| ID | Severity | Found By | Description | Purl |
|---|---|---|---|---|
| CVE-2020-7645 | critical | GitLab Gemnasium | All versions of chrome-launcher allow execution of arbitrary commands by controlling the `$HOME` environment variable on Linux operating systems. | pkg:npm/chrome-launcher@0.13.4 |
| CVE-2021-44906 | critical | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). | pkg:npm/minimist@1.2.5 |
| CVE-2021-3918 | critical | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | pkg:npm/json-schema@0.2.3 |
| sonatype-2019-0206 | critical | Sonatype OSS-Index | 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request this information using your registered account. | pkg:npm/execa@0.7.0 |
| GMS-2020-2 | critical | GitLab Gemnasium | Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting `preferLocal=true`, which makes execa search for locally installed binaries and execute them. This vulnerability is usually only exploitable when using execa in a client-side LOCAL application. | pkg:npm/execa@0.7.0 |
| sonatype-2021-4879 | high | Sonatype OSS-Index | 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request this information using your registered account. | pkg:npm/minimatch@3.0.4 |
| CVE-2022-25851 | high | Anchore Grype, Sonatype OSS-Index | The package jpeg-js before 0.4.4 is vulnerable to Denial of Service (DoS), where a particular piece of input will cause it to enter an infinite loop and never return. | pkg:npm/jpeg-js@0.4.3 |
| CVE-2021-3807 | high | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807] | pkg:npm/ansi-regex@4.1.0 |
| sonatype-2012-0022 | high | Sonatype OSS-Index | 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request this information using your registered account. | pkg:npm/express@4.17.1 |
| CVE-2021-3807 | high | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807] | pkg:npm/ansi-regex@3.0.0 |
| CVE-2022-24785 | high | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This... | pkg:npm/moment@2.29.1 |
| CVE-2022-31129 | high | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has... | pkg:npm/moment@2.29.1 |
| CVE-2022-21681 | high | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not... | pkg:npm/marked@1.2.9 |
| CVE-2021-21306 | high | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular Expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user-generated code through marked. This vulnerability... | pkg:npm/marked@1.2.9 |
| CVE-2022-21680 | high | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and... | pkg:npm/marked@1.2.9 |
| sonatype-2020-1579 | high | Sonatype OSS-Index | 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request this information using your registered account. | pkg:npm/prismjs@1.24.1 |
| CVE-2021-3801 | medium | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | prism is vulnerable to Inefficient Regular Expression Complexity. | pkg:npm/prismjs@1.24.1 |
| CVE-2022-0155 | medium | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor. | pkg:npm/follow-redirects@1.14.4 |
| CVE-2022-25869 | medium | Sonatype OSS-Index | All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of | pkg:npm/%40angular/core@9.1.13 |
| sonatype-2021-0092 | medium | Sonatype OSS-Index | 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request this information using your registered account. | pkg:npm/%40angular/core@9.1.13 |
| CVE-2022-0235 | medium | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. | pkg:npm/node-fetch@2.6.2 |
| CVE-2022-23647 | medium | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted... | pkg:npm/prismjs@1.24.1 |
| sonatype-2017-0655 | medium | Sonatype OSS-Index | 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request this information using your registered account. | pkg:npm/request@2.88.2 |
| CVE-2022-0536 | medium | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8. | pkg:npm/follow-redirects@1.14.4 |
| CVE-2021-23566 | medium | GitLab Gemnasium, Anchore Grype | The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated. | pkg:npm/nanoid@3.1.25 |
| CVE-2021-4231 | medium | Sonatype OSS-Index | A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to... | pkg:npm/%40angular/core@9.1.13 |
| CVE-2022-33987 | medium | GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index | The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket. | pkg:npm/got@9.6.0 |
| sonatype-2018-0715 | medium | Sonatype OSS-Index | 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request this information using your registered account. | pkg:npm/apollo-client@2.6.10 |
| sonatype-2022-3677 | low | Sonatype OSS-Index | 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request this information using your registered account. | pkg:npm/node-fetch@2.6.2 |
| CVE-2016-10538 | low | Anchore Grype | The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to. | pkg:npm/%40lhci/cli@0.7.2 |