Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/moment/package.json
Dependency Hierarchy:
bannerify-1.0.1.tgz (Root Library)
❌ moment-2.24.0.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
bannerify-1.0.1.tgz (Root Library)
❌ lodash-3.10.1.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
bannerify-1.0.1.tgz (Root Library)
❌ lodash-3.10.1.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/karma-browserify/node_modules/glob/node_modules/minimatch/package.json
Dependency Hierarchy:
babelify-6.4.0.tgz (Root Library)
babel-core-5.8.38.tgz
❌ minimatch-2.0.10.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/socket.io-adapter/node_modules/ms/package.json
Dependency Hierarchy:
karma-0.13.22.tgz (Root Library)
socket.io-1.7.4.tgz
debug-2.3.3.tgz
❌ ms-0.7.2.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is named caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/moment/package.json
Dependency Hierarchy:
bannerify-1.0.1.tgz (Root Library)
❌ moment-2.24.0.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: choosealicense.com/assets/vendor/clipboard/node_modules/shell-quote/package.json
Dependency Hierarchy:
browserify-11.2.0.tgz (Root Library)
❌ shell-quote-0.0.1.tgz (Vulnerable Library)
Vulnerability Details
The npm module "shell-quote" cannot correctly escape "greater than" and "lower than" operator used for redirection in shell. This might be possible vulnerability for many application which depends on shell-quote.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mocha/package.json
Dependency Hierarchy:
❌ mocha-2.5.3.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/diff/package.json
Dependency Hierarchy:
mocha-2.5.3.tgz (Root Library)
❌ diff-1.4.0.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as proto, the attribute of the object is accessed instead of a path. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: choosealicense.com/assets/vendor/clipboard/node_modules/ws/package.json
Dependency Hierarchy:
karma-0.13.22.tgz (Root Library)
socket.io-1.7.4.tgz
engine.io-1.8.5.tgz
❌ ws-1.1.5.tgz (Vulnerable Library)
Vulnerability Details
Affected version of ws (0.2.6 through 3.3.0 excluding 0.3.4-2, 0.3.5-2, 0.3.5-3, 0.3.5-4, 1.1.5, 2.0.0-beta.0, 2.0.0-beta.1 and 2.0.0-beta.2) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mocha/package.json
Dependency Hierarchy:
❌ mocha-2.5.3.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/growl/package.json
Dependency Hierarchy:
mocha-2.5.3.tgz (Root Library)
❌ growl-1.9.2.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.
Mend Note: Converted from WS-2017-0236, on 2022-11-08.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mixin-deep/package.json
Dependency Hierarchy:
watchify-3.11.1.tgz (Root Library)
anymatch-2.0.0.tgz
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
❌ mixin-deep-1.3.1.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
bannerify-1.0.1.tgz (Root Library)
❌ lodash-3.10.1.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/shell-quote/package.json
Dependency Hierarchy:
browserify-11.2.0.tgz (Root Library)
❌ shell-quote-0.0.1.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/json5/package.json
Dependency Hierarchy:
babelify-6.4.0.tgz (Root Library)
babel-core-5.8.38.tgz
❌ json5-0.4.0.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mocha/node_modules/debug/package.json
Dependency Hierarchy:
karma-0.13.22.tgz (Root Library)
socket.io-1.7.4.tgz
socket.io-parser-2.3.1.tgz
❌ debug-2.2.0.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/acorn/package.json
Dependency Hierarchy:
browserify-11.2.0.tgz (Root Library)
module-deps-3.9.1.tgz
detective-4.7.1.tgz
❌ acorn-5.7.3.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/log4js/package.json
Dependency Hierarchy:
karma-0.13.22.tgz (Root Library)
❌ log4js-0.6.38.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/engine.io/package.json
Dependency Hierarchy:
karma-0.13.22.tgz (Root Library)
socket.io-1.7.4.tgz
❌ engine.io-1.8.5.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/snapdragon-node/node_modules/kind-of/package.json
Dependency Hierarchy:
karma-0.13.22.tgz (Root Library)
chokidar-1.7.0.tgz
readdirp-2.2.1.tgz
micromatch-3.1.10.tgz
❌ kind-of-6.0.2.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
karma-0.13.22.tgz (Root Library)
socket.io-1.7.4.tgz
❌ socket.io-parser-2.3.1.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
bannerify-1.0.1.tgz (Root Library)
❌ lodash-3.10.1.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/karma-browserify/node_modules/glob/node_modules/minimatch/package.json
Dependency Hierarchy:
babelify-6.4.0.tgz (Root Library)
babel-core-5.8.38.tgz
❌ minimatch-2.0.10.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/set-value/package.json
Dependency Hierarchy:
watchify-3.11.1.tgz (Root Library)
anymatch-2.0.0.tgz
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
❌ set-value-2.0.0.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
Mend Note: After conducting further research, Mend has determined that all versions of set-value before versions 2.0.1, 4.0.1 are vulnerable to CVE-2021-23440.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/http-proxy/package.json
Dependency Hierarchy:
karma-0.13.22.tgz (Root Library)
❌ http-proxy-1.17.0.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/set-value/package.json
Dependency Hierarchy:
watchify-3.11.1.tgz (Root Library)
anymatch-2.0.0.tgz
micromatch-3.1.10.tgz
snapdragon-0.8.2.tgz
base-0.11.2.tgz
cache-base-1.0.1.tgz
❌ set-value-2.0.0.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/socket.io/package.json
Dependency Hierarchy:
karma-0.13.22.tgz (Root Library)
❌ socket.io-1.7.4.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
In socket.io in versions 1.0.0 to 2.3.0 is vulnerable to Cross-Site Websocket Hijacking, it allows an attacker to bypass origin protection using special symbols include "`" and "$".
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
bannerify-1.0.1.tgz (Root Library)
❌ lodash-3.10.1.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Mend Note: Converted from WS-2019-0184, on 2022-11-08.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mocha/node_modules/debug/package.json
Dependency Hierarchy:
karma-0.13.22.tgz (Root Library)
socket.io-1.7.4.tgz
socket.io-parser-2.3.1.tgz
❌ debug-2.2.0.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The identifier of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/shell-quote/package.json
Dependency Hierarchy:
browserify-11.2.0.tgz (Root Library)
❌ shell-quote-0.0.1.tgz (Vulnerable Library)
Found in base branch: gh-pages
Vulnerability Details
The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.