

Adds vulns for dompurify and tinymce and cleans up some CVEs
eoftedal committed Nov 16, 2023
1 parent f5f17af commit 74bd634
Showing 2 changed files with 142 additions and 31 deletions.
63 changes: 58 additions & 5 deletions repository/jsrepository-master.json
Expand Up @@ -190,7 +190,7 @@
],
"summary": "passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.",
"identifiers": {
"CVE": ["CVE-2020-11023", "CVE-2020-23064"],
"CVE": ["CVE-2020-11023"],
"issue": "4647",
"githubID": "GHSA-jpcq-cgw6-v4j6"
},
Expand Down Expand Up @@ -1109,7 +1109,7 @@
"summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
"identifiers": {
"githubID": "GHSA-27gm-ghr9-4v95",
"CVE": ["CVE-2020-17480"]
"CVE": ["CVE-2020-17480", "CVE-2020-23066"]
},
"severity": "high",
"cwe": ["CWE-79"],
Expand Down Expand Up @@ -1308,6 +1308,35 @@
"severity": "medium",
"cwe": ["CWE-79"],
"info": ["https://github.com/advisories/GHSA-v65r-p3vv-jjfv"]
},
{
"ranges": [
{
"atOrAbove": "0",
"below": "5.10.9"
},
{
"atOrAbove": "6.0.0",
"below": "6.7.3"
}
],
"summary": "TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes",
"cwe": ["CWE-79"],
"severity": "medium",
"identifiers": {
"CVE": ["CVE-2023-48219"],
"githubID": "GHSA-v626-r774-j7f8"
},
"info": [
"https://github.com/advisories/GHSA-v626-r774-j7f8",
"https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8",
"https://nvd.nist.gov/vuln/detail/CVE-2023-48219",
"https://github.com/tinymce/tinymce",
"https://github.com/tinymce/tinymce/releases/tag/5.10.9",
"https://github.com/tinymce/tinymce/releases/tag/6.7.3",
"https://tiny.cloud/docs/release-notes/release-notes5109/",
"https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/"
]
}
],
"extractors": {
Expand Down Expand Up @@ -1831,7 +1860,7 @@
],
"identifiers": {
"PR": "307",
"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"],
"CVE": ["CVE-2010-2273"],
"githubID": "GHSA-536q-8gxx-m782"
},
"severity": "medium",
Expand Down Expand Up @@ -2853,6 +2882,29 @@
"bowername": ["dompurify", "DOMPurify"],
"npmname": "dompurify",
"vulnerabilities": [
{
"ranges": [
{
"atOrAbove": "0",
"below": "1.0.11"
}
],
"summary": "DOMPurify Open Redirect vulnerability",
"cwe": ["CWE-601"],
"severity": "medium",
"identifiers": {
"CVE": ["CVE-2019-25155"],
"githubID": "GHSA-8hgg-xxm5-3873"
},
"info": [
"https://github.com/advisories/GHSA-8hgg-xxm5-3873",
"https://nvd.nist.gov/vuln/detail/CVE-2019-25155",
"https://github.com/cure53/DOMPurify/pull/337",
"https://github.com/cure53/DOMPurify/commit/7601c33a57e029cce51d910eda5179a3f1b51c83",
"https://github.com/cure53/DOMPurify",
"https://github.com/cure53/DOMPurify/compare/1.0.10...1.0.11"
]
},
{
"ranges": [
{
Expand Down Expand Up @@ -3334,7 +3386,7 @@
],
"summary": "Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4",
"identifiers": {
"CVE": ["CVE-2022-31129"],
"CVE": ["CVE-2022-31129", "CVE-2023-22467"],
"githubID": "GHSA-wc69-rhjr-hc9g"
},
"severity": "high",
Expand Down Expand Up @@ -3593,7 +3645,8 @@
],
"summary": "Cross-Site Scripting in bootstrap-select",
"identifiers": {
"githubID": "GHSA-9r7h-6639-v5mw"
"githubID": "GHSA-9r7h-6639-v5mw",
"CVE": ["CVE-2019-20921"]
},
"severity": "high",
"cwe": ["CWE-79"],
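Review bot: CVE-2023-22467, added to the moment ReDoS entry in the `"CVE": ["CVE-2022-31129", "CVE-2023-22467"]` line, is to my knowledge the identifier NVD assigned to the luxon `DateTime.fromRFC2822()` ReDoS rather than to GHSA-wc69-rhjr-hc9g; please confirm against NVD and, if so, drop it here (and from the matching two added lines in jsrepository.json) or place it on a luxon entry, otherwise every moment match will report a CVE that belongs to a different package. The new TinyMCE entry orders its keys `summary`, `cwe`, `severity`, `identifiers`, `info`, while the neighbouring entries use `summary`, `identifiers`, `severity`, `cwe`, `info`; key order carries no meaning in JSON, but following the file's convention keeps diffs and hand review easier. The removals of CVE-2020-23064, CVE-2010-2276 and CVE-2010-2274 carry no recorded reason beyond "cleans up some CVEs"; consumers that suppress or cross-reference findings by CVE id will silently lose those matches, so a one-line rationale per dropped id in the commit message, or a link in the entry's `info` list to the source that justifies the removal, would help both reviewers and downstream users.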
110 changes: 84 additions & 26 deletions repository/jsrepository.json
Expand Up @@ -282,8 +282,7 @@
"identifiers": {
"summary": "passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.",
"CVE": [
"CVE-2020-11023",
"CVE-2020-23064"
"CVE-2020-11023"
],
"issue": "4647",
"githubID": "GHSA-jpcq-cgw6-v4j6"
Expand Down Expand Up @@ -1210,7 +1209,8 @@
"summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
"githubID": "GHSA-27gm-ghr9-4v95",
"CVE": [
"CVE-2020-17480"
"CVE-2020-17480",
"CVE-2020-23066"
]
},
"info": [
Expand Down Expand Up @@ -1280,7 +1280,8 @@
"summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
"githubID": "GHSA-27gm-ghr9-4v95",
"CVE": [
"CVE-2020-17480"
"CVE-2020-17480",
"CVE-2020-23066"
]
},
"info": [
Expand Down Expand Up @@ -1514,6 +1515,31 @@
"https://github.com/advisories/GHSA-v65r-p3vv-jjfv"
]
},
{
"atOrAbove": "0",
"below": "5.10.9",
"cwe": [
"CWE-79"
],
"severity": "medium",
"identifiers": {
"summary": "TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes",
"CVE": [
"CVE-2023-48219"
],
"githubID": "GHSA-v626-r774-j7f8"
},
"info": [
"https://github.com/advisories/GHSA-v626-r774-j7f8",
"https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8",
"https://nvd.nist.gov/vuln/detail/CVE-2023-48219",
"https://github.com/tinymce/tinymce",
"https://github.com/tinymce/tinymce/releases/tag/5.10.9",
"https://github.com/tinymce/tinymce/releases/tag/6.7.3",
"https://tiny.cloud/docs/release-notes/release-notes5109/",
"https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/"
]
},
{
"atOrAbove": "6.0.0",
"below": "6.3.1",
Expand Down Expand Up @@ -1571,6 +1597,31 @@
"info": [
"https://github.com/advisories/GHSA-v65r-p3vv-jjfv"
]
},
{
"atOrAbove": "6.0.0",
"below": "6.7.3",
"cwe": [
"CWE-79"
],
"severity": "medium",
"identifiers": {
"summary": "TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes",
"CVE": [
"CVE-2023-48219"
],
"githubID": "GHSA-v626-r774-j7f8"
},
"info": [
"https://github.com/advisories/GHSA-v626-r774-j7f8",
"https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8",
"https://nvd.nist.gov/vuln/detail/CVE-2023-48219",
"https://github.com/tinymce/tinymce",
"https://github.com/tinymce/tinymce/releases/tag/5.10.9",
"https://github.com/tinymce/tinymce/releases/tag/6.7.3",
"https://tiny.cloud/docs/release-notes/release-notes5109/",
"https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/"
]
}
],
"extractors": {
Expand Down Expand Up @@ -2323,8 +2374,6 @@
"identifiers": {
"PR": "307",
"CVE": [
"CVE-2010-2276",
"CVE-2010-2274",
"CVE-2010-2273"
],
"githubID": "GHSA-536q-8gxx-m782"
Expand All @@ -2350,8 +2399,6 @@
"identifiers": {
"PR": "307",
"CVE": [
"CVE-2010-2276",
"CVE-2010-2274",
"CVE-2010-2273"
],
"githubID": "GHSA-536q-8gxx-m782"
Expand Down Expand Up @@ -2393,8 +2440,6 @@
"identifiers": {
"PR": "307",
"CVE": [
"CVE-2010-2276",
"CVE-2010-2274",
"CVE-2010-2273"
],
"githubID": "GHSA-536q-8gxx-m782"
Expand All @@ -2420,8 +2465,6 @@
"identifiers": {
"PR": "307",
"CVE": [
"CVE-2010-2276",
"CVE-2010-2274",
"CVE-2010-2273"
],
"githubID": "GHSA-536q-8gxx-m782"
Expand All @@ -2447,8 +2490,6 @@
"identifiers": {
"PR": "307",
"CVE": [
"CVE-2010-2276",
"CVE-2010-2274",
"CVE-2010-2273"
],
"githubID": "GHSA-536q-8gxx-m782"
Expand Down Expand Up @@ -2489,8 +2530,6 @@
"identifiers": {
"PR": "307",
"CVE": [
"CVE-2010-2276",
"CVE-2010-2274",
"CVE-2010-2273"
],
"githubID": "GHSA-536q-8gxx-m782"
Expand Down Expand Up @@ -2532,8 +2571,6 @@
"identifiers": {
"PR": "307",
"CVE": [
"CVE-2010-2276",
"CVE-2010-2274",
"CVE-2010-2273"
],
"githubID": "GHSA-536q-8gxx-m782"
Expand All @@ -2559,8 +2596,6 @@
"identifiers": {
"PR": "307",
"CVE": [
"CVE-2010-2276",
"CVE-2010-2274",
"CVE-2010-2273"
],
"githubID": "GHSA-536q-8gxx-m782"
Expand Down Expand Up @@ -2605,8 +2640,6 @@
"identifiers": {
"PR": "307",
"CVE": [
"CVE-2010-2276",
"CVE-2010-2274",
"CVE-2010-2273"
],
"githubID": "GHSA-536q-8gxx-m782"
Expand Down Expand Up @@ -2652,8 +2685,6 @@
"identifiers": {
"PR": "307",
"CVE": [
"CVE-2010-2276",
"CVE-2010-2274",
"CVE-2010-2273"
],
"githubID": "GHSA-536q-8gxx-m782"
Expand Down Expand Up @@ -3883,6 +3914,29 @@
"https://github.com/cure53/DOMPurify/releases/tag/0.9.0"
]
},
{
"atOrAbove": "0",
"below": "1.0.11",
"cwe": [
"CWE-601"
],
"severity": "medium",
"identifiers": {
"summary": "DOMPurify Open Redirect vulnerability",
"CVE": [
"CVE-2019-25155"
],
"githubID": "GHSA-8hgg-xxm5-3873"
},
"info": [
"https://github.com/advisories/GHSA-8hgg-xxm5-3873",
"https://nvd.nist.gov/vuln/detail/CVE-2019-25155",
"https://github.com/cure53/DOMPurify/pull/337",
"https://github.com/cure53/DOMPurify/commit/7601c33a57e029cce51d910eda5179a3f1b51c83",
"https://github.com/cure53/DOMPurify",
"https://github.com/cure53/DOMPurify/compare/1.0.10...1.0.11"
]
},
{
"below": "2.0.3",
"severity": "medium",
Expand Down Expand Up @@ -4484,7 +4538,8 @@
"identifiers": {
"summary": "Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4",
"CVE": [
"CVE-2022-31129"
"CVE-2022-31129",
"CVE-2023-22467"
],
"githubID": "GHSA-wc69-rhjr-hc9g"
},
Expand Down Expand Up @@ -4831,7 +4886,10 @@
],
"identifiers": {
"summary": "Cross-Site Scripting in bootstrap-select",
"githubID": "GHSA-9r7h-6639-v5mw"
"githubID": "GHSA-9r7h-6639-v5mw",
"CVE": [
"CVE-2019-20921"
]
},
"info": [
"https://github.com/snapappointments/bootstrap-select/issues/2199"
