From c9470917836077a2e185d505faf8b7e23b2cea5c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 21 Mar 2025 12:03:03 +0000
Subject: [PATCH] Preparing for v4.11.0 release.
---
 package.json | 2 +-
 retire-js/RetireJsVulns.json | 69 ++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 1 deletion(-)
diff --git a/package.json b/package.json
index d6ed9833f..0653241e5 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@salesforce/sfdx-scanner",
 "description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
- "version": "4.10.0",
+ "version": "4.11.0",
 "author": "Salesforce Code Analyzer Team",
 "bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 "dependencies": {
diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
index 83635da4f..e52816ab9 100644
--- a/retire-js/RetireJsVulns.json
+++ b/retire-js/RetireJsVulns.json
@@ -4482,6 +4482,30 @@
 "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc",
 "https://github.com/cure53/DOMPurify"
 ]
+ },
+ {
+ "atOrAbove": "0",
+ "below": "3.2.4",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "DOMPurify allows Cross-site Scripting (XSS)",
+ "CVE": [
+ "CVE-2025-26791"
+ ],
+ "githubID": "GHSA-vhxf-7vqr-mrjg"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-vhxf-7vqr-mrjg",
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-26791",
+ "https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02",
+ "https://ensy.zip/posts/dompurify-323-bypass",
+ "https://github.com/cure53/DOMPurify",
+ "https://github.com/cure53/DOMPurify/releases/tag/3.2.4",
+ "https://nsysean.github.io/posts/dompurify-323-bypass"
+ ]
 }
 ],
 "extractors": {
@@ -6142,6 +6166,30 @@
 "https://github.com/axios/axios/releases/tag/v1.7.4",
 "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html"
 ]
+ },
+ {
+ "atOrAbove": "0",
+ "below": "1.8.2",
+ "cwe": [
+ "CWE-918"
+ ],
+ "severity": "high",
+ "identifiers": {
+ "summary": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
+ "CVE": [
+ "CVE-2025-27152"
+ ],
+ "githubID": "GHSA-jr5f-v2jv-69x6"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
+ "https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6",
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-27152",
+ "https://github.com/axios/axios/issues/6463",
+ "https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f",
+ "https://github.com/axios/axios",
+ "https://github.com/axios/axios/releases/tag/v1.8.2"
+ ]
 }
 ],
 "extractors": {
@@ -7128,6 +7176,27 @@
 "https://froala.com/wysiwyg-editor/changelog/#4.1.4",
 "https://github.com/advisories/GHSA-hvpq-7vcc-5hj5"
 ]
+ },
+ {
+ "atOrAbove": "0",
+ "below": "4.3.1",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Froala WYSIWYG editor allows cross-site scripting (XSS)",
+ "CVE": [
+ "CVE-2024-51434"
+ ],
+ "githubID": "GHSA-549p-5c7f-c5p4"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-549p-5c7f-c5p4",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-51434",
+ "https://georgyg.com/home/froala-wysiwyg-editor---xss-cve-2024-51434",
+ "https://github.com/froala/wysiwyg-editor"
+ ]
 }
 ],
 "extractors": {