Git Product home page Git Product logo

godseye's Introduction

Hi there πŸ‘‹

Agnellus here,

A Cyber-Security Engineer, App Developer and Student, currently in Mumbai, India

  • πŸ”­ I’m currently working on -> Pentesting | Blue-Team Stuff | Automation
  • 🌱 I’m currently learning -> Bug Bounty | CTFs | Life-Lessons
  • πŸ€” I’m looking for help with -> Automation | OpenSource
  • πŸ‘― I’m looking to collaborate on -> App Development (Java/Flutter) | Anything Security
  • πŸ’¬ Ask me about -> Security | App Development | Linux
  • πŸ“« How to reach me: -> LinkedIn | [email protected]
  • ⚑ Fun fact: Security is always excessive until it’s not enough – Robbie Sinclair

Github stats

Top Langs

godseye's People

Contributors

agnellusx1 avatar anisha1502 avatar clarice99 avatar mend-bolt-for-github[bot] avatar sancia15 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

sheshukurnool iamnishantmishra sancia15 clarice99 simrit1 ore291 the-quantum-boy anisha1502 nicolasbui abdoukhadre-searching skhuurrr musadabra catalystblinc anish0010

godseye's Issues

CVE-2018-20676 (Medium) detected in bootstrap-3.3.7.tgz - autoclosed

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/bootstrap/package.json

Dependency Hierarchy:

  • ❌ bootstrap-3.3.7.tgz (Vulnerable Library)

Found in HEAD commit: c933fb4a7f0e127808552b168a3b675483c2532c

Found in base branch: dev

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23343 (Medium) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - Medium Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: GodsEye/package.json

Path to vulnerable library: GodsEye/node_modules/path-parse/package.json

Dependency Hierarchy:

  • babel-eslint-10.1.0.tgz (Root Library)
    • resolve-1.20.0.tgz
      • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 791b9c46e4ab01360326f8f69e9cb194d26c673d

Found in base branch: PreProduction

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2022-0235 (Medium) detected in node-fetch-2.6.1.tgz

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • tfjs-3.6.0.tgz (Root Library)
    • tfjs-core-3.6.0.tgz
      • ❌ node-fetch-2.6.1.tgz (Vulnerable Library)

Found in base branch: PreProduction

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (@tensorflow/tfjs): 3.7.0

Step up your Open Source Security Game with Mend here

CVE-2020-28498 (Medium) detected in elliptic-6.5.3.tgz - autoclosed

CVE-2020-28498 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.3.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz

Dependency Hierarchy:

  • react-scripts-4.0.1.tgz (Root Library)
    • webpack-4.44.2.tgz
      • node-libs-browser-2.2.1.tgz
        • crypto-browserify-3.12.0.tgz
          • browserify-sign-4.2.1.tgz
            • ❌ elliptic-6.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 398e76b0c373c89d4c85f17b9a15b0d7bf379a19

Found in base branch: dev

Vulnerability Details

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution: v6.5.4

Step up your Open Source Security Game with WhiteSource here

CVE-2022-0512 (Medium) detected in url-parse-1.5.1.tgz

CVE-2022-0512 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • sockjs-client-1.5.1.tgz
        • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: PreProduction

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Publish Date: 2022-02-14

URL: CVE-2022-0512

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512

Release Date: 2022-02-14

Fix Resolution (url-parse): 1.5.6

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-28168 (Medium) detected in axios-0.18.1.tgz - autoclosed

CVE-2020-28168 - Medium Severity Vulnerability

Vulnerable Library - axios-0.18.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz

Path to dependency file: GodsEye/package.json

Path to vulnerable library: GodsEye/node_modules/axios/package.json

Dependency Hierarchy:

  • oauth2-firebase-0.1.30.tgz (Root Library)
    • firebase-admin-5.13.1.tgz
      • firestore-0.15.4.tgz
        • common-0.20.3.tgz
          • ❌ axios-0.18.1.tgz (Vulnerable Library)

Found in HEAD commit: 791b9c46e4ab01360326f8f69e9cb194d26c673d

Found in base branch: PreProduction

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: axios/axios@c7329fe

Release Date: 2020-11-06

Fix Resolution: axios - 0.21.1

Step up your Open Source Security Game with WhiteSource here

UI Interface Design

Need to Design the UI Interface for the WebApp

Each Interface must have a Single JavaScript file
Technologies that can be used:

  • HTML
  • CSS
  • Bootstrap
  • Reactjs Framework

The Interfaces Include

  • Login Screen
  • Instructions Screen
  • Dashboard

CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz - autoclosed

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • eslint-plugin-import-2.22.1.tgz
      • read-pkg-up-2.0.0.tgz
        • read-pkg-2.0.0.tgz
          • normalize-package-data-2.5.0.tgz
            • ❌ hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: c933fb4a7f0e127808552b168a3b675483c2532c

Found in base branch: main

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/npm/hosted-git-info/releases/tag/v3.0.8

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 3.0.8

Step up your Open Source Security Game with WhiteSource here

CVE-2016-10735 (Medium) detected in bootstrap-3.3.7.tgz - autoclosed

CVE-2016-10735 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/bootstrap/package.json

Dependency Hierarchy:

  • ❌ bootstrap-3.3.7.tgz (Vulnerable Library)

Found in HEAD commit: c933fb4a7f0e127808552b168a3b675483c2532c

Found in base branch: dev

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#20184

Release Date: 2019-01-09

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz - autoclosed

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/y18n/package.json

Dependency Hierarchy:

  • react-scripts-4.0.0.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • yargs-13.3.2.tgz
        • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 920b7c625189496d9ee8a34887a18a7c4375c04a

Found in base branch: dev

Vulnerability Details

This affects the package y18n before 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774

Release Date: 2020-11-17

Fix Resolution: 5.0.5

Step up your Open Source Security Game with WhiteSource here

Head Pose Estimation

HeadPose Estimation using openCV.js or tensorflowjs in the client side

  • HeadPose Estimation in client side
  • HeadPose Estimation to React

CVE-2021-23364 (Medium) detected in browserslist-4.14.2.tgz

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.14.2.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.2.tgz

Path to dependency file: GodsEye/package.json

Path to vulnerable library: GodsEye/node_modules/react-dev-utils/node_modules/browserslist/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • ❌ browserslist-4.14.2.tgz (Vulnerable Library)

Found in base branch: PreProduction

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Step up your Open Source Security Game with WhiteSource here

CVE-2018-20677 (Medium) detected in bootstrap-3.3.7.tgz - autoclosed

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/bootstrap/package.json

Dependency Hierarchy:

  • ❌ bootstrap-3.3.7.tgz (Vulnerable Library)

Found in HEAD commit: c933fb4a7f0e127808552b168a3b675483c2532c

Found in base branch: dev

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

Step up your Open Source Security Game with WhiteSource here

Form Code Database and Mechanism

Create a firebase Database and Develop a mechanism that can be used to assign code and Google Form Links for each exam

Admins Interface

  • UI
  • Firebase Database
  • Database Connectivity
  • Authentication

Student Interface

  • UI
  • Fetch GForm Link
  • Embed GForm

CVE-2022-0122 (Medium) detected in node-forge-0.10.0.tgz

CVE-2022-0122 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.11.tgz
        • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: PreProduction

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-15168 (Medium) detected in node-fetch-2.1.2.tgz - autoclosed

CVE-2020-15168 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.1.2.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.1.2.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/webgazer/node_modules/node-fetch/package.json

Dependency Hierarchy:

  • webgazer-2.0.1.tgz (Root Library)
    • tfjs-2.0.1.tgz
      • tfjs-core-2.0.1.tgz
        • ❌ node-fetch-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: a4114a84200fc960eaa7f2f7a752703dc2b0d34f

Found in base branch: dev

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-07-21

Fix Resolution: 2.6.1,3.0.0-beta.9

Step up your Open Source Security Game with WhiteSource here

Post Testing Issue

  • HeadPose --- @AgnellusX1
  • Object Detection Re-Implementation --- @AgnellusX1
  • Exit Exam Window Compulsion
  • Fix/Hide System Warnings --- @sancia15
  • Shortcut Keys Missing
  • GForm Security Issues --- @AgnellusX1
  • Negative Timer Issues --- @clarice99
  • Blocking Camera Bug --- @clarice99
  • System Check (2 times Click to Activate) Bug --- @sancia15
  • Enable Full Screen Detection, right after App goes Full Screen
  • Multiple Face Bug (Fix/ Disable Feature)
  • Cell Phone Detection Bug(False-Positive)
  • "Using a Development Build of Firebase JS SDK" Bug

CVE-2021-23566 (Medium) detected in nanoid-3.1.23.tgz

CVE-2021-23566 - Medium Severity Vulnerability

Vulnerable Library - nanoid-3.1.23.tgz

A tiny (108 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.23.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nanoid/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • postcss-safe-parser-5.0.2.tgz
      • postcss-8.2.15.tgz
        • ❌ nanoid-3.1.23.tgz (Vulnerable Library)

Found in HEAD commit: 791b9c46e4ab01360326f8f69e9cb194d26c673d

Found in base branch: PreProduction

Vulnerability Details

The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-14

Fix Resolution (nanoid): 3.1.31

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-27290 (High) detected in ssri-6.0.1.tgz - autoclosed

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/webpack/node_modules/ssri/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-4.44.2.tgz
      • terser-webpack-plugin-1.4.5.tgz
        • cacache-12.0.4.tgz
          • ❌ ssri-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: eb4fbce2deeb9f2c470e366dd265e6c95a112e62

Found in base branch: main

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290

Release Date: 2021-03-12

Fix Resolution: ssri - 6.0.2,8.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2021-24033 (Medium) detected in react-dev-utils-11.0.3.tgz - autoclosed

CVE-2021-24033 - Medium Severity Vulnerability

Vulnerable Library - react-dev-utils-11.0.3.tgz

webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-11.0.3.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/react-dev-utils/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • ❌ react-dev-utils-11.0.3.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

Publish Date: 2021-03-09

URL: CVE-2021-24033

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.facebook.com/security/advisories/cve-2021-24033

Release Date: 2021-03-09

Fix Resolution: react-dev-utils-11.0.4

Step up your Open Source Security Game with WhiteSource here

CVE-2021-28092 (High) detected in is-svg-3.0.0.tgz - autoclosed

CVE-2021-28092 - High Severity Vulnerability

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/is-svg/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • optimize-css-assets-webpack-plugin-5.0.4.tgz
      • cssnano-4.1.10.tgz
        • cssnano-preset-default-4.0.7.tgz
          • postcss-svgo-4.0.2.tgz
            • ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: eb4fbce2deeb9f2c470e366dd265e6c95a112e62

Found in base branch: dev

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution: v4.2.2

Step up your Open Source Security Game with WhiteSource here

WS-2022-0007 (Medium) detected in node-forge-0.10.0.tgz - autoclosed

WS-2022-0007 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.11.tgz
        • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: PreProduction

Vulnerability Details

In node-forge before 1.0.0 he regex used for the forge.util.parseUrl API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior.

Publish Date: 2022-01-08

URL: WS-2022-0007

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-08

Fix Resolution: node-forge - 1.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7720 (High) detected in node-forge-0.8.5.tgz, node-forge-0.7.4.tgz - autoclosed

CVE-2020-7720 - High Severity Vulnerability

Vulnerable Libraries - node-forge-0.8.5.tgz, node-forge-0.7.4.tgz

node-forge-0.8.5.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz

Path to dependency file: GodsEye/package.json

Path to vulnerable library: GodsEye/node_modules/google-p12-pem/node_modules/node-forge/package.json

Dependency Hierarchy:

  • oauth2-firebase-0.1.30.tgz (Root Library)
    • firebase-admin-5.13.1.tgz
      • firestore-0.15.4.tgz
        • common-0.20.3.tgz
          • google-auth-library-1.6.1.tgz
            • gtoken-2.3.3.tgz
              • google-p12-pem-1.0.4.tgz
                • ❌ node-forge-0.8.5.tgz (Vulnerable Library)
node-forge-0.7.4.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.4.tgz

Path to dependency file: GodsEye/package.json

Path to vulnerable library: GodsEye/node_modules/node-forge/package.json

Dependency Hierarchy:

  • oauth2-firebase-0.1.30.tgz (Root Library)
    • firebase-admin-5.13.1.tgz
      • ❌ node-forge-0.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 791b9c46e4ab01360326f8f69e9cb194d26c673d

Found in base branch: PreProduction

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md

Release Date: 2020-09-13

Fix Resolution: node-forge - 0.10.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json,/node_modules/webpack-dev-server/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-4.44.2.tgz
      • watchpack-1.7.5.tgz
        • watchpack-chokidar2-2.0.1.tgz
          • chokidar-2.1.8.tgz
            • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in base branch: PreProduction

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

System Check

Before the Test begins, the WebApp cheeks the users system for Compatibility and Support.
If all the Requirements are fulfilled, only then the user is granted access to the Rest of the App

Checks Include

  • Browser Version and Support
  • Webcam Detection and Permission Check
  • Network Speed
  • Screen Share

Results Page Rework

  • Create a Drop Down that will show all the Exam Codes
  • OnClicking the Selected Drop Option, only Students of that Exam should be loaded and shown

Audio Analysis

Audio Analysis using tensorflow or tensorflowjs in the client side

  • Audio Analysis in client side
  • Linking Audio Analysis to React

Admin Login

Teachers should be able to register and Login using the Emails | Use Firebase Authentication

  • Login
  • Register
  • Signout
  • Maintain a Profile and show the User the name they used while they registered, when they have successfully logged into the system

Object Detection

Object Detection using tensorflow or tensorflowjs in the client side

  • Object Detection and Analysis in client side
  • Linking Object Detection to React

CVE-2018-14040 (Medium) detected in bootstrap-3.3.7.tgz - autoclosed

CVE-2018-14040 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/bootstrap/package.json

Dependency Hierarchy:

  • ❌ bootstrap-3.3.7.tgz (Vulnerable Library)

Found in HEAD commit: c933fb4a7f0e127808552b168a3b675483c2532c

Found in base branch: dev

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7789 (Medium) detected in node-notifier-8.0.0.tgz - autoclosed

CVE-2020-7789 - Medium Severity Vulnerability

Vulnerable Library - node-notifier-8.0.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-8.0.0.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/node-notifier/package.json

Dependency Hierarchy:

  • react-scripts-4.0.1.tgz (Root Library)
    • jest-26.6.0.tgz
      • core-26.6.3.tgz
        • reporters-26.6.2.tgz
          • ❌ node-notifier-8.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 0fe1c18197ac67a755b6fe3880dea36b60bd0e21

Found in base branch: dev

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution: 9.0.0

Step up your Open Source Security Game with WhiteSource here

WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz

WS-2022-0008 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.11.tgz
        • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 791b9c46e4ab01360326f8f69e9cb194d26c673d

Found in base branch: PreProduction

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-0691 (Critical) detected in url-parse-1.5.1.tgz

CVE-2022-0691 - Critical Severity Vulnerability

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • sockjs-client-1.5.1.tgz
        • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: PreProduction

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2018-14042 (Medium) detected in bootstrap-3.3.7.tgz - autoclosed

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/bootstrap/package.json

Dependency Hierarchy:

  • ❌ bootstrap-3.3.7.tgz (Vulnerable Library)

Found in HEAD commit: c933fb4a7f0e127808552b168a3b675483c2532c

Found in base branch: dev

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

Step up your Open Source Security Game with WhiteSource here

Submit Google form on Timeout and Move to the Finish page + Sign-out

Once the timer runs out, show an alert to the user and submit the google form and at the same time take the user to the thankyou page also signing him out from the app

Steps:

  • Show alert on Timeout
  • Submit the Google form on timeout, without user interaction
  • Move user to the next page (Thankyou page)
  • Sign out the user from the app

Secured Browser Features

Features to Secured the Examination Platform and Preventing Students from performing any malpractices on the platform

  • Full Screen
  • Disable Right Click
  • Allow only SFIT Accounts to login
  • Disable Copy / Paste Shortcuts
  • Detect opening New Tab
  • Prevent Opening a New Tab
  • Prevent Page access without Login
  • Detect use of other app apart from the Browser

CVE-2020-7765 (Medium) detected in util-0.2.14.tgz - autoclosed

CVE-2020-7765 - Medium Severity Vulnerability

Vulnerable Library - util-0.2.14.tgz

_NOTE: This is specifically tailored for Firebase JS SDK usage, if you are not a member of the Firebase team, please avoid using this package_

Library home page: https://registry.npmjs.org/@firebase/util/-/util-0.2.14.tgz

Path to dependency file: GodsEye/package.json

Path to vulnerable library: GodsEye/node_modules/firebase-admin/node_modules/@firebase/util/package.json

Dependency Hierarchy:

  • oauth2-firebase-0.1.30.tgz (Root Library)
    • firebase-admin-5.13.1.tgz
      • app-0.3.17.tgz
        • ❌ util-0.2.14.tgz (Vulnerable Library)

Found in HEAD commit: 791b9c46e4ab01360326f8f69e9cb194d26c673d

Found in base branch: PreProduction

Vulnerability Details

This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

Publish Date: 2020-11-16

URL: CVE-2020-7765

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: firebase/firebase-js-sdk#4001

Release Date: 2020-11-16

Fix Resolution: 0.3.4

Step up your Open Source Security Game with WhiteSource here

CVE-2021-3664 (Medium) detected in url-parse-1.5.1.tgz

CVE-2021-3664 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • sockjs-client-1.5.1.tgz
        • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: PreProduction

Vulnerability Details

url-parse is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2021-07-26

URL: CVE-2021-3664

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664

Release Date: 2021-07-26

Fix Resolution (url-parse): 1.5.2

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-23382 (Medium) detected in postcss-7.0.21.tgz, postcss-7.0.35.tgz

CVE-2021-23382 - Medium Severity Vulnerability

Vulnerable Libraries - postcss-7.0.21.tgz, postcss-7.0.35.tgz

postcss-7.0.21.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz

Path to dependency file: GodsEye/package.json

Path to vulnerable library: GodsEye/node_modules/resolve-url-loader/node_modules/postcss/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • resolve-url-loader-3.1.3.tgz
      • ❌ postcss-7.0.21.tgz (Vulnerable Library)
postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: GodsEye/package.json

Path to vulnerable library: GodsEye/node_modules/postcss/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • css-loader-4.3.0.tgz
      • ❌ postcss-7.0.35.tgz (Vulnerable Library)

Found in HEAD commit: 791b9c46e4ab01360326f8f69e9cb194d26c673d

Found in base branch: PreProduction

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13

Step up your Open Source Security Game with WhiteSource here

Face Detection

Face Detection using tensorflow or tensorflowjs in the client side

  • Face Detection in client side
  • Linking face detection to React

CVE-2022-0686 (Critical) detected in url-parse-1.5.1.tgz

CVE-2022-0686 - Critical Severity Vulnerability

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • sockjs-client-1.5.1.tgz
        • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: PreProduction

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-28477 (High) detected in immer-7.0.9.tgz - autoclosed

CVE-2020-28477 - High Severity Vulnerability

Vulnerable Library - immer-7.0.9.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-7.0.9.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/immer/package.json

Dependency Hierarchy:

  • react-scripts-4.0.1.tgz (Root Library)
    • react-dev-utils-11.0.1.tgz
      • ❌ immer-7.0.9.tgz (Vulnerable Library)

Found in HEAD commit: a4114a84200fc960eaa7f2f7a752703dc2b0d34f

Found in base branch: dev

Vulnerability Details

This affects all versions of package immer.

Publish Date: 2021-01-19

URL: CVE-2020-28477

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/immerjs/immer/releases/tag/v8.0.1

Release Date: 2021-01-19

Fix Resolution: v8.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-15256 (High) detected in object-path-0.11.4.tgz - autoclosed

CVE-2020-15256 - High Severity Vulnerability

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/object-path/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • resolve-url-loader-3.1.1.tgz
      • adjust-sourcemap-loader-2.0.0.tgz
        • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: 52a57d33f29b01bef110bf4bcd06ce5907c9fede

Found in base branch: main

Vulnerability Details

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cwx2-736x-mf6w

Release Date: 2020-07-21

Fix Resolution: 0.11.5

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23368 (Medium) detected in postcss-7.0.21.tgz, postcss-7.0.35.tgz

CVE-2021-23368 - Medium Severity Vulnerability

Vulnerable Libraries - postcss-7.0.21.tgz, postcss-7.0.35.tgz

postcss-7.0.21.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz

Path to dependency file: GodsEye/package.json

Path to vulnerable library: GodsEye/node_modules/resolve-url-loader/node_modules/postcss/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • resolve-url-loader-3.1.3.tgz
      • ❌ postcss-7.0.21.tgz (Vulnerable Library)
postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: GodsEye/package.json

Path to vulnerable library: GodsEye/node_modules/postcss/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • css-loader-4.3.0.tgz
      • ❌ postcss-7.0.35.tgz (Vulnerable Library)

Found in HEAD commit: 791b9c46e4ab01360326f8f69e9cb194d26c673d

Found in base branch: PreProduction

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution: postcss -8.2.10

Step up your Open Source Security Game with WhiteSource here

CVE-2019-8331 (Medium) detected in bootstrap-3.3.7.tgz - autoclosed

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz

Path to dependency file: GodsEye/gods-eye/package.json

Path to vulnerable library: GodsEye/gods-eye/node_modules/bootstrap/package.json

Dependency Hierarchy:

  • ❌ bootstrap-3.3.7.tgz (Vulnerable Library)

Found in HEAD commit: c933fb4a7f0e127808552b168a3b675483c2532c

Found in base branch: dev

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

Step up your Open Source Security Game with WhiteSource here

Student Image Capture

Validate the user in order to make sure that the camera is set up Correctly and the User is a Valid User

  • UI
  • Camera Placement Check
  • Capture the Image
  • Change the Image format
  • Upload the Image to the Firebase Storage

CVE-2020-1971 (Medium) detected in boringssl85c2cd8a458dc62fb7e9a540d94d21d1bb39c86a - autoclosed

CVE-2020-1971 - Medium Severity Vulnerability

Vulnerable Library - boringssl85c2cd8a458dc62fb7e9a540d94d21d1bb39c86a

Mirror of BoringSSL

Library home page: https://github.com/google/boringssl.git

Found in HEAD commit: 791b9c46e4ab01360326f8f69e9cb194d26c673d

Found in base branch: PreProduction

Vulnerable Source Files (1)

GodsEye/node_modules/grpc/deps/grpc/third_party/boringssl/crypto/x509v3/v3_genn.c

Vulnerability Details

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).

Publish Date: 2020-12-08

URL: CVE-2020-1971

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971

Release Date: 2020-12-08

Fix Resolution: 1.0.2x,1.1.1i

Step up your Open Source Security Game with WhiteSource here

CVE-2022-0639 (Medium) detected in url-parse-1.5.1.tgz

CVE-2022-0639 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • sockjs-client-1.5.1.tgz
        • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: PreProduction

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

Publish Date: 2022-02-17

URL: CVE-2022-0639

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639

Release Date: 2022-02-17

Fix Resolution (url-parse): 1.5.7

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    πŸ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. πŸ“ŠπŸ“ˆπŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❀️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.