yoswein / webgoat_2.0 Goto Github PK

Vulnerable Libraries - tar-2.2.1.tgz, tar-4.4.1.tgz

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-04-30

Fix Resolution (tar): 2.2.2

Direct dependency fix Resolution (gulp-sass): 4.1.0

Fix Resolution (tar): 4.4.2

Direct dependency fix Resolution (browser-sync): 2.26.4

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-06-04

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.

Publish Date: 2018-12-04

URL: CVE-2018-19837

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.5.5

Release Date: 2018-12-04

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (gulp-sass): 4.1.0

Vulnerable Libraries - lodash.mergewith-4.6.1.tgz, lodash.template-4.4.0.tgz, lodash-4.17.11.tgz, lodash-4.17.10.tgz

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.mergewith): 4.6.2

Direct dependency fix Resolution (gulp-sass): 4.1.0

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (gulp-header): 2.0.8

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (browser-sync): 2.26.4

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (gulp-uglify): 3.0.2

Vulnerable Library - postcss-7.0.2.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.2.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/postcss/package.json

Dependency Hierarchy:

• gulp-autoprefixer-6.0.0.tgz (Root Library)
  • ❌ postcss-7.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (gulp-autoprefixer): 6.1.0

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-05-26

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (gulp-sass): 4.1.0

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/kind-of/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • chokidar-2.0.4.tgz
    • anymatch-2.0.0.tgz
      • micromatch-3.1.10.tgz
        • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2020-08-24

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (browser-sync): 2.26.4

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-03

URL: CVE-2018-19797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-12-03

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.

Publish Date: 2019-11-06

URL: CVE-2019-18797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-18797

Release Date: 2019-11-08

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (gulp-sass): 4.1.0

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2019-07-23

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (browser-sync): 2.26.4

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (browser-sync): 2.26.4

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/path-parse/package.json

Dependency Hierarchy:

• gulp-4.0.0.tgz (Root Library)
  • gulp-cli-2.0.1.tgz
    • liftoff-2.5.0.tgz
      • resolve-1.9.0.tgz
        • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (gulp): 4.0.1

Vulnerable Libraries - bootstrap-4.2.1.tgz, bootstrap-3.1.1.min.js

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: 4.3.1

Vulnerable Library - ua-parser-js-0.7.17.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • ❌ ua-parser-js-0.7.17.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: 2020-09-16

URL: CVE-2020-7733

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733

Release Date: 2020-09-16

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (browser-sync): 2.26.9

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6284

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2020-08-24

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0

Vulnerable Library - bootstrap-3.1.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/js/bootstrap.min.js

Path to vulnerable library: /webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js,/webgoat-container/target/classes/static/plugins/bootstrap/js/bootstrap.min.js,/webgoat-container/src/main/resources/static/plugins/bootstrap/js/bootstrap.min.js

Dependency Hierarchy:

• ❌ bootstrap-3.1.1.min.js (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/ini/package.json

Dependency Hierarchy:

• gulp-4.0.0.tgz (Root Library)
  • gulp-cli-2.0.1.tgz
    • liftoff-2.5.0.tgz
      • findup-sync-2.0.0.tgz
        • resolve-dir-1.0.1.tgz
          • global-modules-1.0.0.tgz
            • global-prefix-1.0.2.tgz
              • ❌ ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (gulp): 4.0.1

Vulnerable Libraries - jquery-2.1.4.min.js, jquery-2.2.3.js

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11695

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: sass/libsass#2664

Release Date: 2018-06-04

Fix Resolution: node-sass - 4.9.0

Vulnerable Libraries - jquery-3.3.1.tgz, jquery-3.4.1.min.js, jquery-2.1.4.min.js, jquery-2.2.3.js

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: 3.5.0

Vulnerable Library - ua-parser-js-0.7.17.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • ❌ ua-parser-js-0.7.17.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Publish Date: 2020-12-11

URL: CVE-2020-7793

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: faisalman/ua-parser-js@6d1f26d

Release Date: 2020-12-11

Fix Resolution (ua-parser-js): 0.7.23

Direct dependency fix Resolution (browser-sync): 2.26.9

Vulnerable Library - lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/gulp-uglify/node_modules/lodash/package.json

Dependency Hierarchy:

• gulp-uglify-3.0.1.tgz (Root Library)
  • ❌ lodash-4.17.10.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (gulp-uglify): 3.0.2

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11696

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.5.5

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (gulp-sass): 4.1.0

Vulnerable Library - lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/gulp-uglify/node_modules/lodash/package.json

Dependency Hierarchy:

• gulp-uglify-3.0.1.tgz (Root Library)
  • ❌ lodash-4.17.10.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2020-09-30

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (gulp-uglify): 3.0.2

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

Publish Date: 2021-01-11

URL: CVE-2020-24025

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-24025

Release Date: 2021-01-11

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0

Vulnerable Library - axios-0.17.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.17.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/axios/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • localtunnel-1.9.1.tgz
    • ❌ axios-0.17.1.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: axios/axios@c7329fe

Release Date: 2020-11-06

Fix Resolution (axios): 0.21.1

Direct dependency fix Resolution (browser-sync): 2.26.9

Vulnerable Library - chownr-1.0.1.tgz

like `chown -R`

Library home page: https://registry.npmjs.org/chownr/-/chownr-1.0.1.tgz

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • chokidar-2.0.4.tgz
    • fsevents-1.2.4.tgz
      • node-pre-gyp-0.10.0.tgz
        • tar-4.4.1.tgz
          • ❌ chownr-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.

Publish Date: 2020-06-15

URL: CVE-2017-18869

CVSS 3 Score Details (2.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18869

Release Date: 2020-06-15

Fix Resolution (chownr): 1.1.0

Direct dependency fix Resolution (browser-sync): 2.26.4

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-06-04

Fix Resolution (node-sass): 4.14.0

Direct dependency fix Resolution (gulp-sass): 4.1.0

Vulnerable Library - underscore-min-1.10.2.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.10.2/underscore-min.js

Path to vulnerable library: /webgoat-container/src/main/resources/static/js/libs/underscore-min.js,/webgoat-container/target/classes/static/js/libs/underscore-min.js

Dependency Hierarchy:

• ❌ underscore-min-1.10.2.js (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution: underscore - 1.12.1,1.13.0-2

Vulnerable Library - bootstrap-3.1.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/js/bootstrap.min.js

Path to vulnerable library: /webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js,/webgoat-container/target/classes/static/plugins/bootstrap/js/bootstrap.min.js,/webgoat-container/src/main/resources/static/plugins/bootstrap/js/bootstrap.min.js

Dependency Hierarchy:

• ❌ bootstrap-3.1.1.min.js (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

Vulnerable Libraries - lodash-4.17.11.tgz, lodash-4.17.10.tgz

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (browser-sync): 2.26.4

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (gulp-uglify): 3.0.2

Vulnerable Library - socket.io-2.1.1.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/socket.io/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • ❌ socket.io-2.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Publish Date: 2021-01-19

URL: CVE-2020-28481

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481

Release Date: 2021-01-19

Fix Resolution (socket.io): 2.4.0

Direct dependency fix Resolution (browser-sync): 2.26.14-y.1

Vulnerable Libraries - jquery-3.3.1.tgz, jquery-3.4.1.min.js, jquery-2.1.4.min.js, jquery-2.2.3.js

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: 3.5.0

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Publish Date: 2018-12-04

URL: CVE-2018-19839

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-12-04

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • chokidar-2.0.4.tgz
    • braces-2.3.2.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (browser-sync): 2.26.4

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().

Publish Date: 2018-12-04

URL: CVE-2018-19838

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.5.5

Release Date: 2018-12-04

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0

Vulnerable Library - axios-0.17.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.17.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/axios/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • localtunnel-1.9.1.tgz
    • ❌ axios-0.17.1.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: axios/axios#1098

Release Date: 2019-05-07

Fix Resolution (axios): 0.18.1

Direct dependency fix Resolution (browser-sync): 2.26.6

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-10-29

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (browser-sync): 2.26.4

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (browser-sync): 2.26.4

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.5.5

Release Date: 2018-06-04

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0

Vulnerable Library - object-path-0.9.2.tgz

Access deep properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/object-path/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • eazy-logger-3.0.2.tgz
    • tfunk-3.1.0.tgz
      • ❌ object-path-0.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cwx2-736x-mf6w

Release Date: 2020-10-19

Fix Resolution (object-path): 0.11.5

Direct dependency fix Resolution (browser-sync): 2.26.4

Vulnerable Libraries - jquery-3.3.1.tgz, jquery-2.1.4.min.js, jquery-2.2.3.js

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Library - ua-parser-js-0.7.17.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • ❌ ua-parser-js-0.7.17.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: 2021-03-17

URL: CVE-2021-27292

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/faisalman/ua-parser-js/releases/tag/0.7.24

Release Date: 2021-03-17

Fix Resolution (ua-parser-js): 0.7.24

Direct dependency fix Resolution (browser-sync): 2.26.9

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • browser-sync-ui-2.26.2.tgz
    • socket.io-client-2.2.0.tgz
      • engine.io-client-3.3.1.tgz
        • ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (browser-sync): 2.26.14-y.1

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • browser-sync-ui-2.26.2.tgz
    • socket.io-client-2.2.0.tgz
      • engine.io-client-3.3.1.tgz
        • ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

CVSS 3 Score Details (9.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (browser-sync): 2.26.14-y.1

Vulnerable Libraries - lodash-4.17.11.tgz, lodash-4.17.10.tgz

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (browser-sync): 2.26.4

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (gulp-uglify): 3.0.2

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/y18n/package.json

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • yargs-6.4.0.tgz
    • ❌ y18n-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (browser-sync): 2.26.4

Vulnerable Libraries - lodash-4.17.11.tgz, lodash-4.17.10.tgz

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (browser-sync): 2.26.4

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (gulp-uglify): 3.0.2

Vulnerable Library - copy-props-2.0.4.tgz

Copy properties deeply between two objects.

Library home page: https://registry.npmjs.org/copy-props/-/copy-props-2.0.4.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/copy-props/package.json

Dependency Hierarchy:

• gulp-4.0.0.tgz (Root Library)
  • gulp-cli-2.0.1.tgz
    • ❌ copy-props-2.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

The package copy-props before 2.0.5 are vulnerable to Prototype Pollution via the main functionality.

Publish Date: 2021-03-23

URL: CVE-2020-28503

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/copy-props/releases/tag/2.0.5

Release Date: 2021-03-23

Fix Resolution (copy-props): 2.0.5

Direct dependency fix Resolution (gulp): 4.0.1

Vulnerable Library - node-sass-4.11.0.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-4.11.0.tgz

Dependency Hierarchy:

• gulp-sass-4.0.2.tgz (Root Library)
  • ❌ node-sass-4.11.0.tgz (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-12-03

URL: CVE-2018-19827

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sass/libsass/releases/tag/3.6.0

Release Date: 2018-12-03

Fix Resolution (node-sass): 5.0.0

Direct dependency fix Resolution (gulp-sass): 5.0.0

Vulnerable Library - bootstrap-3.1.1.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/js/bootstrap.min.js

Path to vulnerable library: /webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js,/webgoat-container/target/classes/static/plugins/bootstrap/js/bootstrap.min.js,/webgoat-container/src/main/resources/static/plugins/bootstrap/js/bootstrap.min.js

Dependency Hierarchy:

• ❌ bootstrap-3.1.1.min.js (Vulnerable Library)

Found in HEAD commit: 4d038f6521e1205e037211e7c3dcc92a82448d22

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0