angular-0.0.1.tgz: 38 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (angular version)	Remediation Possible**
CVE-2023-3696	Critical	9.8	mongoose-2.5.13.tgz	Transitive	1.0.0	✅
CVE-2022-2564	Critical	9.8	mongoose-2.5.13.tgz	Transitive	1.0.0	✅
CVE-2020-7610	Critical	9.8	bson-0.0.4.tgz	Transitive	1.0.0	✅
CVE-2019-17426	Critical	9.1	mongoose-2.5.13.tgz	Transitive	1.0.0	✅
WS-2014-0005	High	7.5	qs-0.4.2.tgz	Transitive	1.0.0	✅
CVE-2019-10768	High	7.5	angular-0.0.1.tgz	Direct	1.7.9	✅
CVE-2017-16138	High	7.5	mime-1.2.4.tgz	Transitive	1.0.0	✅
CVE-2017-1000048	High	7.5	qs-0.4.2.tgz	Transitive	1.0.0	✅
CVE-2014-10064	High	7.5	qs-0.4.2.tgz	Transitive	1.0.0	✅
WS-2017-0126	Medium	6.5	angular-0.0.1.tgz	Direct	1.2.2	✅
WS-2017-0121	Medium	6.5	angular-0.0.1.tgz	Direct	1.4.0	✅
WS-2018-0022	Medium	6.1	angular-0.0.1.tgz	Direct	1.6.9	✅
WS-2018-0001	Medium	6.1	angular-0.0.1.tgz	Direct	1.6.0	✅
WS-2013-0004	Medium	6.1	connect-1.9.2.tgz	Transitive	1.0.0	✅
CVE-2024-29041	Medium	6.1	express-2.5.8.tgz	Transitive	1.0.0	✅
CVE-2019-14863	Medium	6.1	angular-0.0.1.tgz	Direct	1.5.0	✅
CVE-2013-7371	Medium	6.1	connect-1.9.2.tgz	Transitive	1.0.0	✅
CVE-2013-7370	Medium	6.1	connect-1.9.2.tgz	Transitive	1.0.0	✅
WS-2018-0077	Medium	5.9	mongoose-2.5.13.tgz	Transitive	1.0.0	✅
WS-2017-0118	Medium	5.8	angular-0.0.1.tgz	Direct	1.5.1	✅
WS-2017-0117	Medium	5.8	angular-0.0.1.tgz	Direct	1.4.10	✅
WS-2017-0116	Medium	5.8	angular-0.0.1.tgz	Direct	1.5.0	✅
CVE-2020-7676	Medium	5.4	angular-0.0.1.tgz	Direct	1.8.0	✅
WS-2017-0124	Medium	5.3	angular-0.0.1.tgz	Direct	1.3.0	✅
WS-2013-0003	Medium	5.3	connect-1.9.2.tgz	Transitive	1.0.0	✅
CVE-2023-26118	Medium	5.3	angular-0.0.1.tgz	Direct	N/A	❌
CVE-2023-26117	Medium	5.3	angular-0.0.1.tgz	Direct	N/A	❌
CVE-2023-26116	Medium	5.3	angular-0.0.1.tgz	Direct	N/A	❌
CVE-2024-43796	Medium	5.0	express-2.5.8.tgz	Transitive	N/A*	❌
WS-2017-0125	Medium	4.8	angular-0.0.1.tgz	Direct	1.2.27	✅
WS-2017-0122	Medium	4.8	angular-0.0.1.tgz	Direct	1.3.2	✅
CVE-2024-8373	Medium	4.8	angular-0.0.1.tgz	Direct	N/A	❌
WS-2017-0268	Medium	4.7	angular-0.0.1.tgz	Direct	1.6.5	✅
CVE-2024-9266	Medium	4.7	express-2.5.8.tgz	Transitive	1.0.0	✅
CVE-2022-25869	Medium	4.2	angular-0.0.1.tgz	Direct	N/A	❌
CVE-2019-2391	Medium	4.2	bson-0.0.4.tgz	Transitive	1.0.0	✅
CVE-2024-10491	Medium	4.0	express-2.5.8.tgz	Transitive	1.0.0	✅
CVE-2014-6393	Low	3.7	express-2.5.8.tgz	Transitive	1.0.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (29 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-3696

Vulnerable Library - mongoose-2.5.13.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-2.5.13.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/mongoose/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • ❌ mongoose-2.5.13.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.

Publish Date: 2023-07-17

URL: CVE-2023-3696

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467/

Release Date: 2023-07-17

Fix Resolution (mongoose): 5.13.21

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-2564

Vulnerable Library - mongoose-2.5.13.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-2.5.13.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/mongoose/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • ❌ mongoose-2.5.13.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.

Publish Date: 2022-07-28

URL: CVE-2022-2564

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2564

Release Date: 2022-07-28

Fix Resolution (mongoose): 5.13.15

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7610

Vulnerable Library - bson-0.0.4.tgz

A bson parser for node.js and the browser

Library home page: https://registry.npmjs.org/bson/-/bson-0.0.4.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/bson/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • mongoose-2.5.13.tgz
    • mongodb-0.9.9-7.tgz
      • ❌ bson-0.0.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

Publish Date: 2020-03-30

URL: CVE-2020-7610

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-04-01

Fix Resolution (bson): 1.1.4

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-17426

Vulnerable Library - mongoose-2.5.13.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-2.5.13.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/mongoose/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • ❌ mongoose-2.5.13.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Publish Date: 2019-10-10

URL: CVE-2019-17426

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17426

Release Date: 2019-10-10

Fix Resolution (mongoose): 4.13.20

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2014-0005

Vulnerable Library - qs-0.4.2.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.4.2.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/qs/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • express-2.5.8.tgz
    • ❌ qs-0.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time

Publish Date: 2014-07-31

URL: WS-2014-0005

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2014-0005

Release Date: 2014-07-31

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10768

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In AngularJS before 1.7.9 the function merge() could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
Mend Note: After conducting further research, Mend has determined that versions 1.4.0-beta.6 before 1.7.9 of angular are vulnerable to CVE-2019-10768. Converted from WS-2019-0367, on 2021-07-21.

Publish Date: 2019-11-19

URL: CVE-2019-10768

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-11-19

Fix Resolution: 1.7.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-16138

Vulnerable Library - mime-1.2.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.4.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/mime/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • express-2.5.8.tgz
    • ❌ mime-1.2.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-04-26

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-1000048

Vulnerable Library - qs-0.4.2.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.4.2.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/qs/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • express-2.5.8.tgz
    • ❌ qs-0.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Publish Date: 2017-07-13

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048

Release Date: 2017-07-13

Fix Resolution (qs): 6.0.4

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2014-10064

Vulnerable Library - qs-0.4.2.tgz

querystring parser

Library home page: https://registry.npmjs.org/qs/-/qs-0.4.2.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/qs/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • express-2.5.8.tgz
    • ❌ qs-0.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Publish Date: 2018-05-31

URL: CVE-2014-10064

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10064

Release Date: 2018-04-26

Fix Resolution (qs): 1.0.0

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2017-0126

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Affected versions of the package are vulnerable to Protection Bypass via ng-attr-action and ng-attr-srcdoc

Publish Date: 2013-11-12

URL: WS-2017-0126

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2013-11-12

Fix Resolution: 1.2.2

⛑️ Automatic Remediation will be attempted for this issue.

WS-2017-0121

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Affected versions of Angular.js are vulnerable to Arbitrary Code Execution via unsafe svg animation tags.

Publish Date: 2015-03-10

URL: WS-2017-0121

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2015-03-10

Fix Resolution: 1.4.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0022

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

XSS vulnerability in angular.js (1.6.8 and before)

Publish Date: 2018-01-06

URL: WS-2018-0022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-01-06

Fix Resolution: 1.6.9

⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0001

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

JSONP allows untrusted resource URLs, which provides a vector for attack by malicious actors.

Publish Date: 2024-11-03

URL: WS-2018-0001

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-28hp-fgcr-2r4h

Release Date: 2016-09-20

Fix Resolution: 1.6.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2013-0004

Vulnerable Library - connect-1.9.2.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-1.9.2.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/connect/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • express-2.5.8.tgz
    • ❌ connect-1.9.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The "methodOverride" let the http post to override the method of the request with the value of the post key or with the header, which allows XSS attack.

Publish Date: 2013-06-27

URL: WS-2013-0004

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2013-06-27

Fix Resolution (connect): 2.8.1

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-29041

Vulnerable Library - express-2.5.8.tgz

Sinatra inspired web development framework

Library home page: https://registry.npmjs.org/express/-/express-2.5.8.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/express/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • ❌ express-2.5.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

Publish Date: 2024-03-25

URL: CVE-2024-29041

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rv95-896h-c2vc

Release Date: 2024-03-25

Fix Resolution (express): 4.19.0

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-14863

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.

Publish Date: 2020-01-02

URL: CVE-2019-14863

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-02

Fix Resolution: 1.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2013-7371

Vulnerable Library - connect-1.9.2.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-1.9.2.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/connect/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • express-2.5.8.tgz
    • ❌ connect-1.9.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-connects before 2.8.2 has cross site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370)

Publish Date: 2019-12-11

URL: CVE-2013-7371

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7371

Release Date: 2019-12-11

Fix Resolution (connect): 2.8.1

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2013-7370

Vulnerable Library - connect-1.9.2.tgz

High performance middleware framework

Library home page: https://registry.npmjs.org/connect/-/connect-1.9.2.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/connect/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • express-2.5.8.tgz
    • ❌ connect-1.9.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware

Publish Date: 2019-12-11

URL: CVE-2013-7370

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7370

Release Date: 2019-12-11

Fix Resolution (connect): 2.8.1

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0077

Vulnerable Library - mongoose-2.5.13.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-2.5.13.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/mongoose/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • ❌ mongoose-2.5.13.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure.

Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database.

Publish Date: 2016-01-15

URL: WS-2018-0077

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2016-01-15

Fix Resolution (mongoose): 4.3.6

Direct dependency fix Resolution (angular): 1.0.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2017-0118

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Affected versions of the package are vulnerable to Mutation Cross-site Scripting (mXSS).

Publish Date: 2015-09-08

URL: WS-2017-0118

CVSS 3 Score Details (5.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2015-09-08

Fix Resolution: 1.5.1

⛑️ Automatic Remediation will be attempted for this issue.

WS-2017-0117

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks.

Publish Date: 2015-11-30

URL: WS-2017-0117

CVSS 3 Score Details (5.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2015-11-30

Fix Resolution: 1.4.10

⛑️ Automatic Remediation will be attempted for this issue.

WS-2017-0116

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The use element can reference external svg's (same origin) and can include xlink javascript urls or foreign object that can execute xss.

Publish Date: 2015-12-05

URL: WS-2017-0116

CVSS 3 Score Details (5.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2015-12-05

Fix Resolution: 1.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7676

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "" elements in "" ones changes parsing behavior, leading to possibly unsanitizing code. Publish Date: 2020-06-08 URL: CVE-2020-7676 CVSS 3 Score Details (5.4) Base Score Metrics: Exploitability Metrics: Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Impact Metrics: Confidentiality Impact: Low Integrity Impact: Low Availability Impact: None For more information on CVSS3 Scores, click here. Suggested Fix Type: Upgrade version Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7676 Release Date: 2020-06-08 Fix Resolution: 1.8.0 :rescue_worker_helmet: Automatic Remediation will be attempted for this issue. WS-2017-0124 Vulnerable Library - angular-0.0.1.tgz Node.JS + Angular.JS project generator Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz Path to dependency file: /tmp/ws-scm/bugHunt/package.json Path to vulnerable library: /node_modules/angular/package.json Dependency Hierarchy: :x: angular-0.0.1.tgz (Vulnerable Library) Found in base branch: main Vulnerability Details Affected versions of the package are vulnerable to Cross-site Scripting (XSS). Publish Date: 2014-09-08 URL: WS-2017-0124 CVSS 3 Score Details (5.3) Base Score Metrics: Exploitability Metrics: Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Impact Metrics: Confidentiality Impact: Low Integrity Impact: None Availability Impact: None For more information on CVSS3 Scores, click here. Suggested Fix Type: Upgrade version Release Date: 2014-09-08 Fix Resolution: 1.3.0 :rescue_worker_helmet: Automatic Remediation will be attempted for this issue. WS-2013-0003 Vulnerable Library - connect-1.9.2.tgz High performance middleware framework Library home page: https://registry.npmjs.org/connect/-/connect-1.9.2.tgz Path to dependency file: /tmp/ws-scm/bugHunt/package.json Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/connect/package.json Dependency Hierarchy: angular-0.0.1.tgz (Root Library) express-2.5.8.tgz :x: connect-1.9.2.tgz (Vulnerable Library) Found in base branch: main Vulnerability Details senchalabs/connect prior to 2.8.1 is vulnerable to xss attack Publish Date: 2013-06-27 URL: WS-2013-0003 CVSS 3 Score Details (5.3) Base Score Metrics: Exploitability Metrics: Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Impact Metrics: Confidentiality Impact: Low Integrity Impact: None Availability Impact: None For more information on CVSS3 Scores, click here. Suggested Fix Type: Upgrade version Origin: https://nvd.nist.gov/vuln/detail/WS-2013-0003 Release Date: 2013-06-27 Fix Resolution (connect): 2.8.1 Direct dependency fix Resolution (angular): 1.0.0 :rescue_worker_helmet: Automatic Remediation will be attempted for this issue. CVE-2023-26118 Vulnerable Library - angular-0.0.1.tgz Node.JS + Angular.JS project generator Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz Path to dependency file: /tmp/ws-scm/bugHunt/package.json Path to vulnerable library: /node_modules/angular/package.json Dependency Hierarchy: :x: angular-0.0.1.tgz (Vulnerable Library) Found in base branch: main Vulnerability Details Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Publish Date: 2023-03-30

URL: CVE-2023-26118

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2023-26117

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Publish Date: 2023-03-30

URL: CVE-2023-26117

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2023-26116

Vulnerable Library - angular-0.0.1.tgz

Node.JS + Angular.JS project generator

Library home page: https://registry.npmjs.org/angular/-/angular-0.0.1.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /node_modules/angular/package.json

Dependency Hierarchy:

• ❌ angular-0.0.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

Publish Date: 2023-03-30

URL: CVE-2023-26116

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2024-43796

Vulnerable Library - express-2.5.8.tgz

Sinatra inspired web development framework

Library home page: https://registry.npmjs.org/express/-/express-2.5.8.tgz

Path to dependency file: /tmp/ws-scm/bugHunt/package.json

Path to vulnerable library: /tmp/ws-scm/bugHunt/node_modules/express/package.json

Dependency Hierarchy:

• angular-0.0.1.tgz (Root Library)
  • ❌ express-2.5.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

Publish Date: 2024-09-10

URL: CVE-2024-43796

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qw6h-vgh9-j6wx

Release Date: 2024-09-10

Fix Resolution: express - 4.20.0,5.0.0

---

⛑️Automatic Remediation will be attempted for this issue.