homebridge-yi-camera@1.1.6

Vulnerabilities: 2 via 2 paths

Dependencies: 209

Source: npm

Severity: 1 high, 1 medium

high severity

Remote Code Execution (RCE)

  • Vulnerable module: pug
  • Introduced through: pug@2.0.4

Detailed paths

  • Introduced through: homebridge-yi-camera@1.1.6 pug@2.0.4
    Remediation: Upgrade to pug@3.0.1.

Overview

pug is a clean, whitespace-sensitive template language for writing HTML.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user-provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.

Remediation

Upgrade pug to version 3.0.1 or higher.

medium severity

Server-Side Request Forgery (SSRF)

  • Vulnerable module: axios
  • Introduced through: axios@0.18.1

Detailed paths

  • Introduced through: homebridge-yi-camera@1.1.6 axios@0.18.1
    Remediation: Upgrade to axios@0.21.1.

Overview

axios is a promise based HTTP client for the browser and node.js.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). An attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Remediation

Upgrade axios to version 0.21.1 or higher.