e-voting-using-blockchain's Issues

CVE-2014-7191 (Medium) detected in multiple libraries

CVE-2014-7191 - Medium Severity Vulnerability

Vulnerable Libraries - qs-0.6.6.tgz, qs-0.5.1.tgz, qs-0.5.6.tgz, qs-0.1.0.tgz

qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/qs/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • request-2.27.0.tgz
      • qs-0.6.6.tgz (Vulnerable Library)

qs-0.5.1.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • connect-2.4.6.tgz
      • qs-0.5.1.tgz (Vulnerable Library)

qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/tiny-lr/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • tiny-lr-0.0.4.tgz
      • qs-0.5.6.tgz (Vulnerable Library)

qs-0.1.0.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.1.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/select2/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/q-io/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-gh-pages-0.9.1.tgz (Root Library)
    • q-io-1.6.5.tgz
      • qs-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Publish Date: 2014-10-19

URL: CVE-2014-7191

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191

Release Date: 2014-10-19

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (bower): 1.3.10

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt): 0.4.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-gh-pages): 3.1.0



CVE-2017-1000427 (Low) detected in marked-0.2.10.tgz

CVE-2017-1000427 - Low Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

Publish Date: 2018-01-02

URL: CVE-2017-1000427

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000427

Release Date: 2018-01-02

Fix Resolution (marked): 0.3.7

Direct dependency fix Resolution (grunt-assemble): 0.6.0



CVE-2017-16026 (Medium) detected in multiple libraries

CVE-2017-16026 - Medium Severity Vulnerability

Vulnerable Libraries - request-2.40.0.tgz, request-2.67.0.tgz, request-2.27.0.tgz, request-2.9.203.tgz

request-2.40.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.40.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/request/package.json

Dependency Hierarchy:

  • grunt-contrib-less-0.12.0.tgz (Root Library)
    • less-1.7.5.tgz
      • request-2.40.0.tgz (Vulnerable Library)

request-2.67.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.67.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/phantomjs/node_modules/request/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • grunt-lib-phantomjs-0.7.1.tgz
      • phantomjs-1.9.20.tgz
        • request-2.67.0.tgz (Vulnerable Library)

request-2.27.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.27.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/request/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • request-2.27.0.tgz (Vulnerable Library)

request-2.9.203.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.9.203.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/loggly/node_modules/request/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • prompt-0.1.12.tgz
      • winston-0.5.11.tgz
        • loggly-0.3.11.tgz
          • request-2.9.203.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

Release Date: 2018-04-26

Fix Resolution (request): 2.68.0

Direct dependency fix Resolution (grunt-contrib-less): 1.0.0

Fix Resolution (request): 2.68.0

Direct dependency fix Resolution (grunt-mocha): 1.0.0

Fix Resolution (request): 2.68.0

Direct dependency fix Resolution (bower): 1.7.5

Fix Resolution (request): 2.68.0

Direct dependency fix Resolution (grunt): 0.4.0



CVE-2016-10531 (Medium) detected in marked-0.2.10.tgz

CVE-2016-10531 - Medium Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.

Publish Date: 2018-05-31

URL: CVE-2016-10531

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10531

Release Date: 2018-04-26

Fix Resolution (marked): 0.3.6

Direct dependency fix Resolution (grunt-assemble): 0.6.0



WS-2016-0036 (High) detected in cli-0.6.6.tgz, cli-0.4.3.tgz

WS-2016-0036 - High Severity Vulnerability

Vulnerable Libraries - cli-0.6.6.tgz, cli-0.4.3.tgz

cli-0.6.6.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.6.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/select2/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/cli/package.json

Dependency Hierarchy:

  • grunt-contrib-jshint-0.11.3.tgz (Root Library)
    • jshint-2.8.0.tgz
      • cli-0.6.6.tgz (Vulnerable Library)

cli-0.4.3.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.4.3.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/cli/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • jshint-0.9.1.tgz
      • cli-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The package node-cli insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2016-08-16

URL: WS-2016-0036

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2016-08-16

Fix Resolution (cli): 1.0.0

Direct dependency fix Resolution (grunt-contrib-jshint): 0.12.0

Fix Resolution (cli): 1.0.0

Direct dependency fix Resolution (grunt): 0.4.0



CVE-2015-1370 (Low) detected in marked-0.2.10.tgz

CVE-2015-1370 - Low Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.

Publish Date: 2015-01-27

URL: CVE-2015-1370

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1370

Release Date: 2015-01-27

Fix Resolution (marked): 0.3.0

Direct dependency fix Resolution (grunt-assemble): 0.6.0



CVE-2018-3721 (Medium) detected in multiple libraries

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-1.3.1.tgz, lodash-1.2.1.tgz, lodash-2.2.1.tgz, lodash-1.0.2.tgz, lodash-3.10.1.tgz, lodash-3.7.0.tgz, lodash-4.6.1.tgz, lodash-0.9.2.tgz, lodash-2.4.2.tgz

lodash-1.3.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.3.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/matchkeys/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • matchkeys-0.1.3.tgz
          • lodash-1.3.1.tgz (Vulnerable Library)

lodash-1.2.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.2.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • inquirer-0.3.5.tgz
      • lodash-1.2.1.tgz (Vulnerable Library)

lodash-2.2.1.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.2.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/handlebars-helpers/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • lodash-2.2.1.tgz (Vulnerable Library)

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/chart.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • gaze-0.4.3.tgz
      • globule-0.1.0.tgz
        • lodash-1.0.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/chart.js/package.json

Path to vulnerable library: /evoting app/src/node_modules/grunt-contrib-csslint/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

lodash-3.7.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-jshint-0.11.3.tgz (Root Library)
    • jshint-2.8.0.tgz
      • lodash-3.7.0.tgz (Vulnerable Library)

lodash-4.6.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.6.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-datepicker/package.json

Path to vulnerable library: /evoting app/src/node_modules/grunt-jscs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-jscs-3.0.1.tgz (Root Library)
    • lodash-4.6.1.tgz (Vulnerable Library)

lodash-0.9.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-0.9.2.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/grunt/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • lodash-0.9.2.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/fs-utils/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Mend Note: Converted from WS-2019-0184, on 2022-11-08.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1067

Release Date: 2018-06-07

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (bower): 1.7.5

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.1

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt-mocha): 1.2.0

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt-contrib-jshint): 0.12.0

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt): 1.0.3



WS-2017-0266 (Low) detected in http-signature-0.10.1.tgz

WS-2017-0266 - Low Severity Vulnerability

Vulnerable Library - http-signature-0.10.1.tgz

Reference implementation of Joyent's HTTP Signature scheme.

Library home page: https://registry.npmjs.org/http-signature/-/http-signature-0.10.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/http-signature/package.json

Dependency Hierarchy:

  • grunt-contrib-less-0.12.0.tgz (Root Library)
    • less-1.7.5.tgz
      • request-2.40.0.tgz
        • http-signature-0.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

http-signature versions before 1.0.0 are vulnerable to a timing attack, which may lead to information disclosure.

Publish Date: 2015-01-22

URL: WS-2017-0266

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2015-01-22

Fix Resolution (http-signature): 1.0.0

Direct dependency fix Resolution (grunt-contrib-less): 1.0.0



WS-2019-0063 (High) detected in multiple libraries

WS-2019-0063 - High Severity Vulnerability

Vulnerable Libraries - js-yaml-3.0.2.tgz, js-yaml-3.4.6.tgz, js-yaml-3.5.5.tgz, js-yaml-2.1.3.tgz, js-yaml-3.12.1.tgz, js-yaml-2.0.5.tgz, js-yaml-3.6.1.tgz

js-yaml-3.0.2.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.0.2.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/fs-utils/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • gray-matter-0.4.2.tgz
      • fs-utils-0.4.3.tgz
        • js-yaml-3.0.2.tgz (Vulnerable Library)

js-yaml-3.4.6.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.4.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/grunt-jscs/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-jscs-3.0.1.tgz (Root Library)
    • jscs-3.0.7.tgz
      • js-yaml-3.4.6.tgz (Vulnerable Library)

js-yaml-3.5.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-1.0.3.tgz (Root Library)
    • js-yaml-3.5.5.tgz (Vulnerable Library)

js-yaml-2.1.3.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.1.3.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/handlebars-helpers/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • js-yaml-2.1.3.tgz (Vulnerable Library)

js-yaml-3.12.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap/node_modules/cosmiconfig/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • stylelint-9.6.0.tgz (Root Library)
    • cosmiconfig-5.0.7.tgz
      • js-yaml-3.12.1.tgz (Vulnerable Library)

js-yaml-2.0.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.0.5.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • js-yaml-2.0.5.tgz (Vulnerable Library)

js-yaml-3.6.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/svgo/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-image-1.5.2.tgz (Root Library)
    • svgo-0.6.6.tgz
      • js-yaml-3.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

js-yaml versions prior to 3.13.1 are vulnerable to code injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (grunt): 1.0.4

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (stylelint): 9.7.0

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (grunt): 1.0.4

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (grunt-image): 4.1.0



CVE-2019-11358 (Medium) detected in multiple libraries

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-2.0.3.min.js, jquery-1.11.3.min.js, jquery-1.11.0.min.js, jquery-3.3.1.tgz

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/chart.js/samples/line-customTooltips.html

Path to vulnerable library: /evoting app/src/bower_components/chart.js/samples/line-customTooltips.html

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)

jquery-2.0.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.0.3/jquery.min.js

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/examples/area-as-line.html

Path to vulnerable library: /evoting app/src/bower_components/morris.js/examples/area-as-line.html

Dependency Hierarchy:

  • jquery-2.0.3.min.js (Vulnerable Library)

jquery-1.11.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-daterangepicker/demo.html

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-daterangepicker/demo.html

Dependency Hierarchy:

  • jquery-1.11.3.min.js (Vulnerable Library)

jquery-1.11.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.min.js

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/ckeditor/samples/old/jquery.html

Path to vulnerable library: /evoting app/src/bower_components/ckeditor/samples/old/jquery.html

Dependency Hierarchy:

  • jquery-1.11.0.min.js (Vulnerable Library)

jquery-3.3.1.tgz

JavaScript library for DOM operations

Library home page: https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/jquery/package.json

Dependency Hierarchy:

  • jquery-3.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0


WS-2019-0027 (Medium) detected in marked-0.2.10.tgz

WS-2019-0027 - Medium Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

In versions 0.3.17 and earlier of marked, four regexes were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential ReDoS attack.

Publish Date: 2018-02-26

URL: WS-2019-0027

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-02-26

Fix Resolution (marked): 0.3.18

Direct dependency fix Resolution (grunt-assemble): 0.6.0


CVE-2017-16137 (Low) detected in multiple libraries

CVE-2017-16137 - Low Severity Vulnerability

Vulnerable Libraries - debug-3.2.6.tgz, debug-4.1.1.tgz, debug-0.8.1.tgz, debug-0.7.4.tgz, debug-2.6.8.tgz, debug-2.6.7.tgz, debug-2.0.0.tgz, debug-2.2.0.tgz

debug-3.2.6.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-3.2.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap/node_modules/tiny-lr/node_modules/debug/package.json

Dependency Hierarchy:

  • lite-server-2.4.0.tgz (Root Library)
    • browser-sync-2.26.5.tgz
      • localtunnel-1.9.1.tgz
        • axios-0.17.1.tgz
          • follow-redirects-1.7.0.tgz
            • debug-3.2.6.tgz (Vulnerable Library)

debug-4.1.1.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-4.1.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap/node_modules/@babel/traverse/node_modules/debug/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • connect-2.4.6.tgz
      • debug-4.1.1.tgz (Vulnerable Library)

debug-0.8.1.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-0.8.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/select2/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/npm-registry/node_modules/debug/package.json

Dependency Hierarchy:

  • gulp-connect-2.0.6.tgz (Root Library)
    • tiny-lr-0.0.7.tgz
      • debug-0.8.1.tgz (Vulnerable Library)

debug-0.7.4.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-0.7.4.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/tiny-lr-fork/node_modules/debug/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • tiny-lr-0.0.4.tgz
      • debug-0.7.4.tgz (Vulnerable Library)

debug-2.6.8.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.6.8.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/bootlint/node_modules/debug/package.json

Dependency Hierarchy:

  • grunt-bootlint-0.9.1.tgz (Root Library)
    • bootlint-0.12.0.tgz
      • debug-2.6.8.tgz (Vulnerable Library)

debug-2.6.7.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.6.7.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/send/node_modules/debug/package.json

Dependency Hierarchy:

  • grunt-bootlint-0.9.1.tgz (Root Library)
    • bootlint-0.12.0.tgz
      • express-4.15.3.tgz
        • debug-2.6.7.tgz (Vulnerable Library)

debug-2.0.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.0.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/mocha/node_modules/debug/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • mocha-1.21.5.tgz
      • debug-2.0.0.tgz (Vulnerable Library)

debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/debug/package.json

Dependency Hierarchy:

  • grunt-contrib-connect-0.9.0.tgz (Root Library)
    • connect-2.30.2.tgz
      • debug-2.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (lite-server): 2.5.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (grunt): 0.4.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (gulp-connect): 2.1.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (grunt-contrib-watch): 0.6.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (grunt-bootlint): 0.10.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (grunt-mocha): 1.0.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (grunt-contrib-connect): 0.10.0


WS-2019-0064 (High) detected in handlebars-3.0.6.tgz

WS-2019-0064 - High Severity Vulnerability

Vulnerable Library - handlebars-3.0.6.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-3.0.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-3.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/

Release Date: 2019-01-30

Fix Resolution (handlebars): 3.0.7

Direct dependency fix Resolution (grunt-assemble): 0.5.0


CVE-2017-16119 (High) detected in multiple libraries

CVE-2017-16119 - High Severity Vulnerability

Vulnerable Libraries - fresh-0.5.0.tgz, fresh-0.3.0.tgz, fresh-0.1.0.tgz

fresh-0.5.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.5.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/fresh/package.json

Dependency Hierarchy:

  • grunt-bootlint-0.9.1.tgz (Root Library)
    • bootlint-0.12.0.tgz
      • express-4.15.3.tgz
        • fresh-0.5.0.tgz (Vulnerable Library)

fresh-0.3.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/chart.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/chart.js/node_modules/fresh/package.json

Dependency Hierarchy:

  • grunt-contrib-connect-0.9.0.tgz (Root Library)
    • connect-2.30.2.tgz
      • fresh-0.3.0.tgz (Vulnerable Library)

fresh-0.1.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.1.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/fresh/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • connect-2.4.6.tgz
      • fresh-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/526

Release Date: 2018-04-26

Fix Resolution (fresh): 0.5.2

Direct dependency fix Resolution (grunt-bootlint): 0.10.0

Fix Resolution (fresh): 0.5.2

Direct dependency fix Resolution (grunt-contrib-connect): 0.11.0

Fix Resolution (fresh): 0.5.2

Direct dependency fix Resolution (grunt): 0.4.0


CVE-2017-16115 (High) detected in timespan-2.3.0.tgz

CVE-2017-16115 - High Severity Vulnerability

Vulnerable Library - timespan-2.3.0.tgz

A JavaScript TimeSpan library for node.js (and soon the browser)

Library home page: https://registry.npmjs.org/timespan/-/timespan-2.3.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/timespan/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • prompt-0.1.12.tgz
      • winston-0.5.11.tgz
        • loggly-0.3.11.tgz
          • timespan-2.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

Publish Date: 2018-06-07

URL: CVE-2017-16115

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


WS-2019-0026 (Medium) detected in marked-0.2.10.tgz

WS-2019-0026 - Medium Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

Versions 0.3.7 and earlier of marked support unescaping of only lowercase, which may lead to XSS.

Publish Date: 2017-12-23

URL: WS-2019-0026

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2017-12-23

Fix Resolution (marked): 0.3.9

Direct dependency fix Resolution (grunt-assemble): 0.6.0


WS-2019-0025 (Medium) detected in marked-0.2.10.tgz

WS-2019-0025 - Medium Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

Versions 0.3.7 and earlier of marked do not escape the target href when mangling is disabled via the mangle option. They are vulnerable to XSS, which allows an attacker to inject arbitrary code.

Publish Date: 2017-12-23

URL: WS-2019-0025

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2017-12-23

Fix Resolution (marked): 0.3.9

Direct dependency fix Resolution (grunt-assemble): 0.6.0


WS-2014-0005 (High) detected in multiple libraries

WS-2014-0005 - High Severity Vulnerability

Vulnerable Libraries - qs-0.6.6.tgz, qs-0.5.1.tgz, qs-0.5.6.tgz, qs-0.1.0.tgz

qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/qs/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • request-2.27.0.tgz
      • qs-0.6.6.tgz (Vulnerable Library)

qs-0.5.1.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • connect-2.4.6.tgz
      • qs-0.5.1.tgz (Vulnerable Library)

qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/tiny-lr/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • tiny-lr-0.0.4.tgz
      • qs-0.5.6.tgz (Vulnerable Library)

qs-0.1.0.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.1.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/select2/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/q-io/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-gh-pages-0.9.1.tgz (Root Library)
    • q-io-1.6.5.tgz
      • qs-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

Denial-of-Service Extended Event Loop Blocking. The qs module does not have an option or default for specifying object depth, and when parsing a string representing a deeply nested object it will block the event loop for long periods of time.

Publish Date: 2014-07-31

URL: WS-2014-0005

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2014-0005

Release Date: 2014-07-31

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (bower): 1.3.10

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt): 0.4.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-gh-pages): 3.1.0


CVE-2015-8858 (High) detected in multiple libraries

CVE-2015-8858 - High Severity Vulnerability

Vulnerable Libraries - uglify-js-2.3.6.tgz, uglify-js-2.4.24.tgz, uglify-js-1.3.5.tgz

uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • handlebars-1.3.0.tgz
          • uglify-js-2.3.6.tgz (Vulnerable Library)

uglify-js-2.4.24.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/grunt-contrib-uglify/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-contrib-uglify-0.2.7.tgz (Root Library)
    • uglify-js-2.4.24.tgz (Vulnerable Library)

uglify-js-1.3.5.tgz

JavaScript parser and compressor/beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.3.5.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • uglify-js-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution (uglify-js): 2.6.0

Direct dependency fix Resolution (grunt-assemble): 0.6.0

Fix Resolution (uglify-js): 2.6.0

Direct dependency fix Resolution (grunt-contrib-uglify): 0.4.0

Fix Resolution (uglify-js): 2.6.0

Direct dependency fix Resolution (grunt): 0.4.0


WS-2016-0012 (Medium) detected in grunt-gh-pages-0.9.1.tgz - autoclosed

WS-2016-0012 - Medium Severity Vulnerability

Vulnerable Library - grunt-gh-pages-0.9.1.tgz

Publish to GitHub Pages with Grunt.

Library home page: http://registry.npmjs.org/grunt-gh-pages/-/grunt-gh-pages-0.9.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/select2/package.json

Path to vulnerable library: /E-voting-using-blockchain/evoting app/src/bower_components/select2/node_modules/grunt-gh-pages/package.json

Dependency Hierarchy:

  • grunt-gh-pages-0.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Vulnerability Details

Authentication credentials logged in clear text. In module versions before 0.9.1 the auth portion of the URL is output as part of the grunt task's logging function. If this output is publicly available then the credentials should be considered compromised.

Publish Date: 2016-03-16

URL: WS-2016-0012

CVSS 2 Score Details (6.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/85

Release Date: 2017-01-31

Fix Resolution: 0.9.1


WS-2018-0031 (High) detected in marked-0.2.10.tgz

WS-2018-0031 - High Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The affected versions (through 0.3.5) of the marked package are vulnerable to cross-site scripting (XSS) due to a sanitization bypass using HTML entities.

Publish Date: 2018-03-23

URL: WS-2018-0031

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-23

Fix Resolution (marked): 0.3.6

Direct dependency fix Resolution (grunt-assemble): 0.6.0


WS-2013-0004 (Medium) detected in connect-2.4.6.tgz

WS-2013-0004 - Medium Severity Vulnerability

Vulnerable Library - connect-2.4.6.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.4.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/connect/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • connect-2.4.6.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The "methodOverride" middleware lets an HTTP POST override the method of the request with the value of the post key or with the header, which allows an XSS attack.

Publish Date: 2013-06-27

URL: WS-2013-0004

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2013-06-27

Fix Resolution (connect): 2.8.1

Direct dependency fix Resolution (grunt): 0.4.0


CVE-2013-7371 (Medium) detected in connect-2.4.6.tgz

CVE-2013-7371 - Medium Severity Vulnerability

Vulnerable Library - connect-2.4.6.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.4.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/connect/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • connect-2.4.6.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

node-connects before 2.8.2 has cross-site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370).

Publish Date: 2019-12-11

URL: CVE-2013-7371

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7371

Release Date: 2019-12-11

Fix Resolution (connect): 2.8.1

Direct dependency fix Resolution (grunt): 0.4.0


WS-2017-0108 (High) detected in marked-0.2.10.tgz - autoclosed

WS-2017-0108 - High Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /tmp/git/E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Vulnerability Details

Marked 0.3.6 and earlier is vulnerable to XSS attacks via Data URIs.

Publish Date: 2017-01-30

URL: WS-2017-0108

CVSS 2 Score Details (7.3)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: markedjs/marked@cd2f6f5

Release Date: 2017-01-19

Fix Resolution: Replace or update the following files: links.sanitize.html, marked.js, links.sanitize.text


CVE-2018-3717 (Medium) detected in connect-2.4.6.tgz

CVE-2018-3717 - Medium Severity Vulnerability

Vulnerable Library - connect-2.4.6.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.4.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/connect/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • connect-2.4.6.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.

Publish Date: 2018-06-07

URL: CVE-2018-3717

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3717

Release Date: 2018-06-07

Fix Resolution (connect): 2.14.0

Direct dependency fix Resolution (grunt): 0.4.0


CVE-2017-16028 (Medium) detected in randomatic-1.1.7.tgz

CVE-2017-16028 - Medium Severity Vulnerability

Vulnerable Library - randomatic-1.1.7.tgz

Generate randomized strings of a specified length, fast. Only the length is necessary, but you can optionally generate patterns using any combination of numeric, alpha-numeric, alphabetical, special or custom characters.

Library home page: https://registry.npmjs.org/randomatic/-/randomatic-1.1.7.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/randomatic/package.json

Dependency Hierarchy:

  • grunt-image-1.5.2.tgz (Root Library)
    • advpng-bin-3.0.0.tgz
      • bin-build-2.2.0.tgz
        • decompress-3.0.0.tgz
          • vinyl-fs-2.4.4.tgz
            • glob-stream-5.3.5.tgz
              • micromatch-2.3.11.tgz
                • braces-1.8.5.tgz
                  • expand-range-1.8.2.tgz
                    • fill-range-2.2.3.tgz
                      • randomatic-1.1.7.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

Publish Date: 2018-06-04

URL: CVE-2017-16028

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/157/versions

Release Date: 2018-04-26

Fix Resolution (randomatic): 3.0.0

Direct dependency fix Resolution (grunt-image): 2.0.0


CVE-2014-1850 (High) detected in marked-0.2.10.tgz - autoclosed

CVE-2014-1850 - High Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /tmp/git/E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Vulnerability Details

Marked comes with an option to sanitize user output to help protect against content injection attacks (i.e. sanitize: true). Even if this option is set, marked before version 0.3.1 is vulnerable to content injection in multiple locations if untrusted user input is allowed to be provided into marked and that output is passed to the browser. Injection is possible in two locations: gfm codeblocks (language) and javascript URLs.

Publish Date: 2014-02-02

URL: CVE-2014-1850

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/22

Release Date: 2014-01-31

Fix Resolution: Upgrade to version 0.3.1 or later


WS-2018-0590 (High) detected in diff-1.0.8.tgz, diff-1.4.0.tgz

WS-2018-0590 - High Severity Vulnerability

Vulnerable Libraries - diff-1.0.8.tgz, diff-1.4.0.tgz

diff-1.0.8.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.0.8.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/diff/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • mocha-1.21.5.tgz
      • diff-1.0.8.tgz (Vulnerable Library)

diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/tap-mocha-reporter/node_modules/diff/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • nodeunit-0.7.4.tgz
      • tap-14.2.2.tgz
        • tap-mocha-reporter-4.0.1.tgz
          • diff-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (grunt-mocha): 1.0.3

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (grunt): 0.4.0


CVE-2018-3745 (Critical) detected in atob-1.1.3.tgz

CVE-2018-3745 - Critical Severity Vulnerability

Vulnerable Library - atob-1.1.3.tgz

atob for Node.JS and Linux / Mac / Windows CLI (it's a one-liner)

Library home page: https://registry.npmjs.org/atob/-/atob-1.1.3.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/atob/package.json

Dependency Hierarchy:

  • R2-1.4.3.tgz (Root Library)
    • css-2.0.0.tgz
      • source-map-resolve-0.1.4.tgz
        • atob-1.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

atob 2.0.3 and earlier allocates uninitialized Buffers when a number is passed as input on Node.js 4.x and below.

Publish Date: 2018-05-29

URL: CVE-2018-3745

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/321686

Release Date: 2018-05-29

Fix Resolution: atob - 2.1.0


CVE-2016-10526 (High) detected in grunt-gh-pages-0.9.1.tgz

CVE-2016-10526 - High Severity Vulnerability

Vulnerable Library - grunt-gh-pages-0.9.1.tgz

Publish to GitHub Pages with Grunt.

Library home page: https://registry.npmjs.org/grunt-gh-pages/-/grunt-gh-pages-0.9.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/select2/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/grunt-gh-pages/package.json

Dependency Hierarchy:

  • grunt-gh-pages-0.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.

Publish Date: 2018-05-31

URL: CVE-2016-10526

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10526

Release Date: 2018-05-31

Fix Resolution: 0.10.0


CVE-2018-16487 (Medium) detected in multiple libraries

CVE-2018-16487 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-1.3.1.tgz, lodash-1.2.1.tgz, lodash-2.2.1.tgz, lodash-1.0.2.tgz, lodash-3.10.1.tgz, lodash-3.7.0.tgz, lodash-4.6.1.tgz, lodash-0.9.2.tgz, lodash-2.4.2.tgz

lodash-1.3.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.3.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/matchkeys/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • matchkeys-0.1.3.tgz
          • lodash-1.3.1.tgz (Vulnerable Library)

lodash-1.2.1.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.2.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/lodash/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • inquirer-0.3.5.tgz
      • lodash-1.2.1.tgz (Vulnerable Library)

lodash-2.2.1.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.2.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/handlebars-helpers/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • lodash-2.2.1.tgz (Vulnerable Library)

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/chart.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • gaze-0.4.3.tgz
      • globule-0.1.0.tgz
        • lodash-1.0.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/chart.js/package.json

Path to vulnerable library: /evoting app/src/node_modules/grunt-contrib-csslint/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

lodash-3.7.0.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/jshint/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-contrib-jshint-0.11.3.tgz (Root Library)
    • jshint-2.8.0.tgz
      • lodash-3.7.0.tgz (Vulnerable Library)

lodash-4.6.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.6.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-datepicker/package.json

Path to vulnerable library: /evoting app/src/node_modules/grunt-jscs/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-jscs-3.0.1.tgz (Root Library)
    • lodash-4.6.1.tgz (Vulnerable Library)

lodash-0.9.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-0.9.2.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/grunt/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • lodash-0.9.2.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/fs-utils/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/380873

Release Date: 2019-02-01

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (bower): 1.7.5

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.1

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-mocha): 1.2.0

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-contrib-jshint): 0.12.0

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt): 1.0.3


CVE-2015-8854 (High) detected in marked-0.2.10.tgz

CVE-2015-8854 - High Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8854

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8854

Release Date: 2017-01-23

Fix Resolution (marked): 0.3.4

Direct dependency fix Resolution (grunt-assemble): 0.6.0


WS-2013-0003 (Medium) detected in connect-2.4.6.tgz

WS-2013-0003 - Medium Severity Vulnerability

Vulnerable Library - connect-2.4.6.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.4.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/connect/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • connect-2.4.6.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

senchalabs/connect prior to 2.8.1 is vulnerable to XSS attacks.

Publish Date: 2013-06-27

URL: WS-2013-0003

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2013-0003

Release Date: 2013-06-27

Fix Resolution (connect): 2.8.1

Direct dependency fix Resolution (grunt): 0.4.0


CVE-2015-9251 (Medium) detected in multiple libraries

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.9.0.min.js, jquery-2.1.3.min.js, jquery-2.0.3.min.js, jquery-1.11.3.min.js, jquery-1.11.0.min.js

jquery-1.9.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.0/jquery.min.js

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-knob/index.html

Path to vulnerable library: /evoting app/src/bower_components/jquery-knob/index.html,/evoting app/src/bower_components/jquery-slimscroll/examples/scrollbar.html

Dependency Hierarchy:

  • jquery-1.9.0.min.js (Vulnerable Library)

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/chart.js/samples/line-customTooltips.html

Path to vulnerable library: /evoting app/src/bower_components/chart.js/samples/line-customTooltips.html

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)

jquery-2.0.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.0.3/jquery.min.js

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/examples/area-as-line.html

Path to vulnerable library: /evoting app/src/bower_components/morris.js/examples/area-as-line.html

Dependency Hierarchy:

  • jquery-2.0.3.min.js (Vulnerable Library)

jquery-1.11.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-daterangepicker/demo.html

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-daterangepicker/demo.html

Dependency Hierarchy:

  • jquery-1.11.3.min.js (Vulnerable Library)

jquery-1.11.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.min.js

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/ckeditor/samples/old/jquery.html

Path to vulnerable library: /evoting app/src/bower_components/ckeditor/samples/old/jquery.html

Dependency Hierarchy:

  • jquery-1.11.0.min.js (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0


WS-2018-0076 (Medium) detected in tunnel-agent-0.4.3.tgz, tunnel-agent-0.3.0.tgz

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Libraries - tunnel-agent-0.4.3.tgz, tunnel-agent-0.3.0.tgz

tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/phantomjs/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • grunt-lib-phantomjs-0.7.1.tgz
      • phantomjs-1.9.20.tgz
        • request-2.67.0.tgz
          • tunnel-agent-0.4.3.tgz (Vulnerable Library)

tunnel-agent-0.3.0.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.3.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • request-2.27.0.tgz
      • tunnel-agent-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2017-03-05

Fix Resolution (tunnel-agent): 0.6.0

Direct dependency fix Resolution (grunt-mocha): 1.0.0

Fix Resolution (tunnel-agent): 0.6.0

Direct dependency fix Resolution (bower): 1.7.5


WS-2015-0017 (Medium) detected in multiple libraries - autoclosed

WS-2015-0017 - Medium Severity Vulnerability

Vulnerable Libraries - uglify-js-2.3.6.tgz, uglify-js-2.4.24.tgz, uglify-js-1.3.5.tgz

uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /tmp/git/E-voting-using-blockchain/evoting app/src/bower_components/morris.js/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • handlebars-1.3.0.tgz
          • uglify-js-2.3.6.tgz (Vulnerable Library)

uglify-js-2.4.24.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /tmp/git/E-voting-using-blockchain/evoting app/src/bower_components/morris.js/node_modules/grunt-contrib-uglify/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-contrib-uglify-0.2.7.tgz (Root Library)
    • uglify-js-2.4.24.tgz (Vulnerable Library)

uglify-js-1.3.5.tgz

JavaScript parser and compressor/beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.3.5.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /tmp/git/E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • uglify-js-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Vulnerability Details

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later


WS-2015-0049 (Medium) detected in marked-0.2.10.tgz - autoclosed

WS-2015-0049 - Medium Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /tmp/git/E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Vulnerability Details

Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set.

Publish Date: 2019-03-17

URL: WS-2015-0049

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/24/versions

Release Date: 2019-03-17

Fix Resolution: 03.3


CVE-2015-8857 (Critical) detected in uglify-js-2.3.6.tgz, uglify-js-1.3.5.tgz

CVE-2015-8857 - Critical Severity Vulnerability

Vulnerable Libraries - uglify-js-2.3.6.tgz, uglify-js-1.3.5.tgz

uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • handlebars-1.3.0.tgz
          • uglify-js-2.3.6.tgz (Vulnerable Library)

uglify-js-1.3.5.tgz

JavaScript parser and compressor/beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.3.5.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • uglify-js-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2017-01-23

Fix Resolution (uglify-js): 2.4.24

Direct dependency fix Resolution (grunt-assemble): 0.6.0

Fix Resolution (uglify-js): 2.4.24

Direct dependency fix Resolution (grunt): 0.4.0


CVE-2018-16492 (Critical) detected in extend-3.0.1.tgz, extend-1.2.1.tgz

CVE-2018-16492 - Critical Severity Vulnerability

Vulnerable Libraries - extend-3.0.1.tgz, extend-1.2.1.tgz

extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/extend/package.json

Dependency Hierarchy:

  • less-2.7.3.tgz (Root Library)
    • request-2.81.0.tgz
      • extend-3.0.1.tgz (Vulnerable Library)

extend-1.2.1.tgz

Port of jQuery.extend for Node.js

Library home page: https://registry.npmjs.org/extend/-/extend-1.2.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/chart.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/chart.js/node_modules/extend/package.json

Dependency Hierarchy:

  • gulp-3.5.6.tgz (Root Library)
    • liftoff-0.9.8.tgz
      • extend-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (less): 3.0.0

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (gulp): 3.6.0


CVE-2014-10064 (High) detected in multiple libraries

CVE-2014-10064 - High Severity Vulnerability

Vulnerable Libraries - qs-0.6.6.tgz, qs-0.5.1.tgz, qs-0.5.6.tgz, qs-0.1.0.tgz

qs-0.6.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.6.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/qs/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • request-2.27.0.tgz
      • qs-0.6.6.tgz (Vulnerable Library)

qs-0.5.1.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • connect-2.4.6.tgz
      • qs-0.5.1.tgz (Vulnerable Library)

qs-0.5.6.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/bower_components/morris.js/node_modules/tiny-lr/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • tiny-lr-0.0.4.tgz
      • qs-0.5.6.tgz (Vulnerable Library)

qs-0.1.0.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.1.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/select2/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/q-io/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-gh-pages-0.9.1.tgz (Root Library)
    • q-io-1.6.5.tgz
      • qs-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth, and when parsing a string representing a deeply nested object it will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition; for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-05-31

URL: CVE-2014-10064

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10064

Release Date: 2018-04-26

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (bower): 1.3.10

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt): 0.4.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.0

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (grunt-gh-pages): 3.1.0


CVE-2018-3728 (High) detected in hoek-2.16.3.tgz, hoek-0.9.1.tgz

CVE-2018-3728 - High Severity Vulnerability

Vulnerable Libraries - hoek-2.16.3.tgz, hoek-0.9.1.tgz

hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-datepicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-datepicker/node_modules/hoek/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • grunt-lib-phantomjs-0.7.1.tgz
      • phantomjs-1.9.20.tgz
        • request-2.67.0.tgz
          • hawk-3.1.3.tgz
            • hoek-2.16.3.tgz (Vulnerable Library)

hoek-0.9.1.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-0.9.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/node_modules/hoek/package.json

Dependency Hierarchy:

  • grunt-contrib-less-0.12.0.tgz (Root Library)
    • less-1.7.5.tgz
      • request-2.40.0.tgz
        • hawk-1.1.1.tgz
          • hoek-0.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (grunt-mocha): 1.0.0

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (grunt-contrib-less): 1.0.1


WS-2017-0247 (High) detected in multiple libraries - autoclosed

WS-2017-0247 - High Severity Vulnerability

Vulnerable Libraries - ms-0.7.2.tgz, ms-0.6.2.tgz, ms-0.7.1.tgz

ms-0.7.2.tgz

Tiny millisecond conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/chart.js/package.json

Path to vulnerable library: E-voting-using-blockchain/evoting app/src/bower_components/chart.js/node_modules/serve-favicon/node_modules/ms/package.json

Dependency Hierarchy:

  • gulp-connect-2.0.6.tgz (Root Library)
    • connect-2.30.2.tgz
      • serve-favicon-2.3.2.tgz
        • ms-0.7.2.tgz (Vulnerable Library)

ms-0.6.2.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: E-voting-using-blockchain/evoting app/src/bower_components/morris.js/node_modules/ms/package.json

Dependency Hierarchy:

  • grunt-mocha-0.4.15.tgz (Root Library)
    • mocha-1.21.5.tgz
      • debug-2.0.0.tgz
        • ms-0.6.2.tgz (Vulnerable Library)

ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/chart.js/package.json

Path to vulnerable library: E-voting-using-blockchain/evoting app/src/bower_components/select2/node_modules/ms/package.json

Dependency Hierarchy:

  • gulp-connect-2.0.6.tgz (Root Library)
    • connect-2.30.2.tgz
      • connect-timeout-1.6.2.tgz
        • ms-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1


CVE-2016-10540 (High) detected in multiple libraries

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-2.0.10.tgz, minimatch-0.3.0.tgz, minimatch-0.2.14.tgz, minimatch-1.0.0.tgz

minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/node_modules/bootlint/node_modules/minimatch/package.json

Dependency Hierarchy:

  • gulp-3.5.6.tgz (Root Library)
    • vinyl-fs-0.1.4.tgz
      • glob-stream-3.1.18.tgz
        • minimatch-2.0.10.tgz (Vulnerable Library)

minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/cli/node_modules/minimatch/package.json

Dependency Hierarchy:

  • gulp-3.5.6.tgz (Root Library)
    • liftoff-0.9.8.tgz
      • findup-sync-0.1.3.tgz
        • glob-3.2.11.tgz
          • minimatch-0.3.0.tgz (Vulnerable Library)

minimatch-0.2.14.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/chart.js/node_modules/globule/node_modules/minimatch/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-0.5.3.tgz (Root Library)
    • gaze-0.4.3.tgz
      • globule-0.1.0.tgz
        • minimatch-0.2.14.tgz (Vulnerable Library)

minimatch-1.0.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-1.0.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/select2/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/jshint/node_modules/minimatch/package.json

Dependency Hierarchy:

  • grunt-contrib-jshint-0.10.0.tgz (Root Library)
    • jshint-2.5.11.tgz
      • minimatch-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-04-26

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-04-26

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (grunt-contrib-watch): 1.0.0

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (grunt-contrib-jshint): 0.11.1


CVE-2013-7370 (Medium) detected in connect-2.4.6.tgz

CVE-2013-7370 - Medium Severity Vulnerability

Vulnerable Library - connect-2.4.6.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-2.4.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/connect/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • connect-2.4.6.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware.

Publish Date: 2019-12-11

URL: CVE-2013-7370

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7370

Release Date: 2019-12-11

Fix Resolution (connect): 2.8.1

Direct dependency fix Resolution (grunt): 0.4.0


WS-2018-0103 (Medium) detected in stringstream-0.0.5.tgz

WS-2018-0103 - Medium Severity Vulnerability

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/stringstream/package.json

Dependency Hierarchy:

  • less-2.7.3.tgz (Root Library)
    • request-2.81.0.tgz
      • stringstream-0.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

All versions of stringstream are vulnerable to an out-of-bounds read, as it allocates uninitialized Buffers when a number is passed in the input stream on Node.js 4.x and below.

Publish Date: 2018-05-16

URL: WS-2018-0103

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/664

Release Date: 2018-01-27

Fix Resolution (stringstream): 0.0.6

Direct dependency fix Resolution (less): 3.0.0


CVE-2017-16114 (High) detected in marked-0.2.10.tgz

CVE-2017-16114 - High Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

Publish Date: 2018-06-07

URL: CVE-2017-16114

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/531/versions

Release Date: 2018-04-26

Fix Resolution (marked): 0.3.9

Direct dependency fix Resolution (grunt-assemble): 0.6.0


WS-2015-0003 (Medium) detected in handlebars-1.3.0.tgz, handlebars-1.0.12.tgz - autoclosed

WS-2015-0003 - Medium Severity Vulnerability

Vulnerable Libraries - handlebars-1.3.0.tgz, handlebars-1.0.12.tgz

handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /tmp/git/E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/node_modules/handlebars-helpers/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • handlebars-1.3.0.tgz (Vulnerable Library)

handlebars-1.0.12.tgz

Extension of the Mustache logicless template language

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.0.12.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /tmp/git/E-voting-using-blockchain/evoting app/src/bower_components/morris.js/node_modules/handlebars/package.json

Dependency Hierarchy:

  • bower-1.2.8.tgz (Root Library)
    • handlebars-1.0.12.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Vulnerability Details

Quoteless Attributes in Templates can lead to Content Injection

Publish Date: 2015-12-14

URL: WS-2015-0003

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/61

Release Date: 2015-12-14

Fix Resolution: If you are unable to upgrade to version 4.0.0 or greater you can add quotes to your attributes in your handlebar templates.


WS-2019-0032 (High) detected in multiple libraries

WS-2019-0032 - High Severity Vulnerability

Vulnerable Libraries - js-yaml-3.0.2.tgz, js-yaml-3.4.6.tgz, js-yaml-3.5.5.tgz, js-yaml-2.1.3.tgz, js-yaml-3.12.1.tgz, js-yaml-2.0.5.tgz, js-yaml-3.6.1.tgz

js-yaml-3.0.2.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.0.2.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/fs-utils/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • gray-matter-0.4.2.tgz
      • fs-utils-0.4.3.tgz
        • js-yaml-3.0.2.tgz (Vulnerable Library)

js-yaml-3.4.6.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.4.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/grunt-jscs/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-jscs-3.0.1.tgz (Root Library)
    • jscs-3.0.7.tgz
      • js-yaml-3.4.6.tgz (Vulnerable Library)

js-yaml-3.5.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-1.0.3.tgz (Root Library)
    • js-yaml-3.5.5.tgz (Vulnerable Library)

js-yaml-2.1.3.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.1.3.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/handlebars-helpers/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • js-yaml-2.1.3.tgz (Vulnerable Library)

js-yaml-3.12.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap/node_modules/cosmiconfig/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • stylelint-9.6.0.tgz (Root Library)
    • cosmiconfig-5.0.7.tgz
      • js-yaml-3.12.1.tgz (Vulnerable Library)

js-yaml-2.0.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.0.5.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/morris.js/package.json

Path to vulnerable library: /evoting app/src/bower_components/bootstrap-colorpicker/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • js-yaml-2.0.5.tgz (Vulnerable Library)

js-yaml-3.6.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/package.json

Path to vulnerable library: /evoting app/src/node_modules/svgo/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-image-1.5.2.tgz (Root Library)
    • svgo-0.6.6.tgz
      • js-yaml-3.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (grunt): 1.0.4

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (stylelint): 9.7.0

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (grunt): 1.0.4

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (grunt-image): 4.1.0


CVE-2016-10538 (Low) detected in cli-0.6.6.tgz, cli-0.4.3.tgz

CVE-2016-10538 - Low Severity Vulnerability

Vulnerable Libraries - cli-0.6.6.tgz, cli-0.4.3.tgz

cli-0.6.6.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.6.6.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/select2/package.json

Path to vulnerable library: /evoting app/src/bower_components/select2/node_modules/cli/package.json

Dependency Hierarchy:

  • grunt-contrib-jshint-0.11.3.tgz (Root Library)
    • jshint-2.8.0.tgz
      • cli-0.6.6.tgz (Vulnerable Library)

cli-0.4.3.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.4.3.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/jquery-ui/package.json

Path to vulnerable library: /evoting app/src/bower_components/jquery-ui/node_modules/cli/package.json

Dependency Hierarchy:

  • grunt-0.3.17.tgz (Root Library)
    • jshint-0.9.1.tgz
      • cli-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Found in base branch: master

Vulnerability Details

The package node-cli before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2018-05-31

URL: CVE-2016-10538

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10538

Release Date: 2018-05-31

Fix Resolution (cli): 1.0.0

Direct dependency fix Resolution (grunt-contrib-jshint): 0.12.0

Fix Resolution (cli): 1.0.0

Direct dependency fix Resolution (grunt): 0.4.0


WS-2015-0020 (High) detected in marked-0.2.10.tgz - autoclosed

WS-2015-0020 - High Severity Vulnerability

Vulnerable Library - marked-0.2.10.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.2.10.tgz

Path to dependency file: /E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/package.json

Path to vulnerable library: E-voting-using-blockchain/evoting app/src/bower_components/bootstrap-colorpicker/node_modules/marked/package.json

Dependency Hierarchy:

  • grunt-assemble-0.4.0.tgz (Root Library)
    • assemble-handlebars-0.3.0.tgz
      • handlebars-helpers-0.5.8.tgz
        • marked-0.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 3c02898f89d78283ce791eb1b53b2b5a667681ad

Vulnerability Details

Marked is an application that is meant to parse and compile markdown. Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL.

Publish Date: 2015-05-20

URL: WS-2015-0020

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2015-0020

Release Date: 2015-05-20

Fix Resolution: MIDIator.WebClient - 1.0.105;AvailableLight - 1.0.8;z4a-dotnet-scaffold - 1.0.0.3;Raml.Parser - 1.0.7;marked - 0.3.6

