jsgiven/jsgiven:js-given/package.json

JavaScript frontend to jgiven.
Vulnerabilities 12 via 3 paths
Dependencies 359
Source GitHub


high severity, patched

Content & Code Injection (XSS)

  • Vulnerable module: marked
  • Introduced through: jgiven-html-app@0.16.2

Vulnerability patched for: jgiven-html-app modernizr marked

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › modernizr@3.3.1 › marked@0.3.5
    Remediation: Run snyk wizard to patch marked@0.3.5.
high severity, ignored

Cross-site Scripting (XSS)

  • Vulnerable module: marked
  • Introduced through: jgiven-html-app@0.16.2
  • Ignored path: jgiven-html-app › modernizr › marked
  • Expires: in a year

Reason: JsGiven's report is a static website, XSS is not an issue.

This issue was ignored via the project's .snyk policy file. To unignore it, update the policy file.

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › modernizr@3.3.1 › marked@0.3.5
high severity, patched

Cross-site Scripting (XSS) via Data URIs

  • Vulnerable module: marked
  • Introduced through: jgiven-html-app@0.16.2

Vulnerability patched for: jgiven-html-app modernizr marked

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › modernizr@3.3.1 › marked@0.3.5
    Remediation: Run snyk wizard to patch marked@0.3.5.
high severity, ignored

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: marked
  • Introduced through: jgiven-html-app@0.16.2
  • Ignored path: jgiven-html-app › modernizr › marked
  • Expires: in 2 years

Reason: JsGiven's report is a static website, it's not subject to DOS attacks.

This issue was ignored via the project's .snyk policy file. To unignore it, update the policy file.

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › modernizr@3.3.1 › marked@0.3.5
    Remediation: Run snyk wizard to patch marked@0.3.5.
medium severity, ignored

Content Security Policy (CSP) Bypass

  • Vulnerable module: angular
  • Introduced through: jgiven-html-app@0.16.2
  • Ignored path: jgiven-html-app › angular
  • Expires: in 2 years

Reason: JsGiven's report is a static website, XSS is not an issue.

This issue was ignored via the project's .snyk policy file. To unignore it, update the policy file.

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › angular@1.5.8
medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: angular
  • Introduced through: jgiven-html-app@0.16.2

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › angular@1.5.8

Overview

angularjs is a toolset for building the framework suited to your application development.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through SVG files if enableSvg is set.

Details

Cross-Site Scripting (XSS) attacks occur when an attacker tricks a user’s browser to execute malicious JavaScript code in the context of a victim’s domain. Such scripts can steal the user’s session cookies for the domain, scrape or modify its content, and perform or modify actions on the user’s behalf, actions typically blocked by the browser’s Same Origin Policy.

These attacks are possible by escaping the context of the web application and injecting malicious scripts into an otherwise trusted website. These scripts can introduce additional attributes (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the client side, unbeknownst to the victim. This occurs when characters like < > " ' are not escaped properly.

There are a few types of XSS:

  • Persistent XSS is an attack in which the malicious code persists into the web app’s database.
  • Reflected XSS is an attack in which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
  • DOM-based XSS is an attack that occurs purely in the browser when client-side JavaScript echoes back a portion of the URL onto the page. DOM-based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.

Remediation

Upgrade angular to version 1.6.9 or higher.

medium severity, ignored

Cross-site Scripting (XSS)

  • Vulnerable module: angular
  • Introduced through: jgiven-html-app@0.16.2
  • Ignored path: jgiven-html-app › angular
  • Expires: in a year

Reason: JsGiven's report is a static website, XSS is not an issue.

This issue was ignored via the project's .snyk policy file. To unignore it, update the policy file.

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › angular@1.5.8
medium severity, ignored

Cross-site Scripting (XSS)

  • Vulnerable module: foundation-sites
  • Introduced through: jgiven-html-app@0.16.2

Reason: JsGiven's report is a static website, XSS is not an issue.

This issue was ignored via the project's .snyk policy file. To unignore it, update the policy file.

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › foundation-sites@5.5.3
medium severity, ignored

Cross-site Scripting (XSS)

  • Vulnerable module: marked
  • Introduced through: jgiven-html-app@0.16.2
  • Ignored path: jgiven-html-app › modernizr › marked
  • Expires: in a year

Reason: JsGiven's report is a static website, XSS is not an issue.

This issue was ignored via the project's .snyk policy file. To unignore it, update the policy file.

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › modernizr@3.3.1 › marked@0.3.5
medium severity, ignored

JSONP Callback Attack

  • Vulnerable module: angular
  • Introduced through: jgiven-html-app@0.16.2
  • Ignored path: jgiven-html-app › angular
  • Expires: in 2 years

Reason: JsGiven's report is a static website, it does not use JSONP.

This issue was ignored via the project's .snyk policy file. To unignore it, update the policy file.

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › angular@1.5.8
low severity

Prototype Pollution

  • Vulnerable module: lodash
  • Introduced through: jgiven-html-app@0.16.2

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › lodash@4.17.3
  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › modernizr@3.3.1 › lodash@4.0.0

Overview

lodash is a JavaScript utility library delivering modularity, performance & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The utility functions allow modification of the Object prototype. If an attacker can control part of the structure passed to these functions, they could add a new property or modify an existing one.

PoC by Olivier Arteau (HoLyVieR)

var _ = require('lodash');
// Payload whose "__proto__" key is walked into by vulnerable lodash (< 4.17.5)
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);            // undefined: no such property yet
_.merge({}, JSON.parse(malicious_payload));   // merge writes "oops" onto Object.prototype
console.log("After : " + a.oops);             // "It works !": every object now inherits it

Remediation

Upgrade lodash to version 4.17.5 or higher.

low severity, patched

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: moment
  • Introduced through: jgiven-html-app@0.16.2

Vulnerability patched for: jgiven-html-app angular-chart.js chart.js moment

Detailed paths

  • Introduced through: js-given@jsgiven/jsgiven › jgiven-html-app@0.16.2 › angular-chart.js@1.0.3 › chart.js@2.7.1 › moment@2.18.1
    Remediation: Run snyk wizard to patch moment@2.18.1.