yoswein / vexflow
This project forked from 0xfe/vexflow
A JavaScript library for rendering music notation and guitar tablature.
Home Page: http://www.vexflow.com
License: Other
path: /vexflow/src/transform.html
Dependency Hierarchy:
In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0.
Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.
Publish Date: 2017-04-15
URL: WS-2017-0195
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@d12e13d
Release Date: 2016-05-29
Fix Resolution: Replace or update the following files: attr.js, attributes.js
Want to learn more about the open source vulnerabilities in your products? Click here
path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json
Dependency Hierarchy:
NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appears to be exploitable via a custom HTTP header passed by the client. This vulnerability appears to have been fixed in 2.3.0.
Publish Date: 2018-09-05
URL: CVE-2016-1000232
Base Score Metrics:
Type: Change files
Origin: salesforce/tough-cookie@e4fc2e0
Release Date: 2016-07-21
Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js
path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json
Dependency Hierarchy:
Tough-cookie is a cookie parsing and management library. Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the "Set-Cookie" header, causes the event loop to block for excessive amounts of time.
Publish Date: 2016-07-22
URL: WS-2016-0035
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/130
Release Date: 2016-07-22
Fix Resolution: Upgrade to at least version 2.3.0
path: /vexflow/src/transform.html
Dependency Hierarchy:
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419
Release Date: 2015-10-12
Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js
path: /vexflow/node_modules/mime/package.json
Dependency Hierarchy:
Affected versions of mime (1.0.0 through 1.4.0 and 2.0.0 through 2.0.2) are vulnerable to regular expression denial of service.
Publish Date: 2017-09-27
URL: WS-2017-0330
Base Score Metrics:
path: /vexflow/src/transform.html
Dependency Hierarchy:
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@05531fc#diff-bf0908d787469dbf983b3ed33447c516
Release Date: 2012-12-13
Fix Resolution: Replace or update the following files: selector.js, traversing.js, core.js, sizzle, core.js
path: /vexflow/node_modules/handlebars/package.json
Dependency Hierarchy:
Quoteless Attributes in Templates can lead to Content Injection
Publish Date: 2015-12-14
URL: WS-2015-0003
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/61
Release Date: 2015-12-14
Fix Resolution: If you are unable to upgrade to version 4.0.0 or greater you can add quotes to your attributes in your handlebar templates.
path: /vexflow/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json
Dependency Hierarchy:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\{2}))(\?)|/g,. The problematic portion of the regex is ((?:\{2})) which matches against //.
Publish Date: 2016-06-20
URL: WS-2016-0030
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Updated to version 3.0.2 or greater
path: /vexflow/node_modules/hoek/package.json
Dependency Hierarchy:
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-03-30
URL: CVE-2018-3728
Base Score Metrics:
Type: Change files
Origin: hapijs/hoek@623667e
Release Date: 2018-02-15
Fix Resolution: Replace or update the following files: index.js, index.js
path: /vexflow/node_modules/slimerjs/node_modules/request/package.json
Dependency Hierarchy:
Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of bytes of non-zeroed memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.
Publish Date: 2018-06-04
URL: CVE-2017-16026
Base Score Metrics:
Type: Change files
Origin: request/request@3d31d45
Release Date: 2016-01-19
Fix Resolution: Replace or update the following file: multipart.js
path: /vexflow/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json
Dependency Hierarchy:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Update to version 3.0.2 or later.
path: /vexflow/node_modules/mime/package.json
Dependency Hierarchy:
The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
Base Score Metrics:
Type: Change files
Origin: broofa/mime@1df903f
Release Date: 2017-09-25
Fix Resolution: Replace or update the following file: Mime.js
path: /vexflow/node_modules/cryptiles/package.json
Dependency Hierarchy:
Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method, which makes it more likely that an attacker can brute force a value that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
Base Score Metrics:
path: /vexflow/node_modules/slimerjs/node_modules/request/package.json
Dependency Hierarchy:
There is a potential remote memory exposure vulnerability in request from version 2.2.5 before version 2.68.0. If the node process makes a request with a multipart attachment, and the type of the body option is a Number, then that many bytes of uninitialized memory will be sent in the body of the request.
Publish Date: 2016-03-22
URL: WS-2016-0025
Base Score Metrics:
path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json
Dependency Hierarchy:
NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been fixed in 2.3.0.
Publish Date: 2018-09-05
URL: CVE-2016-1000232
Base Score Metrics:
Type: Change files
Origin: salesforce/tough-cookie@6156272
Release Date: 2016-07-21
Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js
path: /vexflow/node_modules/slimerjs/node_modules/concat-stream/package.json
Dependency Hierarchy:
Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write().
Versions <1.3.0 are not affected due to not using unguarded Buffer constructor.
Publish Date: 2018-04-25
URL: WS-2018-0075
Base Score Metrics:
path: /vexflow/node_modules/hawk/package.json
Dependency Hierarchy:
Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.
Publish Date: 2016-04-13
URL: CVE-2016-2515
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/77
Release Date: 2016-01-19
Fix Resolution: Update to hawk version 4.1.1 or greater.
path: /vexflow/src/transform.html
Dependency Hierarchy:
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@db9e023
Release Date: 2011-08-25
Fix Resolution: Replace or update the following files: core.js, core.js
path: /vexflow/node_modules/handlebars/node_modules/uglify-js/package.json
Dependency Hierarchy:
Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed into .parse().
Publish Date: 2015-10-24
URL: WS-2015-0017
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/48
Release Date: 2015-10-24
Fix Resolution: Update to version 2.6.0 or later
path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json
Dependency Hierarchy:
A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.
Publish Date: 2017-10-04
URL: CVE-2017-15010
Base Score Metrics:
Type: Change files
Origin: salesforce/tough-cookie@98e0916
Release Date: 2017-09-21
Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js
path: /vexflow/node_modules/slimerjs/node_modules/tough-cookie/package.json
Dependency Hierarchy:
Affected versions of tough-cookie (2.3.2 and before) are vulnerable to regular expression denial of service.
Publish Date: 2017-09-21
URL: WS-2017-0307
Base Score Metrics:
Type: Change files
Origin: salesforce/tough-cookie@98e0916#diff-d721bcd439ec1bdd00213161a426ebd8
Release Date: 2017-09-21
Fix Resolution: Replace or update the following files: parsing_test.js, cookie.js
path: /vexflow/node_modules/fileset/node_modules/minimatch/package.json
Dependency Hierarchy:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Update to version 3.0.2 or later.
path: /vexflow/docs/index.html
Dependency Hierarchy:
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419
Release Date: 2015-10-12
Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js
path: /vexflow/node_modules/open/package.json
Dependency Hierarchy:
All versions of open are vulnerable to command injection when unsanitized user input is passed in.
Publish Date: 2018-05-16
URL: WS-2018-0107
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/663
Release Date: 2018-05-16
Fix Resolution: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.
path: /vexflow/node_modules/utile/package.json
Dependency Hierarchy:
utile before version 0.3.0 allocates uninitialized Buffers when a number is passed in input.
Publish Date: 2018-07-16
URL: WS-2018-0148
Base Score Metrics:
path: /vexflow/src/transform.html
Dependency Hierarchy:
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@05531fc
Release Date: 2012-12-13
Fix Resolution: Replace or update the following files: selector.js, traversing.js, core.js, sizzle, core.js
path: /vexflow/node_modules/slimerjs/node_modules/tunnel-agent/package.json
Dependency Hierarchy:
Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.
This is exploitable if user supplied input is provided to the auth value and is a number.
Publish Date: 2018-04-25
URL: WS-2018-0076
Base Score Metrics:
path: /vexflow/docs/index.html
Dependency Hierarchy:
In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0.
Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.
Publish Date: 2017-04-15
URL: WS-2017-0195
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@d12e13d
Release Date: 2016-05-29
Fix Resolution: Replace or update the following files: attr.js, attributes.js
path: /vexflow/node_modules/jscs/node_modules/lodash/package.json
Dependency Hierarchy:
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3721
Fix Resolution: Upgrade to version lodash 4.17.5 or greater
path: /vexflow/node_modules/handlebars/node_modules/uglify-js/package.json
Dependency Hierarchy:
UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.
Publish Date: 2015-08-24
URL: WS-2015-0024
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/39
Release Date: 2015-08-24
Fix Resolution: Upgrade UglifyJS to version >= 2.4.24.
path: /vexflow/node_modules/fileset/node_modules/minimatch/package.json
Dependency Hierarchy:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\{2}))(\?)|/g,. The problematic portion of the regex is ((?:\{2})) which matches against //.
Publish Date: 2016-06-20
URL: WS-2016-0030
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Updated to version 3.0.2 or greater