blog's Issues
WS-2021-0153 (High) detected in ejs-2.7.4.tgz
WS-2021-0153 - High Severity Vulnerability
Vulnerable Library - ejs-2.7.4.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ejs/package.json
Dependency Hierarchy:
- hexo-renderer-ejs-1.0.0.tgz (Root Library)
  - ❌ ejs-2.7.4.tgz (Vulnerable Library)
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
An arbitrary code injection vulnerability was found in ejs before 3.1.6, caused by a filename that isn't sanitized for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: mde/ejs#571
Release Date: 2021-01-22
Fix Resolution (ejs): 3.1.6
Direct dependency fix Resolution (hexo-renderer-ejs): 2.0.0
Step up your Open Source Security Game with WhiteSource here
CVE-2020-11023 (Medium) detected in jquery-1.10.2.min.js
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.10.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to dependency file: /node_modules/titlecase/test/index.html
Path to vulnerable library: /node_modules/titlecase/test/index.html
Dependency Hierarchy:
- ❌ jquery-1.10.2.min.js (Vulnerable Library)
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2015-9251 (Medium) detected in jquery-1.10.2.min.js
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.10.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to dependency file: /node_modules/titlecase/test/index.html
Path to vulnerable library: /node_modules/titlecase/test/index.html
Dependency Hierarchy:
- ❌ jquery-1.10.2.min.js (Vulnerable Library)
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz
CVE-2021-23343 - High Severity Vulnerability
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
- hexo-5.2.0.tgz (Root Library)
  - resolve-1.18.1.tgz
    - ❌ path-parse-1.0.6.tgz (Vulnerable Library)
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (hexo): 5.3.0
CVE-2019-11358 (Medium) detected in jquery-1.10.2.min.js
CVE-2019-11358 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.10.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to dependency file: /node_modules/titlecase/test/index.html
Path to vulnerable library: /node_modules/titlecase/test/index.html
Dependency Hierarchy:
- ❌ jquery-1.10.2.min.js (Vulnerable Library)
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
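The mechanism behind CVE-2019-11358, as an added example that is not jQuery's source: a minimal recursive extend of the kind `jQuery.extend(true, target, source)` performs, first with the defect described above and then with the check jQuery 3.4.0 added (skip `__proto__`; the example also skips `constructor` and `prototype`). The attacker JSON, the probe and all function names are constructed for illustration. Runs under Node.

```javascript
// Added example (not jQuery's code). A deep merge that recurses into every own
// enumerable key of `source`. JSON.parse creates an OWN property literally
// named "__proto__", and target["__proto__"] resolves to Object.prototype, so
// the recursion writes the attacker's keys onto the shared prototype.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      deepExtendVulnerable(target[key], value); // key === "__proto__" lands in Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain (jQuery 3.4.0 skips
// "__proto__"; "constructor" and "prototype" are skipped here as well) and only
// recurse into nested objects the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      deepExtendSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input: a JSON body that gets merged into per-request defaults.
const ATTACKER_JSON = '{"__proto__": {"polluted": "yes"}, "name": "x"}';

// Merge the payload with the given extend function and report whether an
// unrelated, freshly created object now inherits the attacker's key.
function pollutionProbe(extendFn) {
  const merged = extendFn({}, JSON.parse(ATTACKER_JSON));
  const leaked = ({}).polluted;          // "yes" only if Object.prototype was written
  delete Object.prototype.polluted;      // undo the damage so later code is unaffected
  return { name: merged.name, leaked: leaked === undefined ? null : leaked };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('vulnerable:', pollutionProbe(deepExtendVulnerable)); // leaked: 'yes'
  console.log('hardened:  ', pollutionProbe(deepExtendSafe));       // leaked: null
}
```

The probe cleans `Object.prototype` up after itself; in a real incident nothing does, which is why a polluted `polluted`/`isAdmin`/`shell` key keeps surfacing in every object created afterwards, including ones in unrelated libraries.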
CVE-2022-23647 (High) detected in prismjs-1.25.0.tgz
CVE-2022-23647 - High Severity Vulnerability
Vulnerable Library - prismjs-1.25.0.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.25.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/prismjs/package.json
Dependency Hierarchy:
- hexo-renderer-marked-3.3.0.tgz (Root Library)
  - hexo-util-2.4.0.tgz
    - ❌ prismjs-1.25.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
Publish Date: 2022-02-18
URL: CVE-2022-23647
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-3949-f494-cm99
Release Date: 2022-02-18
Fix Resolution: prismjs- v1.27.0
CVE-2021-3807 (High) detected in ansi-regex-5.0.0.tgz
CVE-2021-3807 - High Severity Vulnerability
Vulnerable Library - ansi-regex-5.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-regex/package.json
Dependency Hierarchy:
- hexo-5.2.0.tgz (Root Library)
  - strip-ansi-6.0.0.tgz
    - ❌ ansi-regex-5.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 6d1c195f8bb14aeafd7c36d4b5c1eb84d71e62b2
Found in base branch: master
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (hexo): 5.3.0
CVE-2021-32696 (Medium) detected in striptags-3.1.1.tgz
CVE-2021-32696 - Medium Severity Vulnerability
Vulnerable Library - striptags-3.1.1.tgz
PHP strip_tags in Node.js
Library home page: https://registry.npmjs.org/striptags/-/striptags-3.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/striptags/package.json
Dependency Hierarchy:
- hexo-renderer-marked-3.3.0.tgz (Root Library)
  - hexo-util-2.4.0.tgz
    - ❌ striptags-3.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 6d1c195f8bb14aeafd7c36d4b5c1eb84d71e62b2
Found in base branch: master
Vulnerability Details
The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to XSS.
Publish Date: 2021-06-18
URL: CVE-2021-32696
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-qxg5-2qff-p49r
Release Date: 2021-06-18
Fix Resolution (striptags): 3.2.0
Direct dependency fix Resolution (hexo-renderer-marked): 4.0.0
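The type confusion described in CVE-2021-32696, as an added example that is not striptags' code: a hypothetical character-by-character tag stripper that is correct for strings but, when handed the array a query parser produces for a repeated key, treats each whole chunk as one "character" and copies the tags through untouched. The hardened entry point simply refuses non-string input. The query string and function names are constructed for the example; it runs under Node (which provides `URLSearchParams` globally).

```javascript
// Added example (hypothetical; not striptags' code). A character-by-character
// tag stripper: everything between '<' and '>' is dropped, the rest is kept.
function stripTagsCore(html) {
  let out = '';
  let inTag = false;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];                // assumed to be a single character
    if (!inTag && c === '<') inTag = true;
    else if (inTag && c === '>') inTag = false;
    else if (!inTag) out += c;
  }
  return out;
}

// Vulnerable entry point: accepts anything with .length and [i]. An array of
// strings is "array-like", so each element is treated as one character: the
// whole "<script>" chunk is not '<', so it is appended to the output unchanged.
function stripTagsVulnerable(html) {
  html = html || '';
  return stripTagsCore(html);
}

// Hardened entry point: refuse non-strings instead of iterating them.
function stripTagsSafe(html) {
  if (typeof html !== 'string') {
    throw new TypeError('html must be a string, got ' + typeof html);
  }
  return stripTagsCore(html);
}

// Constructed attacker request: the same query key repeated three times.
// Query parsers such as qs (used by Express) and URLSearchParams.getAll()
// hand the application an array for a repeated key, which is exactly the
// array-like shape the vulnerable entry point mishandles.
const ATTACK_QUERY = 'html=%3Cscript%3E&html=alert(1)&html=%3C%2Fscript%3E';

function attackerParam() {
  return new URLSearchParams(ATTACK_QUERY).getAll('html');
  // → ['<script>', 'alert(1)', '</script>']
}

if (typeof module !== 'undefined' && require.main === module) {
  const parts = attackerParam();
  console.log('array input :', stripTagsVulnerable(parts));          // <script>alert(1)</script>
  console.log('string input:', stripTagsVulnerable(parts.join(''))); // alert(1)
}
```

Throwing is the conservative choice; coercing with `String(html)` would also be safe here (an array stringifies with commas, so the tags are split), but a caller-side "helpful" `[].concat(html).join('')` would reintroduce the bypass, so validate the type at the sanitizer boundary rather than upstream.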
CVE-2022-21681 (High) detected in marked-1.2.2.tgz
CVE-2022-21681 - High Severity Vulnerability
Vulnerable Library - marked-1.2.2.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
- hexo-renderer-marked-3.3.0.tgz (Root Library)
  - ❌ marked-1.2.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Publish Date: 2022-01-14
URL: CVE-2022-21681
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5v2h-r2cx-5xgj
Release Date: 2022-01-14
Fix Resolution: marked - 4.0.10
CVE-2020-11022 (Medium) detected in jquery-1.10.2.min.js
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.10.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to dependency file: /node_modules/titlecase/test/index.html
Path to vulnerable library: /node_modules/titlecase/test/index.html
Dependency Hierarchy:
- ❌ jquery-1.10.2.min.js (Vulnerable Library)
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
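How "sanitized" HTML can still execute under CVE-2020-11022, as an added example that is not jQuery's source. Before 3.5.0, jQuery passed HTML strings through `htmlPrefilter`, which rewrote XHTML-style self-closing tags (`<tag/>`) into `<tag></tag>` with a regex; the block below uses a regex of the same shape (not copied verbatim from jQuery) and the well-known `<style><style/><img ...>` payload to show the rewrite creating an element the sanitizer never saw. The related `<option>` case of CVE-2020-11023 is not reproduced here. Function names and the naive oracle are constructed for the example; it runs under Node and checks strings only, since no DOM is involved.

```javascript
// Added example (not jQuery's source). A regex of the same shape as the one
// pre-3.5 jQuery used in htmlPrefilter: expand "<tag ...attrs/>" to
// "<tag ...attrs></tag>" for every tag that is not a void element.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function htmlPrefilterVulnerable(html) {
  return html.replace(rxhtmlTag, '<$1></$2>');
}

// jQuery 3.5.0's fix: htmlPrefilter no longer rewrites the markup at all.
function htmlPrefilterFixed(html) {
  return html;
}

// Constructed payload. As written it is inert: <style> starts a raw-text
// element and nothing after it is parsed as markup, so an HTML sanitizer that
// parses it sees no <img>. The prefilter turns "<style/>" into
// "<style></style>"; that "</style>" closes the OUTER style element, which
// pushes the <img> out of raw text and makes its onerror handler live.
const SANITIZED_INPUT = '<style><style/><img src=x onerror=alert(1)>';

// Naive oracle for this payload shape only: does an <img ...> appear after a
// "</style>" that would end the raw-text element?
function imgEscapesStyle(html) {
  const close = html.indexOf('</style>');
  return close !== -1 && html.indexOf('<img', close) !== -1;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('before 3.5:', htmlPrefilterVulnerable(SANITIZED_INPUT)); // <style><style></style><img src=x onerror=alert(1)>
  console.log('3.5.0+    :', htmlPrefilterFixed(SANITIZED_INPUT));      // unchanged
}
```

The security lesson generalises beyond jQuery: any transformation applied after sanitization (here a regex rewrite, elsewhere entity decoding or template interpolation) re-opens the parser to content the sanitizer already approved. Upgrading to 3.5.0 removes the rewrite; code that relied on `<div/>` being expanded will need the upgrade notes linked from the Origin URL above.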
CVE-2021-21306 (High) detected in marked-1.2.2.tgz
CVE-2021-21306 - High Severity Vulnerability
Vulnerable Library - marked-1.2.2.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
- hexo-renderer-marked-3.3.0.tgz (Root Library)
  - ❌ marked-1.2.2.tgz (Vulnerable Library)
Found in HEAD commit: cd4e879317e2b44f3afda5b48365bf134207b886
Found in base branch: master
Vulnerability Details
Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.
Publish Date: 2021-02-08
URL: CVE-2021-21306
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4r62-v4vq-hr96
Release Date: 2021-02-08
Fix Resolution (marked): 2.0.0
Direct dependency fix Resolution (hexo-renderer-marked): 4.0.0
CVE-2021-25987 (Medium) detected in hexo-5.2.0.tgz
CVE-2021-25987 - Medium Severity Vulnerability
Vulnerable Library - hexo-5.2.0.tgz
A fast, simple & powerful blog framework, powered by Node.js.
Library home page: https://registry.npmjs.org/hexo/-/hexo-5.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hexo/package.json
Dependency Hierarchy:
- ❌ hexo-5.2.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.
Publish Date: 2021-11-30
URL: CVE-2021-25987
CVSS 3 Score Details (4.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-25987
Release Date: 2021-11-30
Fix Resolution: 5.4.1
CVE-2022-21680 (High) detected in marked-1.2.2.tgz
CVE-2022-21680 - High Severity Vulnerability
Vulnerable Library - marked-1.2.2.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-1.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json
Dependency Hierarchy:
- hexo-renderer-marked-3.3.0.tgz (Root Library)
  - ❌ marked-1.2.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Publish Date: 2022-01-14
URL: CVE-2022-21680
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-rrrm-qjm4-v8hf
Release Date: 2022-01-14
Fix Resolution: marked - 4.0.10