Git Product home page Git Product logo

neat-starter's Introduction

Welcome to GitHub Pages

You can use the editor on GitHub to maintain and preview the content for your website in Markdown files.

Whenever you commit to this repository, GitHub Pages will run Jekyll to rebuild the pages in your site, from the content in your Markdown files.

Markdown

Markdown is a lightweight and easy-to-use syntax for styling your writing. It includes conventions for

Syntax highlighted code block

# Header 1
## Header 2
### Header 3

- Bulleted
- List

1. Numbered
2. List

**Bold** and _Italic_ and `Code` text

[Link](url) and ![Image](src)

For more details see GitHub Flavored Markdown.

Jekyll Themes

Your Pages site will use the layout and styles from the Jekyll theme you have selected in your repository settings. The name of this theme is saved in the Jekyll _config.yml configuration file.

Support or Contact

Having trouble with Pages? Check out our documentation or contact support and we’ll help you sort it out.

neat-starter's People

Contributors

depfu[bot] avatar faizulho avatar mend-bolt-for-github[bot] avatar renovate-bot avatar surjithctly avatar

Watchers

avatar avatar

neat-starter's Issues

CVE-2023-45857 (Medium) detected in axios-0.21.4.tgz

CVE-2023-45857 - Medium Severity Vulnerability

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • localtunnel-2.0.2.tgz
        • axios-0.21.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution (axios): 1.6.0

Direct dependency fix Resolution (@11ty/eleventy): 2.0.0-canary.1

Step up your Open Source Security Game with Mend here

CVE-2021-21353 (Critical) detected in pug-2.0.4.tgz

CVE-2021-21353 - Critical Severity Vulnerability

Vulnerable Library - pug-2.0.4.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • pug-2.0.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

Publish Date: 2021-03-03

URL: CVE-2021-21353

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p493-635q-r6gr

Release Date: 2021-03-03

Fix Resolution (pug): 3.0.0-canary-1

Direct dependency fix Resolution (@11ty/eleventy): 0.12.0

Step up your Open Source Security Game with Mend here

CVE-2023-2251 (High) detected in yaml-1.10.2.tgz - autoclosed

CVE-2023-2251 - High Severity Vulnerability

Vulnerable Library - yaml-1.10.2.tgz

JavaScript parser and stringifier for YAML

Library home page: https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/yaml/package.json

Dependency Hierarchy:

  • postcss-cli-9.0.0.tgz (Root Library)
    • postcss-load-config-3.1.0.tgz
      • yaml-1.10.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

Uncaught Exception in GitHub repository eemeli/yaml prior to 2.2.2.

Publish Date: 2023-04-24

URL: CVE-2023-2251

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f9xv-q969-pqx4

Release Date: 2023-04-24

Fix Resolution (yaml): 2.0.0-0

Direct dependency fix Resolution (postcss-cli): 10.0.0

Step up your Open Source Security Game with Mend here

CVE-2023-2142 (Medium) detected in nunjucks-3.2.3.tgz

CVE-2023-2142 - Medium Severity Vulnerability

Vulnerable Library - nunjucks-3.2.3.tgz

A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)

Library home page: https://registry.npmjs.org/nunjucks/-/nunjucks-3.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nunjucks/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • nunjucks-3.2.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

Nunjucks is vulnerable to autoescape bypass that may lead to cross site scripting (XSS). It was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character. The issue was patched in version 3.2.4.

Publish Date: 2023-04-18

URL: CVE-2023-2142

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x77j-w7wf-fjmw

Release Date: 2023-04-18

Fix Resolution (nunjucks): 3.2.4

Direct dependency fix Resolution (@11ty/eleventy): 0.12.0

Step up your Open Source Security Game with Mend here

CVE-2022-21670 (Medium) detected in markdown-it-10.0.0.tgz

CVE-2022-21670 - Medium Severity Vulnerability

Vulnerable Library - markdown-it-10.0.0.tgz

Markdown-it - modern pluggable markdown parser.

Library home page: https://registry.npmjs.org/markdown-it/-/markdown-it-10.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/markdown-it/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • markdown-it-10.0.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.

Publish Date: 2022-01-10

URL: CVE-2022-21670

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6vfc-qv3f-vr6c

Release Date: 2022-01-10

Fix Resolution (markdown-it): 12.3.2

Direct dependency fix Resolution (@11ty/eleventy): 1.0.0-canary.1

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.toarray:4.4.0

Vulnerabilities

DepShield reports that this application's usage of lodash.toarray:4.4.0 results in the following vulnerability(s):

Occurrences

lodash.toarray:4.4.0 is a transitive dependency introduced by the following direct dependency(s):

tailwindcss:1.9.3
        └─ node-emoji:1.10.0
              └─ lodash.toarray:4.4.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2023-22467 (High) detected in luxon-1.28.0.tgz

CVE-2023-22467 - High Severity Vulnerability

Vulnerable Library - luxon-1.28.0.tgz

Immutable date wrapper

Library home page: https://registry.npmjs.org/luxon/-/luxon-1.28.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/luxon/package.json

Dependency Hierarchy:

  • luxon-1.28.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.

Publish Date: 2023-01-04

URL: CVE-2023-22467

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3xq5-wjfh-ppjc

Release Date: 2023-01-04

Fix Resolution: 1.28.1

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.5) Vulnerability due to usage of acorn:4.0.13

Vulnerabilities

DepShield reports that this application's usage of acorn:4.0.13 results in the following vulnerability(s):

Occurrences

acorn:4.0.13 is a transitive dependency introduced by the following direct dependency(s):

@11ty/eleventy:0.11.0
        └─ pug:2.0.4
              └─ pug-code-gen:2.0.2
                    └─ with:5.1.1
                          └─ acorn-globals:3.1.0
                                └─ acorn:4.0.13
              └─ pug-lexer:4.1.0
                    └─ is-expression:3.0.0
                          └─ acorn:4.0.13

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2022-29078 (Critical) detected in ejs-2.7.4.tgz

CVE-2022-29078 - Critical Severity Vulnerability

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ejs/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • ejs-2.7.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution (ejs): 3.1.7

Direct dependency fix Resolution (@11ty/eleventy): 1.0.0-canary.1

Step up your Open Source Security Game with Mend here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Warning

These dependencies are deprecated:

Datasource Name Replacement PR?
npm npm-run-all Available

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • chore(deps): replace dependency npm-run-all with npm-run-all2 5.0.0
  • chore(deps): update dependency postcss-cli to v11
  • chore(deps): update dependency tailwindcss to v3
  • 🔐 Create all rate-limited PRs at once 🔐

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/azure-static-web-apps-ashy-ocean-047140000.yml
  • actions/checkout v2
  • Azure/static-web-apps-deploy v1
  • Azure/static-web-apps-deploy v1
npm
package.json
  • @11ty/eleventy 0.12.1
  • @11ty/eleventy-plugin-syntaxhighlight 3.1.2
  • @tailwindcss/typography 0.4.1
  • alpinejs 2.8.2
  • cross-env 7.0.3
  • js-yaml 4.1.0
  • luxon 1.28.0
  • npm-run-all 4.1.5
  • postcss-clean 1.2.2
  • postcss-cli 9.0.0
  • prismjs 1.25.0
  • tailwindcss 2.2.15
  • Check this box to trigger a request for Renovate to run again on this repository

CVE-2022-1214 (High) detected in axios-0.21.4.tgz - autoclosed

CVE-2022-1214 - High Severity Vulnerability

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • localtunnel-2.0.2.tgz
        • axios-0.21.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

Publish Date: 2022-05-03

URL: CVE-2022-1214

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/

Release Date: 2022-05-03

Fix Resolution (axios): 0.26.0

Direct dependency fix Resolution (@11ty/eleventy): 2.0.0-canary.1

Step up your Open Source Security Game with WhiteSource here

CVE-2022-25948 (Medium) detected in liquidjs-6.4.3.tgz

CVE-2022-25948 - Medium Severity Vulnerability

Vulnerable Library - liquidjs-6.4.3.tgz

Liquid template engine by pure JavaScript: compatible to shopify, easy to extend.

Library home page: https://registry.npmjs.org/liquidjs/-/liquidjs-6.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/liquidjs/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • liquidjs-6.4.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package liquidjs before 10.0.0 are vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Workaround For versions 9.34.0 and higher, an option to disable this functionality is provided.

Publish Date: 2022-12-22

URL: CVE-2022-25948

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-25948

Release Date: 2022-12-22

Fix Resolution (liquidjs): 10.0.0

Direct dependency fix Resolution (@11ty/eleventy): 2.0.0-canary.19

Step up your Open Source Security Game with Mend here

CVE-2023-32695 (High) detected in socket.io-parser-3.4.1.tgz

CVE-2023-32695 - High Severity Vulnerability

Vulnerable Library - socket.io-parser-3.4.1.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/socket.io/node_modules/socket.io-parser/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • socket.io-2.4.0.tgz
        • socket.io-parser-3.4.1.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.

Publish Date: 2023-05-27

URL: CVE-2023-32695

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cqmj-92xf-r6r9

Release Date: 2023-05-27

Fix Resolution (socket.io-parser): 3.4.3

Direct dependency fix Resolution (@11ty/eleventy): 0.12.0

Step up your Open Source Security Game with Mend here

CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • chokidar-3.5.2.tgz
      • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

The package glob-parent from 6.0.0 and before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Step up your Open Source Security Game with Mend here

CVE-2021-43138 (High) detected in async-1.5.2.tgz - autoclosed

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Library - async-1.5.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • portscanner-2.1.1.tgz
        • async-1.5.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (@11ty/eleventy): 2.0.0-canary.1

Step up your Open Source Security Game with Mend here

CVE-2023-29827 (Medium) detected in ejs-2.7.4.tgz - autoclosed

CVE-2023-29827 - Medium Severity Vulnerability

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ejs/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter.

Publish Date: 2023-05-04

URL: CVE-2023-29827

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2020-36048 (High) detected in engine.io-3.5.0.tgz

CVE-2020-36048 - High Severity Vulnerability

Vulnerable Library - engine.io-3.5.0.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/engine.io/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • socket.io-2.4.0.tgz
        • engine.io-3.5.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution (engine.io): 3.6.0

Direct dependency fix Resolution (@11ty/eleventy): 0.12.0

Step up your Open Source Security Game with Mend here

CVE-2022-24999 (High) detected in qs-6.2.3.tgz

CVE-2022-24999 - High Severity Vulnerability

Vulnerable Library - qs-6.2.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • qs-6.2.3.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.2.4

Direct dependency fix Resolution (@11ty/eleventy): 0.12.0

Step up your Open Source Security Game with Mend here

WS-2021-0153 (Critical) detected in ejs-2.7.4.tgz

WS-2021-0153 - Critical Severity Vulnerability

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ejs/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution (ejs): 3.1.6

Direct dependency fix Resolution (@11ty/eleventy): 1.0.0-canary.1

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.sortby:4.7.0

Vulnerabilities

DepShield reports that this application's usage of lodash.sortby:4.7.0 results in the following vulnerability(s):

Occurrences

lodash.sortby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

@11ty/eleventy-plugin-syntaxhighlight:3.0.4
        └─ jsdom:16.4.0
              └─ whatwg-url:8.4.0
                    └─ lodash.sortby:4.7.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.6.9

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

@11ty/eleventy:0.11.0
        └─ browser-sync:2.26.12
              └─ connect:3.6.6
                    └─ debug:2.6.9
                    └─ finalhandler:1.1.0
                          └─ debug:2.6.9
              └─ resp-modifier:6.0.2
                    └─ debug:2.6.9
              └─ send:0.16.2
                    └─ debug:2.6.9
              └─ serve-index:1.9.1
                    └─ debug:2.6.9

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.5) Vulnerability due to usage of acorn:3.3.0

Vulnerabilities

DepShield reports that this application's usage of acorn:3.3.0 results in the following vulnerability(s):

Occurrences

acorn:3.3.0 is a transitive dependency introduced by the following direct dependency(s):

@11ty/eleventy:0.11.0
        └─ pug:2.0.4
              └─ pug-code-gen:2.0.2
                    └─ with:5.1.1
                          └─ acorn:3.3.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

  • npm-run-all-4.1.5.tgz (Root Library)
    • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:3.2.2

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):

Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

@11ty/eleventy:0.11.0
        └─ pretty:2.0.0
              └─ condense-newlines:0.2.1
                    └─ kind-of:3.2.2
        └─ pug:2.0.4
              └─ pug-filters:3.1.1
                    └─ uglify-js:2.8.29
                          └─ yargs:3.10.0
                                └─ cliui:2.1.0
                                      └─ center-align:0.1.3
                                            └─ align-text:0.1.4
                                                  └─ kind-of:3.2.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.isfinite:3.3.2

Vulnerabilities

DepShield reports that this application's usage of lodash.isfinite:3.3.2 results in the following vulnerability(s):

Occurrences

lodash.isfinite:3.3.2 is a transitive dependency introduced by the following direct dependency(s):

@11ty/eleventy:0.11.0
        └─ browser-sync:2.26.12
              └─ portscanner:2.1.1
                    └─ is-number-like:1.0.8
                          └─ lodash.isfinite:3.3.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2021-23382 (High) detected in postcss-6.0.23.tgz, postcss-7.0.32.tgz

CVE-2021-23382 - High Severity Vulnerability

Vulnerable Libraries - postcss-6.0.23.tgz, postcss-7.0.32.tgz

postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss/package.json

Dependency Hierarchy:

  • postcss-clean-1.2.2.tgz (Root Library)
    • postcss-6.0.23.tgz (Vulnerable Library)
postcss-7.0.32.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.32.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/purgecss/node_modules/postcss/package.json,/node_modules/@fullhuman/postcss-purgecss/node_modules/postcss/package.json

Dependency Hierarchy:

  • tailwindcss-1.9.6.tgz (Root Library)
    • postcss-purgecss-2.3.0.tgz
      • postcss-7.0.32.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (tailwindcss): 2.1.2-internal.1

Step up your Open Source Security Game with Mend here

CVE-2021-3807 (High) detected in ansi-regex-2.1.1.tgz - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Library - ansi-regex-2.1.1.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz

Path to dependency file: neat-starter/package.json

Path to vulnerable library: neat-starter/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • eazy-logger-3.1.0.tgz
        • tfunk-4.0.0.tgz
          • chalk-1.1.3.tgz
            • has-ansi-2.0.0.tgz
              • ansi-regex-2.1.1.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2022-2421 (Critical) detected in socket.io-parser-3.4.1.tgz, socket.io-parser-3.3.2.tgz

CVE-2022-2421 - Critical Severity Vulnerability

Vulnerable Libraries - socket.io-parser-3.4.1.tgz, socket.io-parser-3.3.2.tgz

socket.io-parser-3.4.1.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/socket.io/node_modules/socket.io-parser/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • socket.io-2.4.0.tgz
        • socket.io-parser-3.4.1.tgz (Vulnerable Library)
socket.io-parser-3.3.2.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/socket.io-parser/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • browser-sync-ui-2.27.5.tgz
        • socket.io-client-2.4.0.tgz
          • socket.io-parser-3.3.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

Publish Date: 2022-10-26

URL: CVE-2022-2421

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qm95-pgcg-qqfq

Release Date: 2022-10-26

Fix Resolution (socket.io-parser): 3.4.2

Direct dependency fix Resolution (@11ty/eleventy): 0.12.0

Fix Resolution (socket.io-parser): 3.4.2

Direct dependency fix Resolution (@11ty/eleventy): 0.12.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.5) Vulnerability due to usage of http-proxy:1.18.1

Vulnerabilities

DepShield reports that this application's usage of http-proxy:1.18.1 results in the following vulnerability(s):

Occurrences

http-proxy:1.18.1 is a transitive dependency introduced by the following direct dependency(s):

@11ty/eleventy:0.11.0
        └─ browser-sync:2.26.12
              └─ http-proxy:1.18.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2021-23368 (Medium) detected in postcss-7.0.32.tgz

CVE-2021-23368 - Medium Severity Vulnerability

Vulnerable Library - postcss-7.0.32.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.32.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/purgecss/node_modules/postcss/package.json,/node_modules/@fullhuman/postcss-purgecss/node_modules/postcss/package.json

Dependency Hierarchy:

  • tailwindcss-1.9.6.tgz (Root Library)
    • postcss-purgecss-2.3.0.tgz
      • postcss-7.0.32.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (tailwindcss): 2.1.2-internal.1

Step up your Open Source Security Game with Mend here

CVE-2021-42740 (Critical) detected in shell-quote-1.7.2.tgz

CVE-2021-42740 - Critical Severity Vulnerability

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/shell-quote/package.json

Dependency Hierarchy:

  • npm-run-all-4.1.5.tgz (Root Library)
    • shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution: shell-quote - 1.7.3

Step up your Open Source Security Game with Mend here

CVE-2022-23647 (Medium) detected in prismjs-1.25.0.tgz

CVE-2022-23647 - Medium Severity Vulnerability

Vulnerable Library - prismjs-1.25.0.tgz

Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.

Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.25.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/prismjs/package.json

Dependency Hierarchy:

  • prismjs-1.25.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

Publish Date: 2022-02-18

URL: CVE-2022-23647

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3949-f494-cm99

Release Date: 2022-02-18

Fix Resolution: 1.27.0

Step up your Open Source Security Game with Mend here

CVE-2022-41940 (Medium) detected in engine.io-3.5.0.tgz

CVE-2022-41940 - Medium Severity Vulnerability

Vulnerable Library - engine.io-3.5.0.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/engine.io/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • browser-sync-2.27.5.tgz
      • socket.io-2.4.0.tgz
        • engine.io-3.5.0.tgz (Vulnerable Library)

Found in HEAD commit: a2ac742a75c9fdee83efa55c56fe23bed84943d5

Found in base branch: master

Vulnerability Details

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.

Publish Date: 2022-11-22

URL: CVE-2022-41940

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r7qp-cfhv-p84w

Release Date: 2022-11-22

Fix Resolution (engine.io): 3.6.1

Direct dependency fix Resolution (@11ty/eleventy): 0.12.0

Step up your Open Source Security Game with Mend here

CVE-2022-37609 (High) detected in js-beautify-1.14.0.tgz - autoclosed

CVE-2022-37609 - High Severity Vulnerability

Vulnerable Library - js-beautify-1.14.0.tgz

beautifier.io for node

Library home page: https://registry.npmjs.org/js-beautify/-/js-beautify-1.14.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-beautify/package.json

Dependency Hierarchy:

  • eleventy-0.11.1.tgz (Root Library)
    • pretty-2.0.0.tgz
      • js-beautify-1.14.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js.

Publish Date: 2022-10-11

URL: CVE-2022-37609

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.