1 | {
|
2 | "retire-example": {
|
3 | "vulnerabilities" : [
|
4 | { "atOrAbove": "0.0.1", "below" : "0.0.2", "info" : [ "http://github.com/eoftedal/retire.js/" ] }
|
5 | ]
|
6 | },
|
7 | "hubot-scripts": {
|
8 | "vulnerabilities" : [
|
9 | { "below" : "2.4.4", "info" : [ "https://nodesecurity.io/advisories/519408ce5111ce9429000001" ] }
|
10 | ]
|
11 | },
|
12 | "connect": {
|
13 | "vulnerabilities" : [
|
14 | { "below" : "2.8.1", "info" : [ "https://nodesecurity.io/advisories/51d0d6abf196582611000001" ] }
|
15 | ]
|
16 | },
|
17 | "libnotify": {
|
18 | "vulnerabilities" : [
|
19 | { "below" : "1.0.4", "info" : [ "https://nodesecurity.io/advisories/51940c6d5111ce9429000002" ] }
|
20 | ]
|
21 | },
|
22 | "tomato": {
|
23 | "vulnerabilities" : [
|
24 | { "below" : "0.0.6", "info" : [ "https://nodesecurity.io/advisories/5194039ed66d3fe501000001" ] }
|
25 | ]
|
26 | },
|
27 | "handlebars" : {
|
28 | "vulnerabilities" : [
|
29 | {
|
30 | "below" : "1.0.0.beta.3",
|
31 | "severity": "high",
|
32 | "identifiers": {
|
33 | "summary": "poorly sanitized input passed to eval()"
|
34 | },
|
35 | "info" : [ "https://github.com/wycats/handlebars.js/pull/68" ]
|
36 | }
|
37 | ]
|
38 | },
|
39 | "marked": {
|
40 | "vulnerabilities" : [
|
41 | {
|
42 | "below" : "0.3.1",
|
43 | "severity": "medium",
|
44 | "identifiers": {
|
45 | "CVE": ["CVE-2014-1850", "CVE-2014-3743"],
|
46 | "advisory": "marked_multiple_content_injection_vulnerabilities"
|
47 | },
|
48 | "info" : [ "https://nodesecurity.io/advisories/marked_multiple_content_injection_vulnerabilities" ]
|
49 | }
|
50 | ]
|
51 | },
|
52 | "js-yaml": {
|
53 | "vulnerabilities" : [
|
54 | {
|
55 | "below" : "2.0.5",
|
56 | "severity": "medium",
|
57 | "identifiers": {
|
58 | "CVE": "CVE-2013-4660",
|
59 | "advisory": "JS-YAML_Deserialization_Code_Execution"
|
60 | },
|
61 | "info" : [ "https://nodesecurity.io/advisories/JS-YAML_Deserialization_Code_Execution" ]
|
62 | }
|
63 | ]
|
64 | },
|
65 | "st": {
|
66 | "vulnerabilities" : [
|
67 | {
|
68 | "below" : "0.2.5",
|
69 | "severity": "high",
|
70 | "identifiers": {
|
71 | "CVE": "CVE-2014-3744",
|
72 | "advisory": "st_directory_traversal"
|
73 | },
|
74 | "info" : [ "https://nodesecurity.io/advisories/st_directory_traversal" ]
|
75 | }
|
76 | ]
|
77 | },
|
78 | "hapi": {
|
79 | "vulnerabilities" : [
|
80 | {
|
81 | "atOrAbove" : "2.0",
|
82 | "below" : "2.2",
|
83 | "severity": "high",
|
84 | "identifiers": {
|
85 | "CVE": "CVE-2014-3742",
|
86 | "advisory": "hapi_File_descriptor_leak_DoS_vulnerability"
|
87 | },
|
88 | "info" : [ "https://nodesecurity.io/advisories/hapi_File_descriptor_leak_DoS_vulnerability", "https://github.com/spumko/hapi/issues/1427" ]
|
89 | },
|
90 | {
|
91 | "below" : "6.1.0",
|
92 | "severity": "high",
|
93 | "identifiers": {
|
94 | "CVE": "CVE-2014-4671",
|
95 | "advisory": "hapijs-jsonp-CVE-2014-4671A"
|
96 | },
|
97 | "info" : [ "http://nodesecurity.io/advisories/hapijs-jsonp-CVE-2014-4671A" ]
|
98 | }
|
99 | ]
|
100 | },
|
101 | "node-validator": {
|
102 | "vulnerabilities" : [
|
103 | { "below" : "1.1.0",
|
104 | "severity": "high",
|
105 | "identifiers": {
|
106 | "summary": "Cross-site scripting filter bypass"
|
107 | },
|
108 | "info" : [ "https://nealpoole.com/blog/2013/07/xss-filter-bypass-in-validator-nodejs-module/" ]
|
109 | },
|
110 | {
|
111 | "below" : "2.0.0",
|
112 | "severity": "low",
|
113 | "identifiers": {
|
114 | "summary": "Remove cross-site scripting filter"
|
115 | },
|
116 | "info" : [ "https://github.com/chriso/validator.js/commit/2d5d6999541add350fb396ef02dc42ca3215049e" ]
|
117 | }
|
118 | ]
|
119 | },
|
120 | "printer" : {
|
121 | "vulnerabilities" : [
|
122 | {
|
123 | "below" : "0.0.2",
|
124 | "severity": "medium",
|
125 | "identifiers": {
|
126 | "CVE": "CVE-2014-3741",
|
127 | "advisory": "printer_potential_command_injection"
|
128 | },
|
129 | "info" : [ "https://nodesecurity.io/advisories/printer_potential_command_injection" ]
|
130 | }
|
131 | ]
|
132 | },
|
133 |
|
134 |
|
135 | "handlebars-runtime" : {
|
136 | "vulnerabilities" : [
|
137 | {
|
138 | "below" : "1.0.0.beta.3",
|
139 | "severity": "high",
|
140 | "identifiers": {
|
141 | "summary": "poorly sanitized input passed to eval()"
|
142 | },
|
143 | "info" : [ "https://github.com/wycats/handlebars.js/pull/68" ] }
|
144 | ]
|
145 | },
|
146 | "ember" : {
|
147 | "vulnerabilities" : [
|
148 | {
|
149 | "atOrAbove" : "1.3.0-*",
|
150 | "below" : "1.3.2",
|
151 | "severity": "high",
|
152 | "identifiers": {"CVE": "CVE-2014-0046"},
|
153 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ" ]
|
154 | },
|
155 | {
|
156 | "atOrAbove" : "1.2.0-*",
|
157 | "below" : "1.2.2",
|
158 | "severity": "high",
|
159 | "identifiers": {"CVE": "CVE-2014-0046"},
|
160 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ" ]
|
161 | },
|
162 | {
|
163 | "atOrAbove" : "1.4.0-*",
|
164 | "below" : "1.4.0-beta.2",
|
165 | "severity": "medium",
|
166 | "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]},
|
167 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ]
|
168 | },
|
169 | {
|
170 | "atOrAbove" : "1.3.0-*",
|
171 | "below" : "1.3.1",
|
172 | "severity": "medium",
|
173 | "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]},
|
174 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ]
|
175 | },
|
176 | {
|
177 | "atOrAbove" : "1.2.0-*",
|
178 | "below" : "1.2.1",
|
179 | "severity": "medium",
|
180 | "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]},
|
181 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ]
|
182 | },
|
183 | {
|
184 | "atOrAbove" : "1.1.0-*",
|
185 | "below" : "1.1.3",
|
186 | "severity": "medium",
|
187 | "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]},
|
188 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ]
|
189 | },
|
190 | {
|
191 | "atOrAbove" : "1.0.0-*",
|
192 | "below" : "1.0.1",
|
193 | "severity": "medium",
|
194 | "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]},
|
195 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ]
|
196 | },
|
197 | {
|
198 | "atOrAbove" : "1.0.0-rc.1",
|
199 | "below" : "1.0.0-rc.1.1",
|
200 | "severity": "medium",
|
201 | "identifiers": {"CVE": "CVE-2013-4170"},
|
202 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ]
|
203 | },
|
204 | {
|
205 | "atOrAbove" : "1.0.0-rc.2",
|
206 | "below" : "1.0.0-rc.2.1",
|
207 | "severity": "medium",
|
208 | "identifiers": {"CVE": "CVE-2013-4170"},
|
209 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ]
|
210 | },
|
211 | {
|
212 | "atOrAbove" : "1.0.0-rc.3",
|
213 | "below" : "1.0.0-rc.3.1",
|
214 | "severity": "medium",
|
215 | "identifiers": {"CVE": "CVE-2013-4170"},
|
216 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ]
|
217 | },
|
218 | {
|
219 | "atOrAbove" : "1.0.0-rc.4",
|
220 | "below" : "1.0.0-rc.4.1",
|
221 | "severity": "medium",
|
222 | "identifiers": {"CVE": "CVE-2013-4170"},
|
223 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ]
|
224 | },
|
225 | {
|
226 | "atOrAbove" : "1.0.0-rc.5",
|
227 | "below" : "1.0.0-rc.5.1",
|
228 | "severity": "medium",
|
229 | "identifiers": {"CVE": "CVE-2013-4170"},
|
230 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ]
|
231 | },
|
232 | {
|
233 | "atOrAbove" : "1.0.0-rc.6",
|
234 | "below" : "1.0.0-rc.6.1",
|
235 | "severity": "medium",
|
236 | "identifiers": {"CVE": "CVE-2013-4170"},
|
237 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ]
|
238 | },
|
239 | { "below" : "0.9.7.1", "info" : [ "https://github.com/emberjs/ember.js/blob/master/CHANGELOG" ] },
|
240 | {
|
241 | "below" : "0.9.7",
|
242 | "severity": "medium",
|
243 | "identifiers": {
|
244 | "bug": "699",
|
245 | "summary": "Bound attributes aren't escaped properly"
|
246 | },
|
247 | "info" : [ "https://github.com/emberjs/ember.js/issues/699" ]
|
248 | }
|
249 | ]
|
250 | },
|
251 | "dojo" : {
|
252 | "vulnerabilities" : [
|
253 | {
|
254 | "atOrAbove" : "0.4",
|
255 | "below" : "0.4.4",
|
256 | "severity": "high",
|
257 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2272"]},
|
258 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2272/" ]
|
259 | },
|
260 | {
|
261 | "atOrAbove" : "1.0",
|
262 | "below" : "1.0.3",
|
263 | "severity": "high",
|
264 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2272", "CVE-2010-2273"]},
|
265 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ]
|
266 | },
|
267 | {
|
268 | "atOrAbove" : "1.1",
|
269 | "below" : "1.1.2",
|
270 | "severity": "high",
|
271 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2272", "CVE-2010-2273"]},
|
272 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ]
|
273 | },
|
274 | {
|
275 | "atOrAbove" : "1.2",
|
276 | "below" : "1.2.4",
|
277 | "severity": "high",
|
278 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2272", "CVE-2010-2273"]},
|
279 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ]
|
280 | },
|
281 | {
|
282 | "atOrAbove" : "1.3",
|
283 | "below" : "1.3.3",
|
284 | "severity": "high",
|
285 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2272", "CVE-2010-2273"]},
|
286 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ]
|
287 | },
|
288 | {
|
289 | "atOrAbove" : "1.4",
|
290 | "below" : "1.4.2",
|
291 | "severity": "high",
|
292 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2272", "CVE-2010-2273"]},
|
293 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ]
|
294 | },
|
295 | {
|
296 | "below" : "1.4.2",
|
297 | "severity": "medium",
|
298 | "identifiers": {"CVE": "CVE-2010-2275"},
|
299 | "info" : [ "http://www.cvedetails.com/cve/CVE-2010-2275/"]
|
300 | },
|
301 | {
|
302 | "below" : "1.1",
|
303 | "severity": "medium",
|
304 | "identifiers": {"CVE": "CVE-2008-6681"},
|
305 | "info" : [ "http://www.cvedetails.com/cve/CVE-2008-6681/"]
|
306 | }
|
307 | ]
|
308 | },
|
309 | "backbone" : {
|
310 | "vulnerabilities" : [
|
311 | {
|
312 | "below" : "0.5.0",
|
313 | "severity": "medium",
|
314 | "identifiers": {
|
315 | "release": "0.5.0",
|
316 | "summary": "cross-site scripting vulnerability"
|
317 | },
|
318 | "info" : [ "http://backbonejs.org/#changelog" ]
|
319 | }
|
320 | ]
|
321 | },
|
322 | "mustache" : {
|
323 | "vulnerabilities" : [
|
324 | {
|
325 | "below" : "0.3.1",
|
326 | "severity": "medium",
|
327 | "identifiers": {
|
328 | "bug": "112",
|
329 | "summary": "execution of arbitrary javascript"
|
330 | },
|
331 | "info" : [ "https://github.com/janl/mustache.js/issues/112" ]
|
332 | }
|
333 | ]
|
334 | },
|
335 | "syntax-error" : {
|
336 | "vulnerabilities" : [
|
337 | {
|
338 | "below" : "1.1.1",
|
339 | "severity": "high",
|
340 | "identifiers": {"advisory": "syntax-error-potential-script-injection"},
|
341 | "info" : [ "https://nodesecurity.io/advisories/syntax-error-potential-script-injection" ]
|
342 | }
|
343 | ]
|
344 | },
|
345 | "crumb" : {
|
346 | "vulnerabilities" : [
|
347 | {
|
348 | "below" : "3.0.0",
|
349 | "severity": "low",
|
350 | "identifiers": {"advisory": "crumb_cors_token_disclosure"},
|
351 | "info" : [ "https://nodesecurity.io/advisories/crumb_cors_token_disclosure" ]
|
352 | }
|
353 | ]
|
354 | },
|
355 | "qs" : {
|
356 | "vulnerabilities" : [
|
357 | {
|
358 | "below" : "1.0.0",
|
359 | "severity": "low",
|
360 | "identifiers": {"advisory": "qs_dos_extended_event_loop_blocking"},
|
361 | "info" : [ "https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking" ]
|
362 | }
|
363 | ]
|
364 | },
|
365 | "bassmaster" : {
|
366 | "vulnerabilities" : [
|
367 | {
|
368 | "below" : "1.5.2",
|
369 | "severity": "high",
|
370 | "identifiers": {
|
371 | "CVE": "CVE-2014-7205",
|
372 | "advisory": "bassmaster_js_injection"
|
373 | },
|
374 | "info" : [ "http://nodesecurity.io/advisories/bassmaster_js_injection" ]
|
375 | }
|
376 | ]
|
377 | },
|
378 | "libyaml" : {
|
379 | "vulnerabilities" : [
|
380 | {
|
381 | "below" : "0.2.3",
|
382 | "severity": "medium",
|
383 | "identifiers": {
|
384 | "CVE": "CVE-2013-6393",
|
385 | "advisory": "libyaml_heap-based_buffer_overflow_when_parsing_YAML_tags"
|
386 | },
|
387 | "info" : [ "http://nodesecurity.io/advisories/libyaml_heap-based_buffer_overflow_when_parsing_YAML_tags" ]
|
388 | }
|
389 | ]
|
390 | },
|
391 | "send" : {
|
392 | "vulnerabilities" : [
|
393 | {
|
394 | "below" : "0.8.4",
|
395 | "severity": "low",
|
396 | "identifiers": {
|
397 | "CVE": "CVE-2014-6394",
|
398 | "advisory": "send-directory-traversal"
|
399 | },
|
400 | "info" : [ "http://nodesecurity.io/advisories/send-directory-traversal" ]
|
401 | }
|
402 | ]
|
403 | },
|
404 | "yar" : {
|
405 | "vulnerabilities" : [
|
406 | {
|
407 | "below" : "2.2.0",
|
408 | "severity": "medium",
|
409 | "identifiers": {
|
410 | "CVE": "CVE-2014-4179",
|
411 | "advisory": "yar-DoS"
|
412 | },
|
413 | "info" : [ "http://nodesecurity.io/advisories/yar-DoS" ]
|
414 | }
|
415 | ]
|
416 | },
|
417 | "codem-transcode" : {
|
418 | "vulnerabilities" : [
|
419 | {
|
420 | "below" : "0.5.0",
|
421 | "severity": "high",
|
422 | "identifiers": {
|
423 | "CVE": "CVE-2013-7377",
|
424 | "advisory": "codem-transcode_command_injection"
|
425 | },
|
426 | "info" : [ "http://nodesecurity.io/advisories/codem-transcode_command_injection" ]
|
427 | }
|
428 | ]
|
429 | },
|
430 | "ep_imageconvert" : {
|
431 | "vulnerabilities" : [
|
432 | {
|
433 | "below" : "0.0.3",
|
434 | "severity": "high",
|
435 | "identifiers": {
|
436 | "CVE": "CVE-2013-3364",
|
437 | "advisory": "ep_imageconvert_command_injection"
|
438 | },
|
439 | "info" : [ "http://nodesecurity.io/advisories/ep_imageconvert_command_injection" ]
|
440 | }
|
441 | ]
|
442 | },
|
443 | "sanitize-html": {
|
444 | "vulnerabilities" : [
|
445 | {
|
446 | "below" : "1.4.3",
|
447 | "severity": "medium",
|
448 | "identifiers": {
|
449 | "summary": "Sanitization not applied recursively"
|
450 | },
|
451 | "info" : [ "https://github.com/punkave/sanitize-html/issues/29" ]
|
452 | }
|
453 | ]
|
454 | },
|
455 | "sequelize-restful": {
|
456 | "vulnerabilities" : [ { "below" : "0.3.1", "info" : [ "https://github.com/sequelize/sequelize-restful/issues/16" ] } ]
|
457 | },
|
458 | "paypal-ipn": {
|
459 | "vulnerabilities" : [
|
460 | {
|
461 | "below" : "3.0.0",
|
462 | "severity": "medium",
|
463 | "identifiers": {"advisory": "paypal-ipn-validation-bypass"},
|
464 | "info" : [ "http://nodesecurity.io/advisories/paypal-ipn-validation-bypass" ]
|
465 | }
|
466 | ]
|
467 | },
|
468 | "fancy-server": {
|
469 | "vulnerabilities" : [
|
470 | {
|
471 | "below" : "0.1.4",
|
472 | "severity": "high",
|
473 | "identifiers": {"advisory": "fancy-server-directory-traversal"},
|
474 | "info" : [ "http://nodesecurity.io/advisories/fancy-server-directory-traversal" ]
|
475 | }
|
476 | ]
|
477 | },
|
478 | "dns-sync": {
|
479 | "vulnerabilities" : [
|
480 | {
|
481 | "below" : "0.1.1",
|
482 | "severity": "high",
|
483 | "identifiers": {"advisory": "dns-sync-command-injection"},
|
484 | "info" : [ "http://nodesecurity.io/advisories/dns-sync-command-injection" ]
|
485 | }
|
486 | ]
|
487 | },
|
488 | "nhouston": {
|
489 | "vulnerabilities" : [
|
490 | {
|
491 | "atOrAbove" : "0.0.0",
|
492 | "severity": "high",
|
493 | "identifiers": {
|
494 | "CVE": "CVE-2014-8883",
|
495 | "advisory": "nhouston-directory-traversal"
|
496 | },
|
497 | "info" : [ "http://nodesecurity.io/advisories/nhouston-directory-traversal" ]
|
498 | }
|
499 | ]
|
500 | },
|
501 | "remarkable": {
|
502 | "vulnerabilities" : [
|
503 | {
|
504 | "below" : "1.4.1",
|
505 | "severity": "high",
|
506 | "identifiers": {"advisory": "remarkable_content_injection"},
|
507 | "info" : [ "http://nodesecurity.io/advisories/remarkable_content_injection" ]
|
508 | }
|
509 | ]
|
510 | },
|
511 | "validator" : {
|
512 | "vulnerabilities" : [
|
513 | {
|
514 | "below" : "3.22.1",
|
515 | "severity": "medium",
|
516 | "identifiers": {
|
517 | "CVE": "CVE-2014-8882",
|
518 | "advisory": "validator-isurl-denial-of-service"
|
519 | },
|
520 | "info" : [ "http://nodesecurity.io/advisories/validator-isurl-denial-of-service" ]
|
521 | },
|
522 | {
|
523 | "below" : "2.0.0",
|
524 | "severity": "medium",
|
525 | "identifiers": {
|
526 | "advisory": "validator_XSS_Filter_Bypass_via_Encoded_URL"
|
527 | },
|
528 | "info" : [ "http://nodesecurity.io/advisories/validator_XSS_Filter_Bypass_via_Encoded_URL" ] }
|
529 | ]
|
530 | }
|
531 | }
|