7733
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733
Release Date: 2020-09-16
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (karma): 5.2.3
CVE-2020-28498 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
webpack-4.43.0.tgz
node-libs-browser-2.2.1.tgz
crypto-browserify-3.12.0.tgz
browserify-sign-4.2.0.tgz
❌ elliptic-6.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2021-23368 - Medium Severity Vulnerability
Vulnerable Libraries - postcss-7.0.31.tgz, postcss-7.0.21.tgz, postcss-7.0.32.tgz
postcss-7.0.31.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.31.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
❌ postcss-7.0.31.tgz (Vulnerable Library)
postcss-7.0.21.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/resolve-url-loader/node_modules/postcss/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
resolve-url-loader-3.1.1.tgz
❌ postcss-7.0.21.tgz (Vulnerable Library)
postcss-7.0.32.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.32.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-modules-local-by-default/node_modules/postcss/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
css-loader-3.5.3.tgz
postcss-modules-local-by-default-3.0.3.tgz
❌ postcss-7.0.32.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2021-31597 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
karma-5.0.9.tgz (Root Library)
socket.io-2.3.0.tgz
socket.io-client-2.3.0.tgz
engine.io-client-3.4.3.tgz
❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
CVSS 3 Score Details (9.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.1.0
CVE-2020-36048 - High Severity Vulnerability
Vulnerable Library - engine.io-3.4.2.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
karma-5.0.9.tgz (Root Library)
socket.io-2.3.0.tgz
❌ engine.io-3.4.2.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 3.6.0
Direct dependency fix Resolution (karma): 6.0.0
CVE-2020-7793 - High Severity Vulnerability
Vulnerable Library - ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
karma-5.0.9.tgz (Root Library)
❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).
Publish Date: 2020-12-11
URL: CVE-2020-7793
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-11
Fix Resolution (ua-parser-js): 0.7.23
Direct dependency fix Resolution (karma): 6.0.0
CVE-2021-3805 - High Severity Vulnerability
Vulnerable Library - object-path-0.11.4.tgz
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
resolve-url-loader-3.1.1.tgz
adjust-sourcemap-loader-2.0.0.tgz
❌ object-path-0.11.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-17
URL: CVE-2021-3805
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/
Release Date: 2021-09-17
Fix Resolution: object-path - 0.11.8
WS-2022-0008 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
webpack-dev-server-3.11.0.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
CVE-2022-0122 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
webpack-dev-server-3.11.0.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
WS-2021-0152 - High Severity Vulnerability
Vulnerable Library - color-string-1.5.3.tgz
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/color-string/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
cssnano-4.1.10.tgz
cssnano-preset-default-4.0.7.tgz
postcss-colormin-4.0.3.tgz
color-3.1.2.tgz
❌ color-string-1.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2021-23362 - Medium Severity Vulnerability
Vulnerable Libraries - hosted-git-info-3.0.5.tgz, hosted-git-info-2.8.8.tgz
hosted-git-info-3.0.5.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-3.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hosted-git-info/package.json
Dependency Hierarchy:
cli-10.0.4.tgz (Root Library)
npm-package-arg-8.0.1.tgz
❌ hosted-git-info-3.0.5.tgz (Vulnerable Library)
hosted-git-info-2.8.8.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-package-data/node_modules/hosted-git-info/package.json,/node_modules/npm-registry-fetch/node_modules/hosted-git-info/package.json,/node_modules/pacote/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
cli-10.0.4.tgz (Root Library)
pacote-9.5.12.tgz
npm-registry-fetch-4.0.5.tgz
npm-package-arg-6.1.1.tgz
❌ hosted-git-info-2.8.8.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 3.0.8
Direct dependency fix Resolution (@angular/cli): 10.0.5
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (@angular/cli): 10.0.5
CVE-2021-33587 - High Severity Vulnerability
Vulnerable Library - css-what-3.3.0.tgz
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/css-what/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
cssnano-4.1.10.tgz
cssnano-preset-default-4.0.7.tgz
postcss-svgo-4.0.2.tgz
svgo-1.3.2.tgz
css-select-2.1.0.tgz
❌ css-what-3.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution (css-what): 5.0.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1102.11
CVE-2022-0686 - High Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
build-angular-0.1000.4.tgz (Root Library)
webpack-dev-server-3.11.0.tgz
sockjs-client-1.4.0.tgz
❌ url-parse-1.4.7.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
WS-2021-0039 - Low Severity Vulnerability
Vulnerable Libraries - core-10.0.6.tgz, core-9.0.0.tgz
core-10.0.6.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-10.0.6.tgz
Path to dependency file: Skyscanner-Cheapest-Flights/angular/Skyscanner-Cheapest-Flights/package.json
Path to vulnerable library: Skyscanner-Cheapest-Flights/angular/Skyscanner-Cheapest-Flights/node_modules/@angular/core/package.json
Dependency Hierarchy:
- ❌ core-10.0.6.tgz (Vulnerable Library)
core-9.0.0.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-9.0.0.tgz
Path to dependency file: Skyscanner-Cheapest-Flights/angular/Skyscanner-Cheapest-Flights/package.json
Path to vulnerable library: Skyscanner-Cheapest-Flights/angular/Skyscanner-Cheapest-Flights/node_modules/codelyzer/node_modules/@angular/core/package.json
Dependency Hierarchy:
- codelyzer-6.0.0.tgz (Root Library)
  - ❌ core-9.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
A Cross-Site Scripting (XSS) vulnerability was found in @angular/core before 11.1.1. HTML does not specify any way to escape comment end text inside a comment.
Publish Date: 2021-01-26
URL: WS-2021-0039
CVSS 3 Score Details (3.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/angular/angular/releases/tag/11.1.1
Release Date: 2021-01-26
Fix Resolution: @angular/core - 11.1.1
Step up your Open Source Security Game with WhiteSource here
CVE-2021-28092 - High Severity Vulnerability
Vulnerable Library - is-svg-3.0.0.tgz
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
- build-angular-0.1000.4.tgz (Root Library)
  - cssnano-4.1.10.tgz
    - cssnano-preset-default-4.0.7.tgz
      - postcss-svgo-4.0.2.tgz
        - ❌ is-svg-3.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution (is-svg): 4.2.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2021-23382 - High Severity Vulnerability
Vulnerable Libraries - postcss-7.0.31.tgz, postcss-7.0.21.tgz, postcss-7.0.32.tgz
postcss-7.0.31.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.31.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
- build-angular-0.1000.4.tgz (Root Library)
  - ❌ postcss-7.0.31.tgz (Vulnerable Library)
postcss-7.0.21.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/resolve-url-loader/node_modules/postcss/package.json
Dependency Hierarchy:
- build-angular-0.1000.4.tgz (Root Library)
  - resolve-url-loader-3.1.1.tgz
    - ❌ postcss-7.0.21.tgz (Vulnerable Library)
postcss-7.0.32.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.32.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-modules-local-by-default/node_modules/postcss/package.json
Dependency Hierarchy:
- build-angular-0.1000.4.tgz (Root Library)
  - css-loader-3.5.3.tgz
    - postcss-modules-local-by-default-3.0.3.tgz
      - ❌ postcss-7.0.32.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2022-0437 - Medium Severity Vulnerability
Vulnerable Library - karma-5.0.9.tgz
Spectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-5.0.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/package.json
Dependency Hierarchy:
- ❌ karma-5.0.9.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
Publish Date: 2022-02-05
URL: CVE-2022-0437
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-0437
Release Date: 2022-02-05
Fix Resolution: 6.3.14
CVE-2021-23495 - Medium Severity Vulnerability
Vulnerable Library - karma-5.0.9.tgz
Spectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-5.0.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/package.json
Dependency Hierarchy:
- ❌ karma-5.0.9.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.
Publish Date: 2022-02-25
URL: CVE-2021-23495
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23495
Release Date: 2022-02-25
Fix Resolution: 6.3.16
CVE-2021-27292 - High Severity Vulnerability
Vulnerable Library - ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
- karma-5.0.9.tgz (Root Library)
  - ❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Publish Date: 2021-03-17
URL: CVE-2021-27292
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-17
Fix Resolution (ua-parser-js): 0.7.24
Direct dependency fix Resolution (karma): 6.0.0
CVE-2021-23364 - Medium Severity Vulnerability
Vulnerable Library - browserslist-4.13.0.tgz
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserslist/package.json
Dependency Hierarchy:
- build-angular-0.1000.4.tgz (Root Library)
  - ❌ browserslist-4.13.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.5
CVE-2020-7774 - High Severity Vulnerability
Vulnerable Library - y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
Dependency Hierarchy:
- compiler-cli-10.0.6.tgz (Root Library)
  - yargs-15.3.0.tgz
    - ❌ y18n-4.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (@angular/compiler-cli): 10.0.7
CVE-2021-33502 - High Severity Vulnerability
Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz
normalize-url-1.9.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mini-css-extract-plugin/node_modules/normalize-url/package.json
Dependency Hierarchy:
- build-angular-0.1000.4.tgz (Root Library)
  - mini-css-extract-plugin-0.9.0.tgz
    - ❌ normalize-url-1.9.1.tgz (Vulnerable Library)
normalize-url-3.3.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
- build-angular-0.1000.4.tgz (Root Library)
  - cssnano-4.1.10.tgz
    - cssnano-preset-default-4.0.7.tgz
      - postcss-normalize-url-4.0.1.tgz
        - ❌ normalize-url-3.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 633aba1dfa778ebf8945f5b072cc26829944c33c
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1
CVE-2020-28502 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
- karma-5.0.9.tgz (Root Library)
  - socket.io-2.3.0.tgz
    - socket.io-client-2.3.0.tgz
      - engine.io-client-3.4.3.tgz
        - ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package xmlhttprequest before 1.7.0 and all versions of the package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.1.0