A senior student from Shandong University (Weihai), majoring in data science and artificial intelligence
I love working on FOSS projects and contributing to them.
 |
 |
 |
|---|
 |
 |
 |
 |
|---|
 |
 |
 |
 |
|---|
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
Vulnerable Library - jquery-1.10.2.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to dependency file: /node_modules/titlecase/test/index.html
Path to vulnerable library: /node_modules/titlecase/test/index.html
Dependency Hierarchy:
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-1.2.2.tgzA markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Publish Date: 2022-01-14
URL: CVE-2022-21681
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-5v2h-r2cx-5xgj
Release Date: 2022-01-14
Fix Resolution: marked - 4.0.10
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-1.2.2.tgzA markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.
Publish Date: 2021-02-08
URL: CVE-2021-21306
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-4r62-v4vq-hr96
Release Date: 2021-02-08
Fix Resolution (marked): 2.0.0
Direct dependency fix Resolution (hexo-renderer-marked): 4.0.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - marked-1.2.2.tgzA markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Publish Date: 2022-01-14
URL: CVE-2022-21680
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-rrrm-qjm4-v8hf
Release Date: 2022-01-14
Fix Resolution: marked - 4.0.10
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - ansi-regex-5.0.0.tgzRegular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: 6d1c195f8bb14aeafd7c36d4b5c1eb84d71e62b2
Found in base branch: master
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (hexo): 5.3.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-1.10.2.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to dependency file: /node_modules/titlecase/test/index.html
Path to vulnerable library: /node_modules/titlecase/test/index.html
Dependency Hierarchy:
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-1.10.2.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to dependency file: /node_modules/titlecase/test/index.html
Path to vulnerable library: /node_modules/titlecase/test/index.html
Dependency Hierarchy:
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - hexo-5.2.0.tgzA fast, simple & powerful blog framework, powered by Node.js.
Library home page: https://registry.npmjs.org/hexo/-/hexo-5.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hexo/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post βbodyβ and βtagsβ donβt sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.
Publish Date: 2021-11-30
URL: CVE-2021-25987
CVSS 3 Score Details (4.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-25987
Release Date: 2021-11-30
Fix Resolution: 5.4.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jquery-1.10.2.min.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to dependency file: /node_modules/titlecase/test/index.html
Path to vulnerable library: /node_modules/titlecase/test/index.html
Dependency Hierarchy:
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - ejs-2.7.4.tgzEmbedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ejs/package.json
Dependency Hierarchy:
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: mde/ejs#571
Release Date: 2021-01-22
Fix Resolution (ejs): 3.1.6
Direct dependency fix Resolution (hexo-renderer-ejs): 2.0.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - striptags-3.1.1.tgzPHP strip_tags in Node.js
Library home page: https://registry.npmjs.org/striptags/-/striptags-3.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/striptags/package.json
Dependency Hierarchy:
Found in HEAD commit: 6d1c195f8bb14aeafd7c36d4b5c1eb84d71e62b2
Found in base branch: master
Vulnerability Details
The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to a XSS.
Publish Date: 2021-06-18
URL: CVE-2021-32696
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-qxg5-2qff-p49r
Release Date: 2021-06-18
Fix Resolution (striptags): 3.2.0
Direct dependency fix Resolution (hexo-renderer-marked): 4.0.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - path-parse-1.0.6.tgzNode.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (hexo): 5.3.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - prismjs-1.25.0.tgzLightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.25.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/prismjs/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
Publish Date: 2022-02-18
URL: CVE-2022-23647
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-3949-f494-cm99
Release Date: 2022-02-18
Fix Resolution: prismjs- v1.27.0
Step up your Open Source Security Game with WhiteSource here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. πππ
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google β€οΈ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
