
Fix missing node modules for theme #156

Merged
merged 1 commit into from
Aug 15, 2024

Conversation

mattbell87
Member

This fixes missing node modules for the theme which was preventing being able to log in.


Overview

Image reference: ghcr.io/2pisoftware/cmfive:develop → ghcr.io/2pisoftware/cmfive:pr-156
- digest: 9fd67b1df459 → 9f97d35d6662
- tag: develop → pr-156
- provenance: d84fa23 → ae5ff59
- vulnerabilities: critical: 0 high: 4 medium: 7 low: 0 unspecified: 1 → critical: 1 high: 8 medium: 14 low: 4 unspecified: 1
- platform: linux/amd64 → linux/amd64
- size: 327 MB → 374 MB (+46 MB)
- packages: 205 → 1107 (+902)
Base Image: alpine:3.19 (also known as 3.19.3) → alpine:3.19 (also known as 3.19.3)
- vulnerabilities: critical: 0 high: 0 medium: 0 low: 0 → critical: 0 high: 0 medium: 0 low: 0
Labels (3 changes)
  • ± 3 changed
  • 6 unchanged
-org.opencontainers.image.created=2024-08-12T04:28:53.166Z
+org.opencontainers.image.created=2024-08-15T01:35:18.905Z
 org.opencontainers.image.description=Cmfive in a docker image
 org.opencontainers.image.licenses=GPL-3.0
-org.opencontainers.image.revision=d84fa237537b25a5b7d52239be0b9558db57c098
+org.opencontainers.image.revision=ae5ff591297c9f03bbc656eb394d5382353d6567
 org.opencontainers.image.source=https://github.com/2pisoftware/cmfive-boilerplate
 org.opencontainers.image.title=Cmfive
 org.opencontainers.image.url=https://github.com/2pisoftware/cmfive-boilerplate
 org.opencontainers.image.vendor=2pisoftware
-org.opencontainers.image.version=develop
+org.opencontainers.image.version=pr-156
Packages and Vulnerabilities (823 package changes and 11 vulnerability changes)
  • ➕ 822 packages added
  • ♾️ 1 package changed
  • 204 packages unchanged
  • ❗ 11 vulnerabilities added
Changes for packages of type npm (821 changes)
Package | Version in ghcr.io/2pisoftware/cmfive:develop | Version in ghcr.io/2pisoftware/cmfive:pr-156
(packages added in pr-156 list only their pr-156 version; the one changed package lists both)
@ampproject/remapping 2.2.1
@babel/code-frame 7.22.13
@babel/compat-data 7.23.2
@babel/core 7.23.2
@babel/generator 7.23.0
@babel/helper-annotate-as-pure 7.22.5
@babel/helper-builder-binary-assignment-operator-visitor 7.22.15
@babel/helper-compilation-targets 7.22.15
@babel/helper-create-class-features-plugin 7.22.15
@babel/helper-create-regexp-features-plugin 7.22.15
@babel/helper-define-polyfill-provider 0.4.3
@babel/helper-environment-visitor 7.22.20
@babel/helper-function-name 7.23.0
@babel/helper-hoist-variables 7.22.5
@babel/helper-member-expression-to-functions 7.23.0
@babel/helper-module-imports 7.22.15
@babel/helper-module-transforms 7.23.0
@babel/helper-optimise-call-expression 7.22.5
@babel/helper-plugin-utils 7.22.5
@babel/helper-remap-async-to-generator 7.22.20
@babel/helper-replace-supers 7.22.20
@babel/helper-simple-access 7.22.5
@babel/helper-skip-transparent-expression-wrappers 7.22.5
@babel/helper-split-export-declaration 7.22.6
@babel/helper-string-parser 7.22.5
@babel/helper-validator-identifier 7.22.20
@babel/helper-validator-option 7.22.15
@babel/helper-wrap-function 7.22.20
@babel/helpers 7.23.2
@babel/highlight 7.22.20
@babel/parser 7.23.0
@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression 7.22.15
@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining 7.22.15
@babel/plugin-proposal-object-rest-spread 7.20.7
@babel/plugin-proposal-private-property-in-object 7.21.0-placeholder-for-preset-env.2
@babel/plugin-syntax-async-generators 7.8.4
@babel/plugin-syntax-class-properties 7.12.13
@babel/plugin-syntax-class-static-block 7.14.5
@babel/plugin-syntax-dynamic-import 7.8.3
@babel/plugin-syntax-export-namespace-from 7.8.3
@babel/plugin-syntax-import-assertions 7.22.5
@babel/plugin-syntax-import-attributes 7.22.5
@babel/plugin-syntax-import-meta 7.10.4
@babel/plugin-syntax-json-strings 7.8.3
@babel/plugin-syntax-logical-assignment-operators 7.10.4
@babel/plugin-syntax-nullish-coalescing-operator 7.8.3
@babel/plugin-syntax-numeric-separator 7.10.4
@babel/plugin-syntax-object-rest-spread 7.8.3
@babel/plugin-syntax-optional-catch-binding 7.8.3
@babel/plugin-syntax-optional-chaining 7.8.3
@babel/plugin-syntax-private-property-in-object 7.14.5
@babel/plugin-syntax-top-level-await 7.14.5
@babel/plugin-syntax-unicode-sets-regex 7.18.6
@babel/plugin-transform-arrow-functions 7.22.5
@babel/plugin-transform-async-generator-functions 7.23.2
@babel/plugin-transform-async-to-generator 7.22.5
@babel/plugin-transform-block-scoped-functions 7.22.5
@babel/plugin-transform-block-scoping 7.23.0
@babel/plugin-transform-class-properties 7.22.5
@babel/plugin-transform-class-static-block 7.22.11
@babel/plugin-transform-classes 7.22.15
@babel/plugin-transform-computed-properties 7.22.5
@babel/plugin-transform-destructuring 7.23.0
@babel/plugin-transform-dotall-regex 7.22.5
@babel/plugin-transform-duplicate-keys 7.22.5
@babel/plugin-transform-dynamic-import 7.22.11
@babel/plugin-transform-exponentiation-operator 7.22.5
@babel/plugin-transform-export-namespace-from 7.22.11
@babel/plugin-transform-for-of 7.22.15
@babel/plugin-transform-function-name 7.22.5
@babel/plugin-transform-json-strings 7.22.11
@babel/plugin-transform-literals 7.22.5
@babel/plugin-transform-logical-assignment-operators 7.22.11
@babel/plugin-transform-member-expression-literals 7.22.5
@babel/plugin-transform-modules-amd 7.23.0
@babel/plugin-transform-modules-commonjs 7.23.0
@babel/plugin-transform-modules-systemjs 7.23.0
@babel/plugin-transform-modules-umd 7.22.5
@babel/plugin-transform-named-capturing-groups-regex 7.22.5
@babel/plugin-transform-new-target 7.22.5
@babel/plugin-transform-nullish-coalescing-operator 7.22.11
@babel/plugin-transform-numeric-separator 7.22.11
@babel/plugin-transform-object-rest-spread 7.22.15
@babel/plugin-transform-object-super 7.22.5
@babel/plugin-transform-optional-catch-binding 7.22.11
@babel/plugin-transform-optional-chaining 7.23.0
@babel/plugin-transform-parameters 7.22.15
@babel/plugin-transform-private-methods 7.22.5
@babel/plugin-transform-private-property-in-object 7.22.11
@babel/plugin-transform-property-literals 7.22.5
@babel/plugin-transform-regenerator 7.22.10
@babel/plugin-transform-reserved-words 7.22.5
@babel/plugin-transform-runtime 7.23.2
@babel/plugin-transform-shorthand-properties 7.22.5
@babel/plugin-transform-spread 7.22.5
@babel/plugin-transform-sticky-regex 7.22.5
@babel/plugin-transform-template-literals 7.22.5
@babel/plugin-transform-typeof-symbol 7.22.5
@babel/plugin-transform-unicode-escapes 7.22.10
@babel/plugin-transform-unicode-property-regex 7.22.5
@babel/plugin-transform-unicode-regex 7.22.5
@babel/plugin-transform-unicode-sets-regex 7.22.5
@babel/preset-env 7.23.2
@babel/preset-modules 0.1.6-no-external-plugins
@babel/regjsgen 0.8.0
@babel/runtime 7.23.2
@babel/template 7.22.15
@babel/traverse 7.23.2
@babel/types 7.23.0
@codemirror/autocomplete 6.10.2
@codemirror/commands 6.3.0
@codemirror/lang-css 6.2.1
@codemirror/lang-html 6.4.6
@codemirror/lang-javascript 6.2.1
@codemirror/language 6.9.2
@codemirror/lint 6.4.2
@codemirror/search 6.5.4
@codemirror/state 6.3.1
@codemirror/view 6.22.0
@colors/colors 1.5.0
@discoveryjs/json-ext 0.5.7
@jridgewell/gen-mapping 0.3.3
@jridgewell/resolve-uri 3.1.1
@jridgewell/set-array 1.1.2
@jridgewell/source-map 0.3.5
@jridgewell/sourcemap-codec 1.4.15
@jridgewell/trace-mapping 0.3.20
@leichtgewicht/ip-codec 2.0.4
@lezer/common 1.1.0
@lezer/css 1.1.3
@lezer/highlight 1.1.6
@lezer/html 1.3.6
@lezer/javascript 1.4.9
@lezer/lr 1.3.14
@my-scope/package-a 0.0.0
@my-scope/package-b 0.0.0
@nodelib/fs.scandir 2.1.5
@nodelib/fs.stat 2.0.5
@nodelib/fs.walk 1.2.8
@orchidjs/sifter 1.0.3
@orchidjs/unicode-variants 1.0.4
@popperjs/core 2.11.8
@trysound/sax 0.2.0
@types/babel__core 7.20.3
@types/babel__generator 7.6.6
@types/babel__template 7.4.3
@types/babel__traverse 7.20.3
@types/body-parser 1.19.4
@types/bonjour 3.5.12
@types/bootstrap 5.2.8
@types/clean-css 4.2.9
@types/connect 3.4.37
@types/connect-history-api-fallback 1.5.2
@types/eslint 8.44.6
@types/eslint-scope 3.7.6
@types/estree 1.0.4
@types/express 4.17.20
@types/express-serve-static-core 4.17.39
@types/glob 7.2.0
@types/http-errors 2.0.3
@types/http-proxy 1.17.13
@types/imagemin 8.0.3
@types/imagemin-gifsicle 7.0.3
@types/imagemin-mozjpeg 8.0.3
@types/imagemin-optipng 5.2.3
@types/imagemin-svgo 8.0.1
@types/jquery 3.5.25
@types/json-schema 7.0.9
@types/mime 1.3.4
@types/minimatch 5.1.2
@types/node 20.8.10
@types/node-forge 1.3.8
@types/parse-json 4.0.0
@types/qs 6.9.9
@types/range-parser 1.2.6
@types/retry 0.12.0
@types/send 0.17.3
@types/serve-index 1.9.3
@types/serve-static 1.15.4
@types/sizzle 2.3.5
@types/sockjs 0.3.35
@types/svgo 1.3.6
@types/ws 8.5.8
@vue/compiler-sfc 2.7.15
@vue/component-compiler-utils 3.3.0
@webassemblyjs/ast 1.11.6
@webassemblyjs/floating-point-hex-parser 1.11.6
@webassemblyjs/helper-api-error 1.11.6
@webassemblyjs/helper-buffer 1.11.6
@webassemblyjs/helper-numbers 1.11.6
@webassemblyjs/helper-wasm-bytecode 1.11.6
@webassemblyjs/helper-wasm-section 1.11.6
@webassemblyjs/ieee754 1.11.6
@webassemblyjs/leb128 1.11.6
@webassemblyjs/utf8 1.11.6
@webassemblyjs/wasm-edit 1.11.6
@webassemblyjs/wasm-gen 1.11.6
@webassemblyjs/wasm-opt 1.11.6
@webassemblyjs/wasm-parser 1.11.6
@webassemblyjs/wast-printer 1.11.6
@webpack-cli/configtest 1.2.0
@webpack-cli/info 1.5.0
@webpack-cli/serve 1.7.0
@xtuc/ieee754 1.2.0
@xtuc/long 4.2.2
accepts 1.3.8
acorn 8.11.2
acorn-import-assertions 1.9.0
adjust-sourcemap-loader 3.0.0
ajv 8.12.0
ajv-formats 2.1.1
ajv-keywords 5.1.0
ansi-html-community 0.0.8
ansi-regex 5.0.1
ansi-styles 4.3.0
anymatch 3.1.3
arity-n 1.0.4
array-flatten 2.1.2
array-union 2.1.0
asn1.js 5.4.1
assert 1.5.1
atob 2.1.2
autoprefixer 10.4.16
babel-code-frame 6.26.0
babel-core 6.26.3
babel-generator 6.26.1
babel-helper-call-delegate 6.24.1
babel-helper-define-map 6.26.0
babel-helper-function-name 6.24.1
babel-helper-get-function-arity 6.24.1
babel-helper-hoist-variables 6.24.1
babel-helper-optimise-call-expression 6.24.1
babel-helper-regex 6.26.0
babel-helper-replace-supers 6.24.1
babel-helpers 6.24.1
babel-loader 8.3.0
babel-messages 6.23.0
babel-plugin-check-es2015-constants 6.22.0
babel-plugin-polyfill-corejs2 0.4.6
babel-plugin-polyfill-corejs3 0.8.6
babel-plugin-polyfill-regenerator 0.5.3
babel-plugin-transform-es2015-arrow-functions 6.22.0
babel-plugin-transform-es2015-block-scoped-functions 6.22.0
babel-plugin-transform-es2015-block-scoping 6.26.0
babel-plugin-transform-es2015-classes 6.24.1
babel-plugin-transform-es2015-computed-properties 6.24.1
babel-plugin-transform-es2015-destructuring 6.23.0
babel-plugin-transform-es2015-duplicate-keys 6.24.1
babel-plugin-transform-es2015-for-of 6.23.0
babel-plugin-transform-es2015-function-name 6.24.1
babel-plugin-transform-es2015-literals 6.22.0
babel-plugin-transform-es2015-modules-amd 6.24.1
babel-plugin-transform-es2015-modules-commonjs 6.26.2
babel-plugin-transform-es2015-modules-systemjs 6.24.1
babel-plugin-transform-es2015-modules-umd 6.24.1
babel-plugin-transform-es2015-object-super 6.24.1
babel-plugin-transform-es2015-parameters 6.24.1
babel-plugin-transform-es2015-shorthand-properties 6.24.1
babel-plugin-transform-es2015-spread 6.22.0
babel-plugin-transform-es2015-sticky-regex 6.24.1
babel-plugin-transform-es2015-template-literals 6.22.0
babel-plugin-transform-es2015-typeof-symbol 6.23.0
babel-plugin-transform-es2015-unicode-regex 6.24.1
babel-plugin-transform-regenerator 6.26.0
babel-plugin-transform-strict-mode 6.24.1
babel-preset-es2015 6.24.1
babel-register 6.26.0
babel-runtime 6.26.0
babel-template 6.26.0
babel-traverse 6.26.0
critical: 1 high: 0 medium: 0 low: 0
Added vulnerabilities (1):
  • critical: CVE-2023-45133
babel-types 6.26.0
babylon 6.18.0
balanced-match 1.0.2
base64-js 1.5.1
batch 0.6.1
big.js 5.2.2
bin 1.0.0
binary-extensions 2.2.0
bluebird 3.7.2
bn.js 5.2.1
body-parser 1.20.1
bonjour-service 1.1.1
boolbase 1.0.0
bootstrap 5.3.2
bootstrap-icons 1.11.1
brace-expansion 1.1.11
braces 3.0.2
critical: 0 high: 1 medium: 0 low: 0
Added vulnerabilities (1):
  • high: CVE-2024-4068
brorand 1.1.0
browser-process 0.0.1
browserify-aes 1.2.0
browserify-cipher 1.0.1
browserify-des 1.0.2
browserify-rsa 4.1.0
browserify-sign 4.2.2
browserify-zlib 0.2.0
browserslist 4.22.1
buffer 4.9.2
buffer-from 1.1.2
buffer-xor 1.0.3
builtin-status-codes 3.0.0
bytes 3.1.2
call-bind 1.0.2
callsites 3.1.0
camel-case 4.1.2
camelcase 5.3.1
caniuse-api 3.0.0
caniuse-lite 1.0.30001561
chalk 4.1.2
charenc 0.0.2
chokidar 3.5.3
chrome-trace-event 1.0.3
cipher-base 1.0.4
clean-css 5.3.2
cli-table3 0.6.3
cliui 8.0.1
clone 2.1.2
clone-deep 4.0.1
♾️ codemirror 4.4.0 6.0.1
critical: 0 high: 0 medium: 1 low: 0
Removed vulnerabilities (1):
  • medium: CVE-2020-7760
collect.js 4.36.1
color-convert 2.0.1
color-name 1.1.4
colord 2.9.3
colorette 2.0.20
colors 1.4.0
commander 7.2.0
commondir 1.0.1
compose-function 3.0.3
compressible 2.0.18
compression 1.7.4
concat 1.0.3
concat-map 0.0.1
connect-history-api-fallback 2.0.0
consola 2.15.3
console-browserify 1.2.0
consolidate 0.15.1
constants-browserify 1.0.0
content-disposition 0.5.4
content-type 1.0.5
convert-source-map 2.0.0
cookie 0.5.0
cookie-signature 1.0.6
core-js 2.6.12
core-js-compat 3.33.2
core-util-is 1.0.3
cosmiconfig 7.1.0
create-ecdh 4.0.4
create-hash 1.2.0
create-hmac 1.1.7
crelt 1.0.6
cross-spawn 7.0.3
crypt 0.0.2
crypto-browserify 3.12.0
css 2.2.4
css-declaration-sorter 6.4.1
css-loader 5.2.7
css-select 4.3.0
css-tree 1.1.3
css-what 6.1.0
cssesc 3.0.0
cssnano 5.1.15
cssnano-preset-default 5.2.14
cssnano-utils 3.1.0
csso 4.2.0
csstype 3.1.2
d 1.0.1
de-indent 1.0.2
debug 4.3.4
decode-uri-component 0.2.2
deep-equal 1.1.1
default-gateway 6.0.3
define-data-property 1.1.1
define-lazy-prop 2.0.0
define-properties 1.2.1
depd 2.0.0
des.js 1.1.0
destroy 1.2.0
detect-indent 4.0.0
detect-node 2.1.0
diffie-hellman 5.0.3
dir-glob 3.0.1
dist 1.0.0
dns-equal 1.0.0
dns-packet 5.6.1
dom-serializer 1.4.1
domain-browser 1.2.0
domelementtype 2.3.0
domhandler 4.3.1
domutils 2.8.0
dot-case 3.0.4
dotenv 10.0.0
dotenv-expand 5.1.0
ee-first 1.1.1
electron-to-chromium 1.4.576
elliptic 6.5.4
emoji-regex 8.0.0
emojis-list 3.0.0
encodeurl 1.0.2
enhanced-resolve 5.15.0
entities 2.2.0
envinfo 7.11.0
error-ex 1.3.2
es-module-lexer 1.3.1
es5-ext 0.10.62
es6-iterator 2.0.3
es6-symbol 3.1.3
escalade 3.1.1
escape-html 1.0.3
escape-string-regexp 1.0.5
eslint-scope 5.1.1
esrecurse 4.3.0
estraverse 5.3.0
esutils 2.0.3
etag 1.8.1
eventemitter3 4.0.7
events 3.3.0
evp_bytestokey 1.0.3
execa 5.1.1
express 4.18.2
critical: 0 high: 0 medium: 1 low: 0
Added vulnerabilities (1):
  • medium: CVE-2024-29041
ext 1.7.0
extend 3.0.2
fast-deep-equal 3.1.3
fast-diff 1.1.2
fast-glob 3.3.1
fast-json-stable-stringify 2.1.0
fastest-levenshtein 1.0.16
fastq 1.15.0
faye-websocket 0.11.4
file-loader 6.2.0
file-type 12.4.2
fill-range 7.0.1
finalhandler 1.2.0
find-cache-dir 3.3.2
find-up 4.1.0
flat 5.0.2
flat-cache 3.1.1
flatted 3.2.9
follow-redirects 1.15.3
critical: 0 high: 0 medium: 2 low: 0
Added vulnerabilities (2):
  • medium: CVE-2024-28849
  • medium: CVE-2023-26159
forwarded 0.2.0
fraction.js 4.3.7
fresh 0.5.2
fs-extra 10.1.0
fs-monkey 1.0.5
fs.realpath 1.0.0
function-bind 1.1.2
gensync 1.0.0-beta.2
get-caller-file 2.0.5
get-intrinsic 1.2.2
get-stream 6.0.1
glob 7.2.3
glob-parent 5.1.2
glob-to-regexp 0.4.1
globals 9.18.0
globby 10.0.2
gopd 1.0.1
graceful-fs 4.2.11
growly 1.3.0
handle-thing 2.0.1
has 1.0.3
has-ansi 2.0.0
has-flag 4.0.0
has-property-descriptors 1.0.1
has-proto 1.0.1
has-symbols 1.0.3
has-tostringtag 1.0.0
hash-base 3.1.0
hash-sum 1.0.2
hash.js 1.1.7
hasown 2.0.0
he 1.2.0
hmac-drbg 1.0.1
home-or-tmp 2.0.0
hpack.js 2.1.6
html-entities 2.4.0
html-loader 1.3.2
html-minifier-terser 5.1.1
htmlparser2 4.1.0
http-deceiver 1.2.7
http-errors 2.0.0
http-parser-js 0.5.8
http-proxy 1.18.1
http-proxy-middleware 2.0.6
https-browserify 1.0.0
human-signals 2.1.0
iconv-lite 0.4.24
icss-utils 5.1.0
ieee754 1.2.1
ignore 5.2.4
imagemin 7.0.1
img-loader 4.0.0
immutable 4.3.4
import-fresh 3.3.0
import-local 3.1.0
inflight 1.0.6
inherits 2.0.4
interpret 2.2.0
invariant 2.2.4
ipaddr.js 2.1.0
is-arguments 1.1.1
is-arrayish 0.2.1
is-binary-path 2.1.0
is-buffer 1.1.6
is-core-module 2.13.1
is-date-object 1.0.5
is-docker 2.2.1
is-extglob 2.1.1
is-finite 1.1.0
is-fullwidth-code-point 3.0.0
is-glob 4.0.3
is-number 7.0.0
is-plain-obj 3.0.0
is-plain-object 2.0.4
is-regex 1.1.4
is-stream 2.0.1
is-wsl 2.2.0
isarray 1.0.0
isexe 2.0.0
isobject 3.0.1
jest-worker 27.5.1
jquery 3.7.1
js-tokens 4.0.0
jsesc 2.5.2
json-buffer 3.0.1
json-parse-even-better-errors 2.3.1
json-schema-traverse 1.0.0
json5 2.2.3
jsonfile 6.1.0
junk 3.1.0
keyv 4.5.4
kind-of 6.0.3
klona 2.0.6
laravel-mix 6.0.49
laravel-mix-glob 2.0.3
launch-editor 2.6.1
lilconfig 2.1.0
lines-and-columns 1.2.4
ljharb-monorepo-symlink-test 0.0.0
loader-runner 4.3.0
loader-utils 2.0.4
locate-path 5.0.0
lodash 4.17.21
lodash.debounce 4.0.8
lodash.memoize 4.1.2
lodash.uniq 4.5.0
loose-envify 1.4.0
lower-case 2.0.2
lru-cache 6.0.0
make-dir 3.1.0
md5 2.3.0
md5.js 1.3.5
mdn-data 2.0.14
media-typer 0.3.0
memfs 3.5.3
merge-descriptors 1.0.1
merge-source-map 1.1.0
merge-stream 2.0.0
merge2 1.4.1
methods 1.1.2
micromatch 4.0.5
miller-rabin 4.0.1
mime 1.6.0
mime-db 1.52.0
mime-types 2.1.35
mimic-fn 2.1.0
mini-css-extract-plugin 1.6.2
minimalistic-assert 1.0.1
minimalistic-crypto-utils 1.0.1
minimatch 3.1.2
minimist 1.2.8
mkdirp 0.5.5
ms 2.1.3
multicast-dns 7.2.5
mylib 0.0.0
nanoid 3.3.7
negotiator 0.6.3
neo-async 2.6.2
next-tick 1.1.0
no-case 3.0.4
node-forge 1.3.1
node-forge-flash 0.0.0
node-libs-browser 2.2.1
node-notifier 9.0.1
node-releases 2.0.13
normalize-path 3.0.0
normalize-range 0.1.2
normalize-url 6.1.0
npm-run-path 4.0.1
nth-check 2.1.1
object-inspect 1.13.1
object-is 1.1.5
object-keys 1.1.1
object.assign 4.1.4
obuf 1.1.2
on-finished 2.4.1
on-headers 1.0.2
once 1.4.0
onetime 5.1.2
open 8.4.2
os-browserify 0.3.0
os-homedir 1.0.2
os-tmpdir 1.0.2
p-limit 2.3.0
p-locate 4.1.0
p-pipe 3.1.0
p-retry 4.6.2
p-try 2.2.0
pako 1.0.11
param-case 3.0.4
parchment 1.1.4
parent-module 1.0.1
parse-asn1 5.1.6
parse-json 5.2.0
parseurl 1.3.3
pascal-case 3.1.2
path-browserify 0.0.1
path-exists 4.0.0
path-is-absolute 1.0.1
path-key 3.1.1
path-parse 1.0.7
path-to-regexp 0.1.7
path-type 4.0.0
pbkdf2 3.1.2
picocolors 1.0.0
picomatch 2.3.1
pkg-dir 4.2.0
postcss 8.4.31
postcss-calc 8.2.4
postcss-colormin 5.3.1
postcss-convert-values 5.1.3
postcss-discard-comments 5.1.2
postcss-discard-duplicates 5.1.0
postcss-discard-empty 5.1.1
postcss-discard-overridden 5.1.0
postcss-load-config 3.1.4
postcss-loader 6.2.1
postcss-merge-longhand 5.1.7
postcss-merge-rules 5.1.4
postcss-minify-font-values 5.1.0
postcss-minify-gradients 5.1.1
postcss-minify-params 5.1.4
postcss-minify-selectors 5.2.1
postcss-modules-extract-imports 3.0.0
postcss-modules-local-by-default 4.0.3
postcss-modules-scope 3.0.0
postcss-modules-values 4.0.0
postcss-normalize-charset 5.1.0
postcss-normalize-display-values 5.1.0
postcss-normalize-positions 5.1.1
postcss-normalize-repeat-style 5.1.1
postcss-normalize-string 5.1.0
postcss-normalize-timing-functions 5.1.0
postcss-normalize-unicode 5.1.1
postcss-normalize-url 5.1.0
postcss-normalize-whitespace 5.1.1
postcss-ordered-values 5.1.3
postcss-reduce-initial 5.1.2
postcss-reduce-transforms 5.1.0
postcss-selector-parser 6.0.13
postcss-svgo 5.1.0
postcss-unique-selectors 5.1.1
postcss-value-parser 4.2.0
prettier 2.8.8
pretty-time 1.1.0
private 0.1.8
process 0.11.10
process-nextick-args 2.0.1
proxy-addr 2.0.7
pseudomap 1.0.2
public-encrypt 4.0.3
punycode 2.1.1
qs 6.11.2
querystring-es3 0.2.1
queue-microtask 1.2.3
quill 1.3.7
critical: 0 high: 0 medium: 1 low: 0
Added vulnerabilities (1):
  • medium: CVE-2021-3163
quill-delta 3.6.3
randombytes 2.1.0
randomfill 1.0.4
range-parser 1.2.1
raw-body 2.5.1
readable-stream 3.6.2
readdirp 3.6.0
rechoir 0.7.1
regenerate 1.4.2
regenerate-unicode-properties 10.1.1
regenerator-runtime 0.14.0
regenerator-transform 0.15.2
regex-parser 2.2.11
regexp.prototype.flags 1.3.1
regexpu-core 5.3.2
regjsgen 0.2.0
regjsparser 0.9.1
relateurl 0.2.7
repeating 2.0.1
replace-ext 1.0.1
require-directory 2.1.1
require-from-string 2.0.2
requires-port 1.0.0
resolve 1.22.8
resolve-cwd 3.0.0
resolve-from 5.0.0
resolve-url 0.2.1
resolve-url-loader 3.1.5
retry 0.13.1
reusify 1.0.4
rework 1.0.1
rework-visit 1.0.0
rimraf 3.0.2
ripemd160 2.0.2
run-parallel 1.2.0
safe-buffer 5.2.1
safer-buffer 2.1.2
sass 1.69.5
sass-loader 10.4.1
schema-utils 4.2.0
select-hose 2.0.0
selfsigned 2.4.1
semver 7.5.4
send 0.18.0
serialize-javascript 6.0.1
serve-index 1.9.1
serve-static 1.15.0
setimmediate 1.0.5
setprototypeof 1.2.0
sha.js 2.4.11
shallow-clone 3.0.1
shebang-command 2.0.0
shebang-regex 3.0.0
shell-quote 1.8.1
shellwords 0.1.1
side-channel 1.0.4
signal-exit 3.0.7
slash 3.0.0
sockjs 0.3.24
source-list-map 2.0.1
source-map 0.7.4
source-map-js 1.0.2
source-map-resolve 0.5.3
source-map-support 0.5.21
source-map-url 0.4.1
spdy 4.0.2
spdy-transport 3.0.0
stable 0.1.8
statuses 2.0.1
std-env 3.4.3
stream-browserify 2.0.2
stream-http 2.8.3
string-width 4.2.3
string_decoder 1.3.0
strip-ansi 6.0.1
strip-final-newline 2.0.0
style-loader 2.0.0
style-mod 4.1.0
stylehacks 5.1.1
supports-color 8.1.1
supports-preserve-symlinks-flag 1.0.0
svgo 2.8.0
tapable 2.2.1
terser 5.24.0
terser-webpack-plugin 5.3.9
thunky 1.1.0
timers-browserify 2.0.12
to-arraybuffer 1.0.1
to-fast-properties 2.0.0
to-regex-range 5.0.1
toidentifier 1.0.1
tom-select 2.3.1
trim-right 1.0.1
ts-loader 9.5.0
tslib 2.6.2
tty-browserify 0.0.0
type 2.7.2
type-is 1.6.18
typescript 4.9.5
undici-types 5.26.5
unicode-canonical-property-names-ecmascript 2.0.0
unicode-match-property-ecmascript 2.0.0
unicode-match-property-value-ecmascript 2.1.0
unicode-property-aliases-ecmascript 2.1.0
universalify 2.0.1
unpipe 1.0.0
update-browserslist-db 1.0.13
uri-js 4.4.1
urix 0.1.0
url 0.11.3
util 0.11.1
util-deprecate 1.0.2
utils-merge 1.0.1
uuid 9.0.1
vary 1.1.2
vm-browserify 1.1.2
vue 2.7.15
vue-class-component 7.2.6
vue-hot-reload-api 2.3.4
vue-loader 15.11.1
vue-property-decorator 9.1.2
vue-style-loader 4.1.3
vue-template-compiler 2.7.15
critical: 0 high: 0 medium: 1 low: 0
Added vulnerabilities (1):
  • medium: CVE-2024-6783
vue-template-es2015-compiler 1.9.1
w3c-keyname 2.2.8
watchpack 2.4.0
wbuf 1.7.3
webpack 5.89.0
webpack-cli 4.10.0
webpack-dev-middleware 5.3.3
critical: 0 high: 1 medium: 0 low: 0
Added vulnerabilities (1):
  • high: CVE-2024-29180
webpack-dev-server 4.15.1
webpack-merge 5.10.0
webpack-notifier 1.15.0
webpack-sources 3.2.3
webpackbar 5.0.2
websocket-driver 0.7.4
websocket-extensions 0.1.4
which 2.0.2
wildcard 2.0.1
wrap-ansi 7.0.0
wrappy 1.0.2
ws 8.14.2
critical: 0 high: 1 medium: 0 low: 0
Added vulnerabilities (1):
  • high: CVE-2024-37890
xtend 4.0.2
y18n 5.0.8
yallist 4.0.0
yaml 1.10.2
yargs 17.7.2
yargs-parser 21.1.1
Changes for packages of type nuget (2 changes)
Package | Version in ghcr.io/2pisoftware/cmfive:develop | Version in ghcr.io/2pisoftware/cmfive:pr-156
(both packages are added in pr-156 and list only their pr-156 version)
Notifu 1.7
notifu 1.7


🔍 Vulnerabilities of ghcr.io/2pisoftware/cmfive:pr-156

📦 Image Reference ghcr.io/2pisoftware/cmfive:pr-156
digest: sha256:9f97d35d6662d5ae9c0e78189d255811fba032664128d7517deaa5edc1d4e5dc
vulnerabilities: critical: 1 high: 8 medium: 14 low: 0
size: 374 MB
packages: 1107
📦 Base Image alpine:3.19
also known as
  • 3.19.3
digest: sha256:8d733e27df31ac40ec64633002a200a0aed5477866730e0bfeb8d2dec5d8e76a
vulnerabilities: critical: 0 high: 0 medium: 0 low: 0
critical: 1 high: 0 medium: 0 low: 0 babel-traverse 6.26.0 (npm)

pkg:npm/babel-traverse@6.26.0

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

critical 9.3: CVE-2023-45133 Incomplete List of Disallowed Inputs

Affected range: <7.23.2
Fixed version: Not Fixed
CVSS Score: 9.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.06%
EPSS Percentile: 26th percentile
Description

Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.

Known affected plugins are:

  • @babel/plugin-transform-runtime
  • @babel/preset-env when using its useBuiltIns option
  • Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator

No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds

  • Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
  • If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
    • @babel/plugin-transform-runtime v7.23.2
    • @babel/preset-env v7.23.2
    • @babel/helper-define-polyfill-provider v0.4.3
    • babel-plugin-polyfill-corejs2 v0.4.6
    • babel-plugin-polyfill-corejs3 v0.8.5
    • babel-plugin-polyfill-es-shims v0.10.0
    • babel-plugin-polyfill-regenerator v0.5.3
critical: 0 high: 1 medium: 0 low: 0 setuptools 68.2.2 (pypi)

pkg:pypi/setuptools@68.2.2

# Dockerfile (100:100)
COPY /.codepipeline/docker/configs/fpm/ /etc/php81/

high 8.8: CVE-2024-6345 Improper Control of Generation of Code ('Code Injection')

Affected range: <70.0.0
Fixed version: 70.0.0
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.04%
EPSS Percentile: 9th percentile
Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

critical: 0 high: 1 medium: 0 low: 0 webpack-dev-middleware 5.3.3 (npm)

pkg:npm/webpack-dev-middleware@5.3.3

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

high 7.4: CVE-2024-29180 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range: <=5.3.3
Fixed version: 5.3.4
CVSS Score: 7.4
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS Score: 0.04%
EPSS Percentile: 14th percentile
Description

Summary

The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine.

Details

The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory memfs filesystem.
If writeToDisk configuration option is set to true, the physical filesystem is used:
https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/setupOutputFileSystem.js#L21

The getFilenameFromUrl method is used to parse the URL and build the local file path.
The public path prefix is stripped from the URL, and the unescaped path suffix is appended to the outputPath:
https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/getFilenameFromUrl.js#L82
As the URL is not unescaped and normalized automatically before calling the middleware, it is possible to use %2e and %2f sequences to perform a path traversal attack.

PoC

A blank project can be created containing the following configuration file webpack.config.js:
module.exports = { devServer: { devMiddleware: { writeToDisk: true } } };

When started, it is possible to access any local file, e.g. /etc/passwd:
$ curl localhost:8080/public/..%2f..%2f..%2f..%2f../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin

Impact

The developers using webpack-dev-server or webpack-dev-middleware are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content (e.g. password, configuration files, private source code, ...).

If the development server is listening on a public IP address (or 0.0.0.0), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port).

If the server allows access from third-party domains (CORS, Allow-Access-Origin: * ), an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files.

Recommendation

The URL should be unescaped and normalized before any further processing.

critical: 0 high: 1 medium: 0 low: 0 twig/twig 3.3.10 (composer)

pkg:composer/twig/twig@3.3.10

# Dockerfile (123:123)
RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core'

high 7.5: CVE-2022-39261 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range: >=3.0.0, <3.4.3
Fixed version: 3.4.3
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.33%
EPSS Percentile: 71st percentile
Description

Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed).

Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

critical: 0 high: 1 medium: 0 low: 0 py3-setuptools 68.2.2-r0 (apk)

pkg:apk/alpine/py3-setuptools@68.2.2-r0?os_name=alpine&os_version=3.19

# Dockerfile (100:100)
COPY /.codepipeline/docker/configs/fpm/ /etc/php81/

high: CVE-2024-6345

Affected range: <70.3.0-r0
Fixed version: 70.3.0-r0
EPSS Score: 0.04%
EPSS Percentile: 9th percentile
Description
critical: 0 high: 1 medium: 0 low: 0 chart.js 2.5.0 (npm)

pkg:npm/chart.js@2.5.0

# Dockerfile (123:123)
RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core'

high 7.5: CVE-2020-7746 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected range: <2.9.4
Fixed version: 2.9.4
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 1.80%
EPSS Percentile: 88th percentile
Description

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

critical: 0 high: 1 medium: 0 low: 0 braces 3.0.2 (npm)

pkg:npm/braces@3.0.2

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

high 7.5: CVE-2024-4068 Excessive Platform Resource Consumption within a Loop

Affected range: <3.0.3
Fixed version: 3.0.3
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

critical: 0 high: 1 medium: 0 low: 0 ws 8.14.2 (npm)

pkg:npm/ws@8.14.2

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

high 7.5: CVE-2024-37890 NULL Pointer Dereference

Affected range: >=8.0.0, <8.17.1
Fixed version: 8.17.1
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.04%
EPSS Percentile: 14th percentile
Description

Impact

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

References

critical: 0 high: 1 medium: 0 low: 0 json5 0.5.1 (npm)

pkg:npm/json5@0.5.1

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

high 7.1: CVE-2022-46175 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected range: <1.0.2
Fixed version: 1.0.2
CVSS Score: 7.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
EPSS Score: 0.67%
EPSS Percentile: 80th percentile
Description

The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object.

This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.

Impact

This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.

Mitigation

This vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.

Details

Suppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using JSON5.parse, confirm that the provided data does not set some sensitive keys, and then perform the risky operation using the validated data:

const JSON5 = require('json5');

const doSomethingDangerous = (props) => {
  if (props.isAdmin) {
    console.log('Doing dangerous thing as admin.');
  } else {
    console.log('Doing dangerous thing as user.');
  }
};

const secCheckKeysSet = (obj, searchKeys) => {
  let searchKeyFound = false;
  Object.keys(obj).forEach((key) => {
    if (searchKeys.indexOf(key) > -1) {
      searchKeyFound = true;
    }
  });
  return searchKeyFound;
};

const props = JSON5.parse('{"foo": "bar"}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as user."
} else {
  throw new Error('Forbidden...');
}

If the user attempts to set the isAdmin key, their request will be rejected:

const props = JSON5.parse('{"foo": "bar", "isAdmin": true}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props);
} else {
  throw new Error('Forbidden...'); // Error: Forbidden...
}

However, users can instead set the __proto__ key to {"isAdmin": true}. JSON5 will parse this key and will set the isAdmin key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:

const props = JSON5.parse('{"foo": "bar", "__proto__": {"isAdmin": true}}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as admin."
} else {
  throw new Error('Forbidden...');
}

critical: 0 high: 0 medium: 5 low: 0 jquery-ui 1.10.4 (npm)

pkg:npm/jquery-ui@1.10.4

# Dockerfile (123:123)
RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core'

medium 6.5: CVE-2021-41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range: <1.13.0
Fixed version: 1.13.0
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score: 0.45%
EPSS Percentile: 76th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE-2021-41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range: <1.13.0
Fixed version: 1.13.0
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score: 0.31%
EPSS Percentile: 70th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE-2021-41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range: <1.13.0
Fixed version: 1.13.0
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score: 0.28%
EPSS Percentile: 69th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE-2022-31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range: <1.13.2
Fixed version: 1.13.2
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score: 0.22%
EPSS Percentile: 61st percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes the parent label's contents be treated as the input's label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE-2016-7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range: <1.12.0
Fixed version: 1.12.0
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score: 0.47%
EPSS Percentile: 76th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

critical: 0 high: 0 medium: 2 low: 0 follow-redirects 1.15.3 (npm)

pkg:npm/follow-redirects@1.15.3

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

medium 6.5: CVE-2024-28849 Exposure of Sensitive Information to an Unauthorized Actor

Affected range: <=1.15.5
Fixed version: 1.15.6
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.04%
EPSS Percentile: 11th percentile
Description

When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.

Steps To Reproduce & PoC

Test code:

const axios = require('axios');

axios.get('http://127.0.0.1:10081/', {
 headers: {
 'AuThorization': 'Rear Test',
 'ProXy-AuthoriZation': 'Rear Test',
 'coOkie': 't=1'
 }
})
 .then((response) => {
 console.log(response);
 })

When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

Impact

This vulnerability may lead to credentials leak.

Recommendations

Remove the proxy-authentication header during cross-domain redirects.

Recommended Patch

follow-redirects/index.js:464

- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
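Review bot: the replacement regex on line 464 still scrubs only a fixed list of header names (authorization, proxy-authorization, cookie) on cross-domain redirects; the /i flag covers the mixed-case spellings used in the test code above, but any other credential-carrying header the application sets would still be forwarded to the new host, so the list has to match every header the application treats as sensitive.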

medium 6.1: CVE-2023-26159 Improper Input Validation

Affected range: <1.15.4
Fixed version: 1.15.4
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score: 0.05%
EPSS Percentile: 20th percentile
Description

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

critical: 0 high: 0 medium: 1 low: 0 postcss 7.0.39 (npm)

pkg:npm/postcss@7.0.39

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

medium 5.3: CVE-2023-44270 Improper Neutralization of Line Delimiters

Affected range: <8.4.31
Fixed version: 8.4.31
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score: 0.05%
EPSS Percentile: 21st percentile
Description

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

critical: 0 high: 0 medium: 1 low: 0 vue-template-compiler 2.7.15 (npm)

pkg:npm/vue-template-compiler@2.7.15

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

medium 4.2: CVE-2024-6783 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range: >=2.0.0, <3.0.0
Fixed version: 3.0.0
CVSS Score: 4.2
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Score: 0.04%
EPSS Percentile: 9th percentile
Description

A vulnerability has been discovered in vue-template-compiler, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life. This vulnerability has been patched in Vue 3.

critical: 0 high: 0 medium: 1 low: 0 codemirror 4.4.0 (npm)

pkg:npm/codemirror@4.4.0

# Dockerfile (123:123)
RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core'

medium 5.3: CVE-2020-7760 Uncontrolled Resource Consumption

Affected range: <5.58.2
Fixed version: 5.58.2
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score: 1.71%
EPSS Percentile: 88th percentile
Description

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2.
The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.js#L129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/.*?/)*

critical: 0 high: 0 medium: 1 low: 0 quill 1.3.7 (npm)

pkg:npm/quill@1.3.7

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

medium 4.2: CVE-2021-3163 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range: <=1.3.7
Fixed version: Not Fixed
CVSS Score: 4.2
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Score: 0.13%
EPSS Percentile: 48th percentile
Description

A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. No patch exists and no further releases are planned.

This CVE is disputed. Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser. More information can be found here.

critical: 0 high: 0 medium: 1 low: 0 postcss 7.0.36 (npm)

pkg:npm/postcss@7.0.36

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

medium 5.3: CVE-2023-44270 Improper Neutralization of Line Delimiters

Affected range: <8.4.31
Fixed version: 8.4.31
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score: 0.05%
EPSS Percentile: 21st percentile
Description

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

critical: 0 high: 0 medium: 1 low: 0 express 4.18.2 (npm)

pkg:npm/express@4.18.2

# Dockerfile (132:135)
COPY --chown=cmfive:cmfive \
    --from=core \
    /cmfive-core/system/templates/base/node_modules \
    system/templates/base/node_modules

medium 6.1: CVE-2024-29041 Improper Validation of Syntactic Correctness of Input

Affected range: <4.19.2
Fixed version: 4.19.2
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score: 0.04%
EPSS Percentile: 11th percentile
Description

Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL, Express encodes the contents using encodeurl before passing it to the Location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow-list implementations in Express applications, leading to an open redirect via bypass of a properly implemented allow list.

The main method impacted is res.location() but this is also called from within res.redirect().

Patches

expressjs/express@0867302
expressjs/express@0b74695

An initial fix went out with express@4.19.0; we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.

Workarounds

The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.

References

expressjs/express#5539
koajs/koa#1800
https://expressjs.com/en/4x/api.html#res.location

critical: 0 high: 0 medium: 1 low: 0 aws/aws-sdk-php 3.224.0 (composer)

pkg:composer/aws/aws-sdk-php@3.224.0

# Dockerfile (123:123)
RUN su cmfive -c 'INSTALL_ENV=docker php cmfive.php install core'

medium 6.0: CVE-2023-51651 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range: <3.288.1
Fixed version: 3.288.1
CVSS Score: 6
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 0.04%
EPSS Percentile: 16th percentile
Description

Impact

Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the buildEndpoint method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. The buildEndpoint method relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed.

Versions of the AWS SDK for PHP v3 before 3.288.1 are affected by this issue.

Patches

Upgrade to the AWS SDK for PHP >= 3.288.1, if you are on version < 3.288.1.

References

RFC 3986 - https://datatracker.ietf.org/doc/html/rfc3986

For more information

If you have any questions or comments about this advisory, please contact AWS's Security team.

@mattbell87 mattbell87 merged commit d548905 into master Aug 15, 2024
7 checks passed
@mattbell87 mattbell87 deleted the fix/missing-node-modules branch August 15, 2024 01:42
mattbell87 added a commit that referenced this pull request Aug 15, 2024
fix: Missing node modules for theme (#156) [DEVELOP]