yoswein / vexflow Goto Github PK

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0.
Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.

Publish Date: 2017-04-15

URL: WS-2017-0195

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: jquery/jquery@d12e13d

Release Date: 2016-05-29

Fix Resolution: Replace or update the following files: attr.js, attributes.js

path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• ❌ tough-cookie-2.2.2.tgz (Vulnerable Library)

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.

Publish Date: 2018-09-05

URL: CVE-2016-1000232

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: salesforce/tough-cookie@e4fc2e0

Release Date: 2016-07-21

Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js

path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• ❌ tough-cookie-2.2.2.tgz (Vulnerable Library)

Tough-cookie is a cookie parsing and management library. Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the "Set-Cookie" header, causes the event loop to block for excessive amounts of time.

Publish Date: 2016-07-22

URL: WS-2016-0035

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/130

Release Date: 2016-07-22

Fix Resolution: Upgrade to at least version 2.3.0

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Type: Change files

Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419

Release Date: 2015-10-12

Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js

path: /vexflow/node_modules/mime/package.json

Dependency Hierarchy:

• ❌ mime-1.3.4.tgz (Vulnerable Library)

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0.
Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.

Publish Date: 2017-04-15

URL: WS-2017-0195

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: jquery/jquery@d12e13d

Release Date: 2016-05-29

Fix Resolution: Replace or update the following files: attr.js, attributes.js

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Type: Change files

Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419

Release Date: 2015-10-12

Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Type: Change files

Origin: jquery/jquery@05531fc#diff-bf0908d787469dbf983b3ed33447c516

Release Date: 2012-12-13

Fix Resolution: Replace or update the following files: selector.js, traversing.js, core.js, sizzle, core.js

path: /vexflow/node_modules/handlebars/package.json

Dependency Hierarchy:

• ❌ handlebars-1.3.0.tgz (Vulnerable Library)

Quoteless Attributes in Templates can lead to Content Injection

Publish Date: 2015-12-14

URL: WS-2015-0003

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/61

Release Date: 2015-12-14

Fix Resolution: If you are unable to upgrade to version 4.0.0 or greater you can add quotes to your attributes in your handlebar templates.

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0.
Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.

Publish Date: 2017-04-15

URL: WS-2017-0195

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: jquery/jquery@d12e13d

Release Date: 2016-05-29

Fix Resolution: Replace or update the following files: attr.js, attributes.js

path: /vexflow/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

• ❌ minimatch-0.3.0.tgz (Vulnerable Library)

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\{2}))(\?)|/g,. The problematic portion of the regex is ((?:\{2})) which matches against //.

Publish Date: 2016-06-20

URL: WS-2016-0030

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Updated to version 3.0.2 or greater

path: /vexflow/node_modules/hoek/package.json

Dependency Hierarchy:

• ❌ hoek-2.16.3.tgz (Vulnerable Library)

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Type: Change files

Origin: hapijs/hoek@623667e

Release Date: 2018-02-15

Fix Resolution: Replace or update the following files: index.js, index.js

path: /vexflow/node_modules/slimerjs/node_modules/request/package.json

Dependency Hierarchy:

• ❌ request-2.67.0.tgz (Vulnerable Library)

Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Type: Change files

Origin: request/request@3d31d45

Release Date: 2016-01-19

Fix Resolution: Replace or update the following file: multipart.js

path: /vexflow/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

• ❌ minimatch-0.3.0.tgz (Vulnerable Library)

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

path: /vexflow/node_modules/mime/package.json

Dependency Hierarchy:

• ❌ mime-1.3.4.tgz (Vulnerable Library)

The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Change files

Origin: broofa/mime@1df903f

Release Date: 2017-09-25

Fix Resolution: Replace or update the following file: Mime.js

path: /vexflow/node_modules/cryptiles/package.json

Dependency Hierarchy:

• ❌ cryptiles-2.0.5.tgz (Vulnerable Library)

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

path: /vexflow/node_modules/slimerjs/node_modules/request/package.json

Dependency Hierarchy:

• ❌ request-2.67.0.tgz (Vulnerable Library)

There is a potential remote memory exposure vulnerability in request from version 2.2.5 before version 2.68.0. If the node process makes a request with a multipart attachment, and the type of the body option is a Number, then that many bytes of uninitialized memory will be sent in the body of the request.

Publish Date: 2016-03-22

URL: WS-2016-0025

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

path: /vexflow/node_modules/mime/package.json

Dependency Hierarchy:

• ❌ mime-1.3.4.tgz (Vulnerable Library)

The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Change files

Origin: broofa/mime@1df903f

Release Date: 2017-09-25

Fix Resolution: Replace or update the following file: Mime.js

path: /vexflow/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

• ❌ minimatch-0.3.0.tgz (Vulnerable Library)

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

path: /vexflow/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

• ❌ minimatch-0.3.0.tgz (Vulnerable Library)

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\{2}))(\?)|/g,. The problematic portion of the regex is ((?:\{2})) which matches against //.

Publish Date: 2016-06-20

URL: WS-2016-0030

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Updated to version 3.0.2 or greater

path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• ❌ tough-cookie-2.2.2.tgz (Vulnerable Library)

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.

Publish Date: 2018-09-05

URL: CVE-2016-1000232

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: salesforce/tough-cookie@6156272

Release Date: 2016-07-21

Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js

path: /vexflow/node_modules/slimerjs/node_modules/concat-stream/package.json

Dependency Hierarchy:

• ❌ concat-stream-1.5.0.tgz (Vulnerable Library)

Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if userp provided input is passed into write()

Versions <1.3.0 are not affected due to not using unguarded Buffer constructor.

Publish Date: 2018-04-25

URL: WS-2018-0075

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

path: /vexflow/node_modules/hawk/package.json

Dependency Hierarchy:

• ❌ hawk-3.1.3.tgz (Vulnerable Library)

Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

Publish Date: 2016-04-13

URL: CVE-2016-2515

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/77

Release Date: 2016-01-19

Fix Resolution: Update to hawk version 4.1.1 or greater.

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: jquery/jquery@db9e023

Release Date: 2011-08-25

Fix Resolution: Replace or update the following files: core.js, core.js

path: /vexflow/node_modules/handlebars/node_modules/uglify-js/package.json

Dependency Hierarchy:

• ❌ uglify-js-2.3.6.tgz (Vulnerable Library)

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later

path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• ❌ tough-cookie-2.2.2.tgz (Vulnerable Library)

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Change files

Origin: salesforce/tough-cookie@98e0916

Release Date: 2017-09-21

Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: jquery/jquery@db9e023

Release Date: 2011-08-25

Fix Resolution: Replace or update the following files: core.js, core.js

path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• ❌ tough-cookie-2.2.2.tgz (Vulnerable Library)

Tough-cookie is a cookie parsing and management library. Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the "Set-Cookie" header, causes the event loop to block for excessive amounts of time.

Publish Date: 2016-07-22

URL: WS-2016-0035

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/130

Release Date: 2016-07-22

Fix Resolution: Upgrade to at least version 2.3.0

path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• ❌ tough-cookie-2.2.2.tgz (Vulnerable Library)

Affected version of tough-cookie (2.3.2 and before), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-21

URL: WS-2017-0307

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: salesforce/tough-cookie@98e0916#diff-d721bcd439ec1bdd00213161a426ebd8

Release Date: 2017-09-21

Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: jquery/jquery@db9e023

Release Date: 2011-08-25

Fix Resolution: Replace or update the following files: core.js, core.js

path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• ❌ tough-cookie-2.2.2.tgz (Vulnerable Library)

NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.

Publish Date: 2018-09-05

URL: CVE-2016-1000232

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: salesforce/tough-cookie@6156272

Release Date: 2016-07-21

Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js

path: /vexflow/node_modules/fileset/node_modules/minimatch/package.json

Dependency Hierarchy:

• ❌ minimatch-0.4.0.tgz (Vulnerable Library)

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• ❌ tough-cookie-2.2.2.tgz (Vulnerable Library)

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Change files

Origin: salesforce/tough-cookie@98e0916

Release Date: 2017-09-21

Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js

path: /vexflow/docs/index.html

Dependency Hierarchy:

• ❌ jquery-2.1.0.min.js (Vulnerable Library)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Type: Change files

Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419

Release Date: 2015-10-12

Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js

path: /vexflow/node_modules/open/package.json

Dependency Hierarchy:

• ❌ open-0.0.5.tgz (Vulnerable Library)

All versions of open are vulnerable to command injection when unsanitized user input is passed in.

Publish Date: 2018-05-16

URL: WS-2018-0107

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/663

Release Date: 2018-05-16

Fix Resolution: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Type: Change files

Origin: jquery/jquery@05531fc#diff-bf0908d787469dbf983b3ed33447c516

Release Date: 2012-12-13

Fix Resolution: Replace or update the following files: selector.js, traversing.js, core.js, sizzle, core.js

path: /vexflow/node_modules/mime/package.json

Dependency Hierarchy:

• ❌ mime-1.3.4.tgz (Vulnerable Library)

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

path: /vexflow/node_modules/mime/package.json

Dependency Hierarchy:

• ❌ mime-1.3.4.tgz (Vulnerable Library)

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Type: Change files

Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419

Release Date: 2015-10-12

Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js

path: /vexflow/node_modules/utile/package.json

Dependency Hierarchy:

• ❌ utile-0.2.1.tgz (Vulnerable Library)

utile allocates uninitialized Buffers when number is passed in input.
Before version 0.3.0

Publish Date: 2018-07-16

URL: WS-2018-0148

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

path: /vexflow/node_modules/mime/package.json

Dependency Hierarchy:

• ❌ mime-1.3.4.tgz (Vulnerable Library)

The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Change files

Origin: broofa/mime@1df903f

Release Date: 2017-09-25

Fix Resolution: Replace or update the following file: Mime.js

path: /vexflow/src/transform.html

Dependency Hierarchy:

• ❌ jquery-1.4.4.min.js (Vulnerable Library)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Type: Change files

Origin: jquery/jquery@05531fc

Release Date: 2012-12-13

Fix Resolution: Replace or update the following files: selector.js, traversing.js, core.js, sizzle, core.js

path: /vexflow/node_modules/slimerjs/node_modules/tunnel-agent/package.json

Dependency Hierarchy:

• ❌ tunnel-agent-0.4.3.tgz (Vulnerable Library)

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2018-04-25

URL: WS-2018-0076

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

path: /vexflow/docs/index.html

Dependency Hierarchy:

• ❌ jquery-2.1.0.min.js (Vulnerable Library)

In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0.
Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.

Publish Date: 2017-04-15

URL: WS-2017-0195

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Change files

Origin: jquery/jquery@d12e13d

Release Date: 2016-05-29

Fix Resolution: Replace or update the following files: attr.js, attributes.js

path: /vexflow/node_modules/jscs/node_modules/lodash/package.json

Dependency Hierarchy:

• ❌ lodash-3.10.1.tgz (Vulnerable Library)

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3721

Fix Resolution: Upgrade to version lodash 4.17.5 or greater

path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• ❌ tough-cookie-2.2.2.tgz (Vulnerable Library)

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Change files

Origin: salesforce/tough-cookie@98e0916

Release Date: 2017-09-21

Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js

path: /vexflow/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

• ❌ minimatch-0.3.0.tgz (Vulnerable Library)

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

path: /vexflow/node_modules/handlebars/node_modules/uglify-js/package.json

Dependency Hierarchy:

• ❌ uglify-js-2.3.6.tgz (Vulnerable Library)

UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.

Publish Date: 2015-08-24

URL: WS-2015-0024

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/39

Release Date: 2015-08-24

Fix Resolution: Upgrade UglifyJS to version >= 2.4.24.

path: /vexflow/node_modules/fileset/node_modules/minimatch/package.json

Dependency Hierarchy:

• ❌ minimatch-0.4.0.tgz (Vulnerable Library)

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\{2}))(\?)|/g,. The problematic portion of the regex is ((?:\{2})) which matches against //.

Publish Date: 2016-06-20

URL: WS-2016-0030

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Updated to version 3.0.2 or greater

path: /vexflow/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

• ❌ minimatch-0.3.0.tgz (Vulnerable Library)

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\{2}))(\?)|/g,. The problematic portion of the regex is ((?:\{2})) which matches against //.

Publish Date: 2016-06-20

URL: WS-2016-0030

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Updated to version 3.0.2 or greater