MichMich/MagicMirror

The open source modular smart mirror platform.
Vulnerabilities 12 via 12 paths
Dependencies 323
Source GitHub
Commit 20823bfc

high severity

Arbitrary Code Execution

  • Vulnerable module: electron
  • Introduced through: electron@1.4.15

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 electron@1.4.15
    Remediation: Upgrade to electron@1.6.14.

Overview

electron is a framework that lets you write cross-platform desktop applications.

An arbitrary code execution vulnerability was discovered in Google Chromium, affecting many versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the sandbox option is enabled.

Remediation

Upgrade electron to version 1.6.14, 1.7.8 or higher.

References

high severity

Arbitrary Code Injection

  • Vulnerable module: growl
  • Introduced through: mocha-logger@1.0.5

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 mocha-logger@1.0.5 mocha@3.5.3 growl@1.9.2

Overview

growl is a package adding Growl support for Node.js.

Affected versions of the package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides the eval() function by default; it is used to translate strings into JavaScript code. An attacker can craft a malicious payload to inject arbitrary commands.

Remediation

Upgrade growl to version 1.10.0 or higher.

References

high severity

Directory Traversal

  • Vulnerable module: electron
  • Introduced through: electron@1.4.15

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 electron@1.4.15
    Remediation: Upgrade to electron@1.6.16.

Overview

electron is a framework that lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Electron apps running on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.

Note: macOS and Linux are not affected by this vulnerability.

Remediation

Upgrade electron to version 1.6.16 or higher.

References

high severity

Uninitialized Memory Exposure

  • Vulnerable module: electron
  • Introduced through: electron@1.4.15

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 electron@1.4.15
    Remediation: Upgrade to electron@1.6.1.

Overview

electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application.

Affected versions of the package are vulnerable to Uninitialized Memory Exposure. The Buffer class in Node.js is available as a global even if the nodeintegration attribute is not added, which could allow uninitialized memory to be concatenated into a Buffer.

This results from unrestricted use of the Buffer constructor, whose insecure default behaviour increases the odds of leaking memory contents.

Remediation

Upgrade electron to version 1.6.1 or higher.

References

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: electron
  • Introduced through: electron@1.4.15

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 electron@1.4.15
    Remediation: Upgrade to electron@1.6.8.

Overview

electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. A new window opened from within a window that had JavaScript disabled would have JavaScript enabled by default.

Remediation

Upgrade electron to version 1.6.8 or higher.

References

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: electron
  • Introduced through: electron@1.4.15

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 electron@1.4.15
    Remediation: Upgrade to electron@1.6.8.

Overview

electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks.

When using user input to perform tasks on the server, characters like < > " ' must be escaped properly. Otherwise, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template.

Remediation

Upgrade electron to version 1.6.8 or higher.

References

medium severity

Denial of Service (DoS)

  • Vulnerable module: electron
  • Introduced through: electron@1.4.15

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 electron@1.4.15
    Remediation: Upgrade to electron@1.6.8.

Overview

electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application.

Affected versions of the package are vulnerable to Denial of Service (DoS). Valid frame names passed into window.open would throw errors and cause the service to crash.

Remediation

Upgrade electron to version 1.6.8 or higher.

References

medium severity

Denial of Service (DoS)

  • Vulnerable module: electron
  • Introduced through: electron@1.4.15

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 electron@1.4.15
    Remediation: Upgrade to electron@1.6.8.

Overview

electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application.

Affected versions of the package are vulnerable to Denial of Service (DoS). When specifying webPreferences in the features parameter to the window.open function, it would throw an error in the main process and cause the service to crash.

Remediation

Upgrade electron to version 1.6.8 or higher.

References

medium severity

URL Spoofing

  • Vulnerable module: electron
  • Introduced through: electron@1.4.15

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 electron@1.4.15
    Remediation: Upgrade to electron@1.7.6.

Overview

Electron is a framework that lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to URL Spoofing when opening PDFs in PDFium, resulting in the loading of arbitrary PDFs that an attacker can control.

Remediation

Upgrade Electron to version 1.7.6 or higher.

References

low severity

Denial of Service (DoS)

  • Vulnerable module: electron
  • Introduced through: electron@1.4.15

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 electron@1.4.15
    Remediation: Upgrade to electron@1.6.8.

Overview

electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application.

Affected versions of the package are vulnerable to Denial of Service (DoS). Certain built-in window APIs like alert, confirm, open, history.go, and postMessage would throw errors in the main process instead of the renderer processes when the arguments were invalid, causing the service to crash.

Remediation

Upgrade electron to version 1.6.8 or higher.

References

low severity

Prototype Pollution

  • Vulnerable module: lodash
  • Introduced through: express-ipfilter@0.3.1

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 express-ipfilter@0.3.1 lodash@3.10.1

Overview

lodash is a JavaScript utility library delivering modularity, performance & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The utility functions allow modification of the Object prototype. If an attacker can control part of the structure passed to these functions, they could add a new property or modify an existing one.

PoC by Olivier Arteau (HoLyVieR)

var _ = require('lodash');
// A JSON document with an own "__proto__" key; JSON.parse keeps it as a plain key.
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops); // undefined: "oops" is not defined anywhere yet
// Vulnerable _.merge walks into target.__proto__ (Object.prototype) and writes "oops" there.
_.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops); // "It works !" - the unrelated object a now inherits it

Remediation

Upgrade lodash to version 4.17.5 or higher.

References

low severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: debug
  • Introduced through: mocha-logger@1.0.5

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#20823bfc87f387b3d29a30815da9d72e6300c0a9 mocha-logger@1.0.5 mocha@3.5.3 debug@2.6.8
    Remediation: Run snyk wizard to patch debug@2.6.8.

Overview

debug is a JavaScript debugging utility modelled after Node.js core's debugging technique.

debug uses printf-style formatting. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks via the %o formatter (pretty-print an Object all on a single line). It used the regular expression /\s*\n\s*/g to strip whitespace and replace newlines with spaces in order to join the data into a single line. The impact is very low: about 2 seconds of matching time for data 50k characters long.

Regular Expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many regular expression implementations can reach extreme situations in which they work very slowly (exponentially in the input size). An attacker can force the program into such a situation with a specially crafted input, causing the service to consume excessive CPU and resulting in a Denial of Service.

Remediation

Upgrade debug to version 2.6.9, 3.1.0 or higher.

References