This project is forked from ismaestro/angular-example-app
Angular 9 Example App + Angular CLI + Angular Universal + i18n + Firebase
Home Page: https://angularexampleapp.com/
License: MIT License
TypeScript 74.61%
JavaScript 3.17%
HTML 11.63%
CSS 3.01%
SCSS 7.59%
angular's Introduction
🔥 I'm a passionate DevOps enthusiast from India 🇮🇳
🌱 I'm currently learning everything
💬 Ask me about Azure DevOps, GitHub, Visual Studio and Azure
2023 Goals: Contribute more to Open Source projects, Learn AI/ML DevOps
📫 Reach me on twitter @Srivatsa91
⚡ Fun fact: Hike more, Worry less
angular's Issues
CVE-2020-15256 - High Severity Vulnerability
Vulnerable Libraries - object-path-0.9.2.tgz, object-path-0.11.4.tgz
object-path-0.9.2.tgz
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
eazy-logger-3.0.2.tgz
tfunk-3.1.0.tgz
❌ object-path-0.9.2.tgz (Vulnerable Library)
object-path-0.11.4.tgz
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@wessberg/ts-evaluator/node_modules/object-path/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
guess-parser-0.4.18.tgz
ts-evaluator-0.0.25.tgz
❌ object-path-0.11.4.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the includeInheritedProps: true option or the withInheritedProps instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-7768 - High Severity Vulnerability
Vulnerable Libraries - grpc-js-0.8.1.tgz, grpc-1.24.2.tgz
grpc-js-0.8.1.tgz
gRPC Library for Node - pure JS implementation
Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-0.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@grpc/grpc-js/package.json
Dependency Hierarchy:
firebase-7.14.3.tgz (Root Library)
firestore-1.14.3.tgz
❌ grpc-js-0.8.1.tgz (Vulnerable Library)
grpc-1.24.2.tgz
gRPC Library for Node
Library home page: https://registry.npmjs.org/grpc/-/grpc-1.24.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grpc/package.json
Dependency Hierarchy:
❌ grpc-1.24.2.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The packages grpc before 1.24.4 and @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
Publish Date: 2020-11-11
URL: CVE-2020-7768
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768
Release Date: 2020-11-11
Fix Resolution (@grpc/grpc-js): 1.1.8
Direct dependency fix Resolution (firebase): 7.15.2-0
WS-2019-0066 - Medium Severity Vulnerability
Vulnerable Library - ecstatic-3.3.2.tgz
A simple static file server middleware
Library home page: https://registry.npmjs.org/ecstatic/-/ecstatic-3.3.2.tgz
Path to dependency file: angular/package.json
Path to vulnerable library: angular/node_modules/ecstatic/package.json
Dependency Hierarchy:
http-server-0.12.3.tgz (Root Library)
❌ ecstatic-3.3.2.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
Versions of ecstatic prior to 4.1.2 fail to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domain.
Publish Date: 2019-04-27
URL: WS-2019-0066
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/830/versions
Release Date: 2019-05-02
Fix Resolution: 4.1.2
CVE-2020-28500 - Medium Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
custom-webpack-9.1.0.tgz (Root Library)
❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (@angular-builders/custom-webpack): 9.2.0
WS-2020-0128 - High Severity Vulnerability
Vulnerable Library - standard-version-8.0.0.tgz
replacement for `npm version` with automatic CHANGELOG generation
Library home page: https://registry.npmjs.org/standard-version/-/standard-version-8.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/standard-version/package.json
Dependency Hierarchy:
❌ standard-version-8.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The standardVersion function in standard-version before 8.0.1 has a command injection vulnerability.
Publish Date: 2020-07-12
URL: WS-2020-0128
CVSS 3 Score Details (7.2)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7xcx-6wjh-7xp2
Release Date: 2020-07-12
Fix Resolution: 8.0.1
CVE-2020-15366 - Medium Severity Vulnerability
Vulnerable Libraries - ajv-6.12.0.tgz, ajv-6.12.2.tgz
ajv-6.12.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ajv/package.json
Dependency Hierarchy:
build-angular-0.901.9.tgz (Root Library)
❌ ajv-6.12.0.tgz (Vulnerable Library)
ajv-6.12.2.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/schema-utils/node_modules/ajv/package.json
Dependency Hierarchy:
build-angular-0.901.9.tgz (Root Library)
coverage-istanbul-loader-3.0.3.tgz
schema-utils-2.7.0.tgz
❌ ajv-6.12.2.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.12
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.12
CVE-2020-7656 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/droppableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
❌ jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-19
Fix Resolution: jquery - 1.9.0
CVE-2020-7735 - Medium Severity Vulnerability
Vulnerable Library - ng-packagr-9.1.3.tgz
Compile and package a TypeScript library to Angular Package Format
Library home page: https://registry.npmjs.org/ng-packagr/-/ng-packagr-9.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ng-packagr/package.json
Dependency Hierarchy:
❌ ng-packagr-9.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The package ng-packagr before 10.1.1 is vulnerable to Command Injection via the styleIncludePaths option.
Publish Date: 2020-09-25
URL: CVE-2020-7735
CVSS 3 Score Details (6.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7735
Release Date: 2020-09-30
Fix Resolution: 10.1.1
CVE-2020-8203 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
custom-webpack-9.1.0.tgz (Root Library)
❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (@angular-builders/custom-webpack): 9.2.0
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/droppableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
❌ jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
CVE-2020-8116 - High Severity Vulnerability
Vulnerable Libraries - dot-prop-4.2.0.tgz, dot-prop-3.0.0.tgz
dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sw-precache/node_modules/dot-prop/package.json
Dependency Hierarchy:
sw-precache-5.2.1.tgz (Root Library)
update-notifier-2.5.0.tgz
configstore-3.1.2.tgz
❌ dot-prop-4.2.0.tgz (Vulnerable Library)
dot-prop-3.0.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/compare-func/node_modules/dot-prop/package.json
Dependency Hierarchy:
standard-version-8.0.0.tgz (Root Library)
conventional-changelog-conventionalcommits-4.2.3.tgz
compare-func-1.3.2.tgz
❌ dot-prop-3.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (7.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution (dot-prop): 4.2.1
Direct dependency fix Resolution (standard-version): 9.0.0
CVE-2021-3805 - High Severity Vulnerability
Vulnerable Libraries - object-path-0.9.2.tgz, object-path-0.11.4.tgz
object-path-0.9.2.tgz
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
eazy-logger-3.0.2.tgz
tfunk-3.1.0.tgz
❌ object-path-0.9.2.tgz (Vulnerable Library)
object-path-0.11.4.tgz
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@wessberg/ts-evaluator/node_modules/object-path/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
guess-parser-0.4.18.tgz
ts-evaluator-0.0.25.tgz
❌ object-path-0.11.4.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-17
URL: CVE-2021-3805
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/
Release Date: 2021-09-17
Fix Resolution (object-path): 0.11.8
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
Fix Resolution (object-path): 0.11.8
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
CVE-2020-1971 - Medium Severity Vulnerability
Vulnerable Library - boringssl85c2cd8a458dc62fb7e9a540d94d21d1bb39c86a
Mirror of BoringSSL
Library home page: https://github.com/google/boringssl.git
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerable Source Files (1)
/node_modules/grpc/deps/grpc/third_party/boringssl/crypto/x509v3/v3_genn.c
Vulnerability Details
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
Publish Date: 2020-12-08
URL: CVE-2020-1971
CVSS 3 Score Details (5.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971
Release Date: 2020-12-08
Fix Resolution: 1.0.2x,1.1.1i
WS-2019-0307 - Medium Severity Vulnerability
Vulnerable Library - mem-1.1.0.tgz
Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input
Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@ngx-translate/i18n-polyfill/node_modules/mem/package.json
Dependency Hierarchy:
i18n-polyfill-1.0.0.tgz (Root Library)
yargs-10.0.3.tgz
os-locale-2.1.0.tgz
❌ mem-1.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure to remove old values from the cache.
Publish Date: 2018-08-27
URL: WS-2019-0307
CVSS 3 Score Details (5.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1084
Release Date: 2018-08-27
Fix Resolution: mem - 4.0.0
CVE-2021-3795 - High Severity Vulnerability
Vulnerable Library - semver-regex-2.0.0.tgz
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex/package.json
Dependency Hierarchy:
husky-4.2.5.tgz (Root Library)
find-versions-3.2.0.tgz
❌ semver-regex-2.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
semver-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3795
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-15
Fix Resolution (semver-regex): 3.1.3
Direct dependency fix Resolution (husky): 4.3.7
CVE-2011-4969 - Low Severity Vulnerability
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/droppableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
❌ jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
CVSS 3 Score Details (3.7)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969
Release Date: 2013-03-08
Fix Resolution: 1.6.3
CVE-2022-0235 - Medium Severity Vulnerability
Vulnerable Library - node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
firebase-7.14.3.tgz (Root Library)
functions-0.4.43.tgz
isomorphic-fetch-2.2.1.tgz
❌ node-fetch-1.7.3.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (firebase): 8.10.1-2022028193537
CVE-2020-36049 - High Severity Vulnerability
Vulnerable Libraries - socket.io-parser-3.2.0.tgz, socket.io-parser-3.3.0.tgz
socket.io-parser-3.2.0.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
karma-5.0.5.tgz (Root Library)
socket.io-2.1.1.tgz
❌ socket.io-parser-3.2.0.tgz (Vulnerable Library)
socket.io-parser-3.3.0.tgz
socket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io-parser/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
browser-sync-ui-2.26.4.tgz
socket.io-client-2.3.0.tgz
❌ socket.io-parser-3.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Publish Date: 2021-01-08
URL: CVE-2020-36049
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xfhh-g9f5-x4m4
Release Date: 2021-01-08
Fix Resolution (socket.io-parser): 3.3.2
Direct dependency fix Resolution (karma): 5.0.8
Fix Resolution (socket.io-parser): 3.3.2
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
CVE-2020-28481 - Medium Severity Vulnerability
Vulnerable Library - socket.io-2.1.1.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/package.json
Dependency Hierarchy:
karma-5.0.5.tgz (Root Library)
❌ socket.io-2.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Publish Date: 2021-01-19
URL: CVE-2020-28481
CVSS 3 Score Details (4.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481
Release Date: 2021-01-19
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.0.8
CVE-2022-0437 - Medium Severity Vulnerability
Vulnerable Library - karma-5.0.5.tgz
Spectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/package.json
Dependency Hierarchy:
❌ karma-5.0.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
Publish Date: 2022-02-05
URL: CVE-2022-0437
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-0437
Release Date: 2022-02-05
Fix Resolution: 6.3.14
CVE-2020-7662 - High Severity Vulnerability
Vulnerable Library - websocket-extensions-0.1.3.tgz
Generic extension manager for WebSocket connections
Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/websocket-extensions/package.json
Dependency Hierarchy:
build-angular-0.901.9.tgz (Root Library)
webpack-dev-server-3.11.0.tgz
sockjs-0.3.20.tgz
websocket-driver-0.6.5.tgz
❌ websocket-extensions-0.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
Publish Date: 2020-06-02
URL: CVE-2020-7662
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-g78m-2chm-r7qv
Release Date: 2020-06-02
Fix Resolution (websocket-extensions): 0.1.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.10
CVE-2019-10775 - High Severity Vulnerability
Vulnerable Library - ecstatic-3.3.2.tgz
A simple static file server middleware
Library home page: https://registry.npmjs.org/ecstatic/-/ecstatic-3.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ecstatic/package.json
Dependency Hierarchy:
http-server-0.12.3.tgz (Root Library)
❌ ecstatic-3.3.2.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
ecstatic has a denial-of-service vulnerability. Successful exploitation could crash the application.
Publish Date: 2020-01-02
URL: CVE-2019-10775
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-01-08
Fix Resolution (ecstatic): 4.0.0
Direct dependency fix Resolution (http-server): 0.13.0
CVE-2022-0122 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
build-angular-0.901.9.tgz (Root Library)
webpack-dev-server-3.11.0.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site.
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
CVE-2020-28502 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
karma-5.0.5.tgz (Root Library)
socket.io-2.1.1.tgz
socket.io-client-2.1.1.tgz
engine.io-client-3.2.1.tgz
❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.0.8
CVE-2020-13822 - High Severity Vulnerability
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
build-angular-0.901.9.tgz (Root Library)
webpack-4.42.0.tgz
node-libs-browser-2.2.1.tgz
crypto-browserify-3.12.0.tgz
browserify-sign-4.2.0.tgz
❌ elliptic-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.10
CVE-2019-10744 - High Severity Vulnerability
Vulnerable Library - lodash.template-3.6.2.tgz
The modern build of lodash's `_.template` as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash.template/package.json
Dependency Hierarchy:
karma-remap-istanbul-0.6.0.tgz (Root Library)
remap-istanbul-0.9.6.tgz
gulp-util-3.0.7.tgz
❌ lodash.template-3.6.2.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
WS-2020-0443 - High Severity Vulnerability
Vulnerable Library - socket.io-2.1.1.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/socket.io/package.json
Dependency Hierarchy:
karma-5.0.5.tgz (Root Library)
❌ socket.io-2.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
socket.io versions 1.0.0 to 2.3.0 are vulnerable to Cross-Site WebSocket Hijacking: the origin protection can be bypassed using special symbols, including "`" and "$".
Publish Date: 2020-02-20
URL: WS-2020-0443
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/931197
Release Date: 2020-02-20
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.0.8
CVE-2012-6708 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.4.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /node_modules/selenium-webdriver/lib/test/data/droppableItems.html
Path to vulnerable library: /node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
❌ jquery-1.4.4.min.js (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
WS-2020-0127 - Medium Severity Vulnerability
Vulnerable Library - npm-registry-fetch-4.0.4.tgz
Fetch-based http client for use with npm registry APIs
Library home page: https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-4.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/npm-registry-fetch/package.json
Dependency Hierarchy:
cli-9.1.5.tgz (Root Library)
pacote-9.5.12.tgz
❌ npm-registry-fetch-4.0.4.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
npm-registry-fetch before 4.0.5 and before 8.1.1 is vulnerable to information exposure through log files.
Publish Date: 2020-07-07
URL: WS-2020-0127
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1544
Release Date: 2020-07-07
Fix Resolution (npm-registry-fetch): 4.0.5
Direct dependency fix Resolution (@angular/cli): 9.1.6
CVE-2021-31597 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
karma-5.0.5.tgz (Root Library)
socket.io-2.1.1.tgz
socket.io-client-2.1.1.tgz
engine.io-client-3.2.1.tgz
❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
CVSS 3 Score Details (9.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.0.8
CVE-2020-28498 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
build-angular-0.901.9.tgz (Root Library)
webpack-4.42.0.tgz
node-libs-browser-2.2.1.tgz
crypto-browserify-3.12.0.tgz
browserify-sign-4.2.0.tgz
❌ elliptic-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually lies on the secp256k1 curve. As a result, the private key used in this implementation could be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.10
CVE-2021-23434 - High Severity Vulnerability
Vulnerable Libraries - object-path-0.9.2.tgz , object-path-0.11.4.tgz
object-path-0.9.2.tgz
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
eazy-logger-3.0.2.tgz
tfunk-3.1.0.tgz
❌ object-path-0.9.2.tgz (Vulnerable Library)
object-path-0.11.4.tgz
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@wessberg/ts-evaluator/node_modules/object-path/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
guess-parser-0.4.18.tgz
ts-evaluator-0.0.25.tgz
❌ object-path-0.11.4.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator always returns false when the operands have different types.
Publish Date: 2021-08-27
URL: CVE-2021-23434
CVSS 3 Score Details (8.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434
Release Date: 2021-08-27
Fix Resolution (object-path): 0.11.6
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
CVE-2021-27292 - High Severity Vulnerability
Vulnerable Libraries - ua-parser-js-0.7.21.tgz , ua-parser-js-0.7.17.tgz
ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
karma-5.0.5.tgz (Root Library)
❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
ua-parser-js-0.7.17.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
❌ ua-parser-js-0.7.17.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Publish Date: 2021-03-17
URL: CVE-2021-27292
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-17
Fix Resolution (ua-parser-js): 0.7.25
Direct dependency fix Resolution (karma): 6.0.0
Fix Resolution (ua-parser-js): 0.7.25
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Libraries - yargs-parser-10.1.0.tgz , yargs-parser-4.2.1.tgz , yargs-parser-8.1.0.tgz , yargs-parser-11.1.1.tgz
yargs-parser-10.1.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/conventional-recommended-bump/node_modules/yargs-parser/package.json
Dependency Hierarchy:
standard-version-8.0.0.tgz (Root Library)
git-semver-tags-3.0.1.tgz
meow-5.0.0.tgz
❌ yargs-parser-10.1.0.tgz (Vulnerable Library)
yargs-parser-4.2.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-4.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browser-sync/node_modules/yargs-parser/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
yargs-6.4.0.tgz
❌ yargs-parser-4.2.1.tgz (Vulnerable Library)
yargs-parser-8.1.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-8.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@ngx-translate/i18n-polyfill/node_modules/yargs-parser/package.json
Dependency Hierarchy:
i18n-polyfill-1.0.0.tgz (Root Library)
yargs-10.0.3.tgz
❌ yargs-parser-8.1.0.tgz (Vulnerable Library)
yargs-parser-11.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yargs-parser/package.json
Dependency Hierarchy:
protractor-5.4.4.tgz (Root Library)
yargs-12.0.5.tgz
❌ yargs-parser-11.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (standard-version): 8.0.1
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (protractor): 7.0.0
CVE-2020-7765 - Medium Severity Vulnerability
Vulnerable Library - util-0.2.46.tgz
_NOTE: This is specifically tailored for Firebase JS SDK usage, if you are not a member of the Firebase team, please avoid using this package_
Library home page: https://registry.npmjs.org/@firebase/util/-/util-0.2.46.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@firebase/util/package.json
Dependency Hierarchy:
firebase-7.14.3.tgz (Root Library)
❌ util-0.2.46.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
This affects the package @firebase/util before 0.3.4. The vulnerability lies in the deepExtend function within the DeepCopy.ts file. Where user input reaches this function, an attacker can overwrite and pollute the object prototype of the program.
Publish Date: 2020-11-16
URL: CVE-2020-7765
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7765
Release Date: 2020-11-16
Fix Resolution (@firebase/util): 0.3.3-2020922203858
Direct dependency fix Resolution (firebase): 7.14.4-canary.76726387
CVE-2020-7733 - High Severity Vulnerability
Vulnerable Libraries - ua-parser-js-0.7.21.tgz , ua-parser-js-0.7.17.tgz
ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
karma-5.0.5.tgz (Root Library)
❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
ua-parser-js-0.7.17.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
❌ ua-parser-js-0.7.17.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets user-agent strings.
Publish Date: 2020-09-16
URL: CVE-2020-7733
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-16
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (karma): 5.2.3
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
WS-2019-0424 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
build-angular-0.901.9.tgz (Root Library)
webpack-4.42.0.tgz
node-libs-browser-2.2.1.tgz
crypto-browserify-3.12.0.tgz
browserify-sign-4.2.0.tgz
❌ elliptic-6.5.2.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
All versions of elliptic are vulnerable to timing attacks through side channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.10
CVE-2020-15168 - Medium Severity Vulnerability
Vulnerable Library - node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
firebase-7.14.3.tgz (Root Library)
functions-0.4.43.tgz
isomorphic-fetch-2.2.1.tgz
❌ node-fetch-1.7.3.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution (node-fetch): 2.6.1
Direct dependency fix Resolution (firebase): 7.21.0-canary.0a1181b18
CVE-2020-7793 - High Severity Vulnerability
Vulnerable Libraries - ua-parser-js-0.7.21.tgz , ua-parser-js-0.7.17.tgz
ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/karma/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
karma-5.0.5.tgz (Root Library)
❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
ua-parser-js-0.7.17.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ua-parser-js/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
❌ ua-parser-js-0.7.17.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see the linked commit for more info).
Publish Date: 2020-12-11
URL: CVE-2020-7793
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-11
Fix Resolution (ua-parser-js): 0.7.23
Direct dependency fix Resolution (karma): 6.0.0
Fix Resolution (ua-parser-js): 0.7.23
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
CVE-2020-7720 - High Severity Vulnerability
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
build-angular-0.901.9.tgz (Root Library)
webpack-dev-server-3.11.0.tgz
selfsigned-1.10.7.tgz
❌ node-forge-0.9.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (7.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.10
CVE-2020-28168 - Medium Severity Vulnerability
Vulnerable Library - axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
localtunnel-1.9.2.tgz
❌ axios-0.19.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution (axios): 0.21.1
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
Vulnerable Library - qs-6.2.3.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz
Path to dependency file: angular/package.json
Path to vulnerable library: angular/node_modules/browser-sync/node_modules/qs/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
❌ qs-6.2.3.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000048
Release Date: 2017-07-17
Fix Resolution: 6.0.4,6.1.2,6.2.3,6.3.2
CVE-2021-23364 - Medium Severity Vulnerability
Vulnerable Library - browserslist-4.12.0.tgz
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserslist/package.json
Dependency Hierarchy:
build-angular-0.901.9.tgz (Root Library)
❌ browserslist-4.12.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.10
WS-2020-0091 - High Severity Vulnerability
Vulnerable Libraries - http-proxy-1.18.0.tgz , http-proxy-1.15.2.tgz
http-proxy-1.18.0.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-proxy/package.json
Dependency Hierarchy:
http-server-0.12.3.tgz (Root Library)
❌ http-proxy-1.18.0.tgz (Vulnerable Library)
http-proxy-1.15.2.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browser-sync/node_modules/http-proxy/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
❌ http-proxy-1.15.2.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (http-server): 0.13.0
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
CVE-2021-23337 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
custom-webpack-9.1.0.tgz (Root Library)
❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (@angular-builders/custom-webpack): 9.2.0
CVE-2020-8244 - Medium Severity Vulnerability
Vulnerable Library - bl-4.0.2.tgz
Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-4.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bl/package.json
Dependency Hierarchy:
puppeteer-3.0.4.tgz (Root Library)
tar-fs-2.1.0.tgz
tar-stream-2.1.2.tgz
❌ bl-4.0.2.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If attacker-supplied user input (even typed input) ends up as the consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Publish Date: 2020-08-30
URL: CVE-2020-8244
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-pp7h-53gx-mx7r
Release Date: 2020-08-30
Fix Resolution (bl): 4.0.3
Direct dependency fix Resolution (puppeteer): 3.1.0
CVE-2020-7774 - High Severity Vulnerability
Vulnerable Libraries - y18n-4.0.0.tgz , y18n-3.2.1.tgz
y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
Dependency Hierarchy:
compiler-cli-9.1.6.tgz (Root Library)
yargs-15.3.0.tgz
❌ y18n-4.0.0.tgz (Vulnerable Library)
y18n-3.2.1.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grpc/node_modules/y18n/package.json
Dependency Hierarchy:
grpc-1.24.2.tgz (Root Library)
protobufjs-5.0.3.tgz
yargs-3.32.0.tgz
❌ y18n-3.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (@angular/compiler-cli): 9.1.7
Fix Resolution (y18n): 3.2.2
Direct dependency fix Resolution (grpc): 1.24.3
CVE-2021-3749 - High Severity Vulnerability
Vulnerable Library - axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
builders-9.1.1.tgz (Root Library)
browser-sync-2.26.7.tgz
localtunnel-1.9.2.tgz
❌ axios-0.19.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
axios is vulnerable to Inefficient Regular Expression Complexity.
Publish Date: 2021-08-31
URL: CVE-2021-3749
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution (axios): 0.20.0
Direct dependency fix Resolution (@nguniversal/builders): 10.0.0
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Libraries - minimist-0.0.8.tgz , minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grpc/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
grpc-1.24.2.tgz (Root Library)
node-pre-gyp-0.14.0.tgz
mkdirp-0.5.1.tgz
❌ minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grpc/node_modules/minimist/package.json
Dependency Hierarchy:
grpc-1.24.2.tgz (Root Library)
node-pre-gyp-0.14.0.tgz
rc-1.2.8.tgz
❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (grpc): 1.24.3
Fix Resolution (minimist): 1.2.3
Direct dependency fix Resolution (grpc): 1.24.3
CVE-2020-36048 - High Severity Vulnerability
Vulnerable Library - engine.io-3.2.1.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
karma-5.0.5.tgz (Root Library)
socket.io-2.1.1.tgz
❌ engine.io-3.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 43d95e97ba66484d95188f43549075b32ea5ff49
Found in base branch: master
Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 3.6.0
Direct dependency fix Resolution (karma): 6.0.0