kreshnik / ninjecture Goto Github PK

Vulnerable Library - cli-0.10.0.tgz

A tool for rapidly building command line apps

path: /ninjecture/node_modules/cli/package.json

Library home page: http://registry.npmjs.org/cli/-/cli-0.10.0.tgz

Dependency Hierarchy:

• ❌ cli-0.10.0.tgz (Vulnerable Library)

Vulnerability Details

The package node-cli before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2018-05-31

URL: CVE-2016-10538

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/95

Release Date: 2016-06-15

Fix Resolution: Update to version 1.0.0 or later.

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /ninjecture/node_modules/micromatch/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

• ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Vulnerable Library - concat-stream-1.4.11.tgz

writable stream that concatenates strings or binary data and calls a callback with the result

path: /ninjecture/node_modules/concat-stream/package.json

Library home page: https://registry.npmjs.org/concat-stream/-/concat-stream-1.4.11.tgz

Dependency Hierarchy:

• ❌ concat-stream-1.4.11.tgz (Vulnerable Library)

Vulnerability Details

Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if userp provided input is passed into write()

Versions <1.3.0 are not affected due to not using unguarded Buffer constructor.

Publish Date: 2018-04-25

URL: WS-2018-0075

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Vulnerable Library - node-sassv4.9.4

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Library Source Files (43)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/sass_context_wrapper.h
• /ninjecture/node_modules/node-sass/src/sass_types/map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/b64/encode.h
• /ninjecture/node_modules/node-sass/src/libsass/src/base64vlq.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/c99func.c
• /ninjecture/node_modules/node-sass/src/libsass/test/test_subset_map.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/color.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/backtrace.hpp
• /ninjecture/node_modules/node-sass/src/custom_function_bridge.cpp
• /ninjecture/node_modules/node-sass/src/libsass/test/test_node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/paths.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.hpp
• /ninjecture/node_modules/node-sass/src/sass_types/number.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/boolean.h
• /ninjecture/node_modules/node-sass/src/sass_context_wrapper.cpp
• /ninjecture/node_modules/node-sass/src/custom_importer_bridge.cpp
• /ninjecture/node_modules/node-sass/src/binding.cpp
• /ninjecture/node_modules/node-sass/src/libsass/test/test_unification.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/position.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/plugins.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /ninjecture/node_modules/node-sass/src/sass_types/list.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/position.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/null.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/string.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/boolean.cpp
• /ninjecture/node_modules/node-sass/src/libsass/contrib/plugin.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/plugins.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.cpp
• /ninjecture/node_modules/node-sass/src/custom_importer_bridge.h
• /ninjecture/node_modules/node-sass/src/sass_types/color.h
• /ninjecture/node_modules/node-sass/src/libsass/test/test_superselector.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/utf8_string.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cencode.c
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debug.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/utf8_string.hpp
• /ninjecture/node_modules/node-sass/src/sass_types/factory.cpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/functions.h
• /ninjecture/node_modules/node-sass/src/callback_bridge.h
• /ninjecture/node_modules/node-sass/src/sass_types/list.cpp

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6283

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - libsass3.4.1

A C/C++ implementation of a Sass compiler

Library home page: https://github.com/sass/libsass.git

Library Source Files (72)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/output.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debugger.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_factory.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/base.h
• /ninjecture/node_modules/node-sass/src/libsass/src/output.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/operation.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/values.h
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass2scss.h
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/context.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/json.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/bind.cpp

Vulnerability Details

In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters.

Publish Date: 2018-12-03

URL: CVE-2018-19826

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - symfony/routing-v2.7.5

The Routing component maps an HTTP request to a set of configuration variables.

path: null

Dependency Hierarchy:

• laravel/framework-v5.1.20 (Root Library)
  • ❌ symfony/routing-v2.7.5 (Vulnerable Library)

Vulnerability Details

Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a /_internal substring.

Publish Date: 2012-12-27

URL: CVE-2012-6432

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

path: /ninjecture/node_modules/cryptiles/package.json

Library home page: http://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Dependency Hierarchy:

• ❌ cryptiles-2.0.5.tgz (Vulnerable Library)

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - symfony/http-foundation-v2.7.5

The HttpFoundation component defines an object-oriented layer for the HTTP specification.

path: null

Dependency Hierarchy:

• laravel/framework-v5.1.20 (Root Library)
  • symfony/http-kernel-v2.7.5
    • ❌ symfony/http-foundation-v2.7.5 (Vulnerable Library)

Vulnerability Details

An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.

Publish Date: 2018-08-03

URL: CVE-2018-14773

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041405

Fix Resolution: The vendor has issued a fix (8.5.6).

The vendor advisory is available at:

https://www.drupal.org/SA-CORE-2018-005

Vulnerable Library - node-sassv4.9.4

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Library Source Files (43)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/sass_context_wrapper.h
• /ninjecture/node_modules/node-sass/src/sass_types/map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/b64/encode.h
• /ninjecture/node_modules/node-sass/src/libsass/src/base64vlq.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/c99func.c
• /ninjecture/node_modules/node-sass/src/libsass/test/test_subset_map.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/color.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/backtrace.hpp
• /ninjecture/node_modules/node-sass/src/custom_function_bridge.cpp
• /ninjecture/node_modules/node-sass/src/libsass/test/test_node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/paths.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.hpp
• /ninjecture/node_modules/node-sass/src/sass_types/number.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/boolean.h
• /ninjecture/node_modules/node-sass/src/sass_context_wrapper.cpp
• /ninjecture/node_modules/node-sass/src/custom_importer_bridge.cpp
• /ninjecture/node_modules/node-sass/src/binding.cpp
• /ninjecture/node_modules/node-sass/src/libsass/test/test_unification.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/position.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/plugins.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /ninjecture/node_modules/node-sass/src/sass_types/list.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/position.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/null.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/string.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/boolean.cpp
• /ninjecture/node_modules/node-sass/src/libsass/contrib/plugin.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/plugins.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.cpp
• /ninjecture/node_modules/node-sass/src/custom_importer_bridge.h
• /ninjecture/node_modules/node-sass/src/sass_types/color.h
• /ninjecture/node_modules/node-sass/src/libsass/test/test_superselector.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/utf8_string.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cencode.c
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debug.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/utf8_string.hpp
• /ninjecture/node_modules/node-sass/src/sass_types/factory.cpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/functions.h
• /ninjecture/node_modules/node-sass/src/callback_bridge.h
• /ninjecture/node_modules/node-sass/src/sass_types/list.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11693

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - node-sassv4.9.4

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Library Source Files (43)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/sass_context_wrapper.h
• /ninjecture/node_modules/node-sass/src/sass_types/map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/b64/encode.h
• /ninjecture/node_modules/node-sass/src/libsass/src/base64vlq.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/c99func.c
• /ninjecture/node_modules/node-sass/src/libsass/test/test_subset_map.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/color.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/backtrace.hpp
• /ninjecture/node_modules/node-sass/src/custom_function_bridge.cpp
• /ninjecture/node_modules/node-sass/src/libsass/test/test_node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/paths.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.hpp
• /ninjecture/node_modules/node-sass/src/sass_types/number.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/boolean.h
• /ninjecture/node_modules/node-sass/src/sass_context_wrapper.cpp
• /ninjecture/node_modules/node-sass/src/custom_importer_bridge.cpp
• /ninjecture/node_modules/node-sass/src/binding.cpp
• /ninjecture/node_modules/node-sass/src/libsass/test/test_unification.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/position.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/plugins.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /ninjecture/node_modules/node-sass/src/sass_types/list.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/position.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/null.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/string.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/boolean.cpp
• /ninjecture/node_modules/node-sass/src/libsass/contrib/plugin.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/plugins.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.cpp
• /ninjecture/node_modules/node-sass/src/custom_importer_bridge.h
• /ninjecture/node_modules/node-sass/src/sass_types/color.h
• /ninjecture/node_modules/node-sass/src/libsass/test/test_superselector.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/utf8_string.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cencode.c
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debug.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/utf8_string.hpp
• /ninjecture/node_modules/node-sass/src/sass_types/factory.cpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/functions.h
• /ninjecture/node_modules/node-sass/src/callback_bridge.h
• /ninjecture/node_modules/node-sass/src/sass_types/list.cpp

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6284

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - libsass3.4.1

A C/C++ implementation of a Sass compiler

Library home page: https://github.com/sass/libsass.git

Library Source Files (72)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/output.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debugger.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_factory.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/base.h
• /ninjecture/node_modules/node-sass/src/libsass/src/output.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/operation.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/values.h
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass2scss.h
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/context.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/json.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/bind.cpp

Vulnerability Details

In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.

Publish Date: 2018-12-04

URL: CVE-2018-19837

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19837

Fix Resolution: 3.5.5

Vulnerable Library - bootstrap-sass-3.3.7.tgz

bootstrap-sass is a Sass-powered version of Bootstrap 3, ready to drop right into your Sass powered applications.

path: /ninjecture/node_modules/bootstrap-sass/package.json

Library home page: https://registry.npmjs.org/bootstrap-sass/-/bootstrap-sass-3.3.7.tgz

Dependency Hierarchy:

• ❌ bootstrap-sass-3.3.7.tgz (Vulnerable Library)

Vulnerability Details

XSS in data-target in bootstrap (3.3.7 and before)

Publish Date: 2017-06-27

URL: WS-2018-0021

CVSS 2 Score Details (6.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: twbs/bootstrap@d9be1da

Release Date: 2017-08-25

Fix Resolution: Replace or update the following files: alert.js, carousel.js, collapse.js, dropdown.js, modal.js

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Vulnerable Library - hawk-3.1.3.tgz

HTTP Hawk Authentication Scheme

path: /ninjecture/node_modules/hawk/package.json

Library home page: http://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz

Dependency Hierarchy:

• ❌ hawk-3.1.3.tgz (Vulnerable Library)

Vulnerability Details

Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

Publish Date: 2016-04-13

URL: CVE-2016-2515

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/77

Release Date: 2016-01-19

Fix Resolution: Update to hawk version 4.1.1 or greater.

Vulnerable Library - shell-quote-0.0.1.tgz

quote and parse shell commands

path: /ninjecture/node_modules/shell-quote/package.json

Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz

Dependency Hierarchy:

• ❌ shell-quote-0.0.1.tgz (Vulnerable Library)

Vulnerability Details

The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.

Publish Date: 2018-05-31

URL: CVE-2016-10541

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10541

Release Date: 2018-12-15

Fix Resolution: 1.6.1

Vulnerable Library - libsass3.4.1

A C/C++ implementation of a Sass compiler

Library home page: https://github.com/sass/libsass.git

Library Source Files (72)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/output.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debugger.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_factory.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/base.h
• /ninjecture/node_modules/node-sass/src/libsass/src/output.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/operation.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/values.h
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass2scss.h
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/context.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/json.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/bind.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - uglify-js-2.4.24.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

path: /ninjecture/node_modules/html-minifier/node_modules/uglify-js/package.json

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz

Dependency Hierarchy:

• ❌ uglify-js-2.4.24.tgz (Vulnerable Library)

Vulnerability Details

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later

Vulnerable Library - shell-quote-0.0.1.tgz

quote and parse shell commands

path: /ninjecture/node_modules/shell-quote/package.json

Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz

Dependency Hierarchy:

• ❌ shell-quote-0.0.1.tgz (Vulnerable Library)

Vulnerability Details

The npm module "shell-quote" cannot correctly escape "greater than" and "lower than" operator used for redirection in shell. This might be possible vulnerability for many application which depends on shell-quote.

Publish Date: 2016-06-21

URL: WS-2016-0039

CVSS 2 Score Details (8.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/117

Release Date: 2016-06-21

Fix Resolution: Upgrade to at least version 1.6.1

Vulnerable Library - libsass3.4.1

A C/C++ implementation of a Sass compiler

Library home page: https://github.com/sass/libsass.git

Library Source Files (72)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/output.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debugger.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_factory.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/base.h
• /ninjecture/node_modules/node-sass/src/libsass/src/output.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/operation.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/values.h
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass2scss.h
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/context.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/json.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/bind.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - libsass3.4.1

A C/C++ implementation of a Sass compiler

Library home page: https://github.com/sass/libsass.git

Library Source Files (72)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/output.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debugger.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_factory.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/base.h
• /ninjecture/node_modules/node-sass/src/libsass/src/output.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/operation.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/values.h
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass2scss.h
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/context.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/json.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/bind.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11696

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - uglify-js-2.4.24.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

path: /ninjecture/node_modules/html-minifier/node_modules/uglify-js/package.json

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz

Dependency Hierarchy:

• ❌ uglify-js-2.4.24.tgz (Vulnerable Library)

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.6.0

Vulnerable Library - libsass3.4.1

A C/C++ implementation of a Sass compiler

Library home page: https://github.com/sass/libsass.git

Library Source Files (72)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/output.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debugger.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_factory.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/base.h
• /ninjecture/node_modules/node-sass/src/libsass/src/output.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/operation.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/values.h
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass2scss.h
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/context.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/json.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/bind.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.2. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - symfony/http-kernel-v2.7.5

The HttpKernel component provides a structured process for converting a Request into a Response.

path: null

Dependency Hierarchy:

• laravel/framework-v5.1.20 (Root Library)
  • ❌ symfony/http-kernel-v2.7.5 (Vulnerable Library)

Vulnerability Details

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.

Publish Date: 2018-08-03

URL: CVE-2018-14774

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: symfony/symfony@725dee4

Release Date: 2018-08-01

Fix Resolution: Replace or update the following files: InlineFragmentRenderer.php, SubRequestHandlerTest.php, SubRequestHandler.php, TestHttpKernel.php, InlineFragmentRendererTest.php, Request.php, HttpCache.php, HttpCacheTest.php

Vulnerable Library - cli-0.10.0.tgz

A tool for rapidly building command line apps

path: /ninjecture/node_modules/cli/package.json

Library home page: http://registry.npmjs.org/cli/-/cli-0.10.0.tgz

Dependency Hierarchy:

• ❌ cli-0.10.0.tgz (Vulnerable Library)

Vulnerability Details

The package node-cli insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2016-06-15

URL: WS-2016-0036

CVSS 2 Score Details (1.9)

Base Score Metrics not available

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

path: /ninjecture/node_modules/hoek/package.json

Library home page: http://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Dependency Hierarchy:

• ❌ hoek-2.16.3.tgz (Vulnerable Library)

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: hapijs/hoek@623667e

Release Date: 2018-02-15

Fix Resolution: Replace or update the following files: index.js, index.js

Vulnerable Library - swiftmailer/swiftmailer-v5.4.1

Comprehensive mailing tools for PHP

path: null

Dependency Hierarchy:

• laravel/framework-v5.1.20 (Root Library)
  • ❌ swiftmailer/swiftmailer-v5.4.1 (Vulnerable Library)

Vulnerability Details

The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.

Publish Date: 2016-12-30

URL: CVE-2016-10074

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - libsass3.4.1

A C/C++ implementation of a Sass compiler

Library home page: https://github.com/sass/libsass.git

Library Source Files (72)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/output.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debugger.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_factory.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/base.h
• /ninjecture/node_modules/node-sass/src/libsass/src/output.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/operation.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/values.h
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass2scss.h
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/context.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/json.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/bind.cpp

Vulnerability Details

In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().

Publish Date: 2018-12-04

URL: CVE-2018-19838

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19838

Fix Resolution: 3.5.5

Vulnerable Library - node-sassv4.9.4

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Library Source Files (43)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/sass_context_wrapper.h
• /ninjecture/node_modules/node-sass/src/sass_types/map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/b64/encode.h
• /ninjecture/node_modules/node-sass/src/libsass/src/base64vlq.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/c99func.c
• /ninjecture/node_modules/node-sass/src/libsass/test/test_subset_map.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/color.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/backtrace.hpp
• /ninjecture/node_modules/node-sass/src/custom_function_bridge.cpp
• /ninjecture/node_modules/node-sass/src/libsass/test/test_node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/paths.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.hpp
• /ninjecture/node_modules/node-sass/src/sass_types/number.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/boolean.h
• /ninjecture/node_modules/node-sass/src/sass_context_wrapper.cpp
• /ninjecture/node_modules/node-sass/src/custom_importer_bridge.cpp
• /ninjecture/node_modules/node-sass/src/binding.cpp
• /ninjecture/node_modules/node-sass/src/libsass/test/test_unification.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/position.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/plugins.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /ninjecture/node_modules/node-sass/src/sass_types/list.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/position.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/null.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/string.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/boolean.cpp
• /ninjecture/node_modules/node-sass/src/libsass/contrib/plugin.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/plugins.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.cpp
• /ninjecture/node_modules/node-sass/src/custom_importer_bridge.h
• /ninjecture/node_modules/node-sass/src/sass_types/color.h
• /ninjecture/node_modules/node-sass/src/libsass/test/test_superselector.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/utf8_string.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cencode.c
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debug.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/utf8_string.hpp
• /ninjecture/node_modules/node-sass/src/sass_types/factory.cpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/functions.h
• /ninjecture/node_modules/node-sass/src/callback_bridge.h
• /ninjecture/node_modules/node-sass/src/sass_types/list.cpp

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - clean-css-3.4.28.tgz

A well-tested CSS minifier

path: /ninjecture/node_modules/clean-css/package.json

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.28.tgz

Dependency Hierarchy:

• ❌ clean-css-3.4.28.tgz (Vulnerable Library)

Vulnerability Details

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0017

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/785

Release Date: 2019-02-21

Fix Resolution: v4.1.11

Vulnerable Library - node-sassv4.9.4

🌈 Node.js bindings to libsass

Library home page: https://github.com/sass/node-sass.git

Library Source Files (43)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/sass_context_wrapper.h
• /ninjecture/node_modules/node-sass/src/sass_types/map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/b64/encode.h
• /ninjecture/node_modules/node-sass/src/libsass/src/base64vlq.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/c99func.c
• /ninjecture/node_modules/node-sass/src/libsass/test/test_subset_map.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/color.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/backtrace.hpp
• /ninjecture/node_modules/node-sass/src/custom_function_bridge.cpp
• /ninjecture/node_modules/node-sass/src/libsass/test/test_node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/paths.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.hpp
• /ninjecture/node_modules/node-sass/src/sass_types/number.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/boolean.h
• /ninjecture/node_modules/node-sass/src/sass_context_wrapper.cpp
• /ninjecture/node_modules/node-sass/src/custom_importer_bridge.cpp
• /ninjecture/node_modules/node-sass/src/binding.cpp
• /ninjecture/node_modules/node-sass/src/libsass/test/test_unification.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/position.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/plugins.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
• /ninjecture/node_modules/node-sass/src/sass_types/list.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/position.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/null.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/string.cpp
• /ninjecture/node_modules/node-sass/src/sass_types/boolean.cpp
• /ninjecture/node_modules/node-sass/src/libsass/contrib/plugin.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/plugins.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.cpp
• /ninjecture/node_modules/node-sass/src/custom_importer_bridge.h
• /ninjecture/node_modules/node-sass/src/sass_types/color.h
• /ninjecture/node_modules/node-sass/src/libsass/test/test_superselector.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/utf8_string.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cencode.c
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debug.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/utf8_string.hpp
• /ninjecture/node_modules/node-sass/src/sass_types/factory.cpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/functions.h
• /ninjecture/node_modules/node-sass/src/callback_bridge.h
• /ninjecture/node_modules/node-sass/src/sass_types/list.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3721

Fix Resolution: Upgrade to version lodash 4.17.5 or greater

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Vulnerable Library - symfony/http-foundation-v2.7.5

The HttpFoundation component defines an object-oriented layer for the HTTP specification.

path: null

Dependency Hierarchy:

• laravel/framework-v5.1.20 (Root Library)
  • symfony/http-kernel-v2.7.5
    • ❌ symfony/http-foundation-v2.7.5 (Vulnerable Library)

Vulnerability Details

An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.

Publish Date: 2018-06-13

URL: CVE-2018-11386

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: symfony/symfony@47e7268

Release Date: 2018-05-23

Fix Resolution: Replace or update the following file: PdoSessionHandler.php

Vulnerable Library - libsass3.4.1

A C/C++ implementation of a Sass compiler

Library home page: https://github.com/sass/libsass.git

Library Source Files (72)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/output.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/debugger.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_util.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/emitter.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass2scss.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/functions.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/listize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/units.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast_factory.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/ast.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/memory_manager.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/lexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_values.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/constants.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_c.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/to_value.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/cssize.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/remove_placeholders.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/util.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/eval.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass_context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/subset_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/base.h
• /ninjecture/node_modules/node-sass/src/libsass/src/output.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/operation.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/values.h
• /ninjecture/node_modules/node-sass/src/libsass/src/error_handling.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/source_map.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass2scss.h
• /ninjecture/node_modules/node-sass/src/libsass/src/sass.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/file.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/node.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/expand.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/environment.hpp
• /ninjecture/node_modules/node-sass/src/libsass/include/sass/context.h
• /ninjecture/node_modules/node-sass/src/libsass/src/prelexer.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/inspect.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/json.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/context.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/parser.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/extend.cpp
• /ninjecture/node_modules/node-sass/src/libsass/src/color_maps.hpp
• /ninjecture/node_modules/node-sass/src/libsass/src/bind.cpp

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High