Dima2021 / WebGoat_8.1.0


browser-sync-2.26.3.tgz: 33 vulnerabilities (highest severity is: 9.8) - autoclosed #17

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - browser-sync-2.26.3.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/xmlhttprequest-ssl/package.json

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (browser-sync version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2019-10747 | High | 9.8 | detected in multiple dependencies | Transitive | 2.26.4 | |
| CVE-2019-10746 | High | 9.8 | mixin-deep-1.3.1.tgz | Transitive | 2.26.4 | |
| CVE-2020-15256 | High | 9.8 | object-path-0.9.2.tgz | Transitive | 2.26.4 | |
| CVE-2020-7774 | High | 9.8 | y18n-3.2.1.tgz | Transitive | 2.26.4 | |
| CVE-2021-23440 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2021-31597 | High | 9.4 | xmlhttprequest-ssl-1.5.5.tgz | Transitive | 2.26.14-y.1 | |
| CVE-2019-10744 | High | 9.1 | lodash-4.17.11.tgz | Transitive | 2.26.4 | |
| CVE-2021-23434 | High | 8.6 | object-path-0.9.2.tgz | Transitive | 2.26.4 | |
| CVE-2020-28502 | High | 8.1 | xmlhttprequest-ssl-1.5.5.tgz | Transitive | 2.26.14-y.1 | |
| WS-2020-0443 | High | 8.1 | socket.io-2.1.1.tgz | Transitive | 2.26.14-y.1 | |
| CVE-2019-20149 | High | 7.5 | kind-of-6.0.2.tgz | Transitive | 2.26.4 | |
| CVE-2020-28469 | High | 7.5 | detected in multiple dependencies | Transitive | 2.26.9 | |
| CVE-2019-10742 | High | 7.5 | axios-0.17.1.tgz | Transitive | 2.26.6 | |
| CVE-2021-27292 | High | 7.5 | ua-parser-js-0.7.17.tgz | Transitive | 2.26.9 | |
| CVE-2022-38900 | High | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 2.26.4 | |
| CVE-2020-7733 | High | 7.5 | ua-parser-js-0.7.17.tgz | Transitive | 2.26.9 | |
| CVE-2021-3749 | High | 7.5 | axios-0.17.1.tgz | Transitive | 2.26.6 | |
| CVE-2021-3805 | High | 7.5 | object-path-0.9.2.tgz | Transitive | 2.26.4 | |
| CVE-2020-7793 | High | 7.5 | ua-parser-js-0.7.17.tgz | Transitive | 2.26.9 | |
| CVE-2022-24999 | High | 7.5 | qs-6.2.3.tgz | Transitive | 2.27.11 | |
| CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | |
| CVE-2020-36048 | High | 7.5 | engine.io-3.2.1.tgz | Transitive | 2.27.10 | |
| CVE-2020-36049 | High | 7.5 | detected in multiple dependencies | Transitive | 2.26.4 | |
| CVE-2020-8203 | High | 7.4 | lodash-4.17.11.tgz | Transitive | 2.26.4 | |
| CVE-2021-23337 | High | 7.2 | lodash-4.17.11.tgz | Transitive | 2.26.4 | |
| CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.5.10.tgz | Transitive | 2.26.4 | |
| CVE-2022-41940 | Medium | 6.5 | engine.io-3.2.1.tgz | Transitive | 2.27.10 | |
| CVE-2022-0536 | Medium | 5.9 | follow-redirects-1.5.10.tgz | Transitive | 2.26.4 | |
| CVE-2020-28168 | Medium | 5.9 | axios-0.17.1.tgz | Transitive | 2.26.9 | |
| CVE-2020-28500 | Medium | 5.3 | lodash-4.17.11.tgz | Transitive | 2.26.4 | |
| CVE-2021-32640 | Medium | 5.3 | ws-6.1.2.tgz | Transitive | 2.26.4 | |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-4.2.1.tgz | Transitive | 2.26.9 | |
| CVE-2020-28481 | Medium | 4.3 | socket.io-2.1.1.tgz | Transitive | 2.26.14-y.1 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

**CVE-2019-10747**

### Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

### set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/set-value/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - cache-base-1.0.1.tgz
            - :x: **set-value-2.0.0.tgz** (Vulnerable Library)

### set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - cache-base-1.0.1.tgz
            - union-value-1.0.0.tgz
              - :x: **set-value-0.4.3.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and `__proto__` payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-10-29

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (browser-sync): 2.26.4

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (browser-sync): 2.26.4

In order to enable automatic remediation, please create workflow rules

**CVE-2019-10746**

### Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/mixin-deep/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - :x: **mixin-deep-1.3.1.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (browser-sync): 2.26.4

In order to enable automatic remediation, please create workflow rules

**CVE-2020-15256**

### Vulnerable Library - object-path-0.9.2.tgz

Access deep properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/object-path/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - eazy-logger-3.0.2.tgz
    - tfunk-3.1.0.tgz
      - :x: **object-path-0.9.2.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the `includeInheritedProps: true` option or the `withInheritedProps` instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w

Release Date: 2020-10-19

Fix Resolution (object-path): 0.11.5

Direct dependency fix Resolution (browser-sync): 2.26.4

In order to enable automatic remediation, please create workflow rules

**CVE-2020-7774**

### Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/y18n/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - yargs-6.4.0.tgz
    - :x: **y18n-3.2.1.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5 is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (browser-sync): 2.26.4

In order to enable automatic remediation, please create workflow rules

**CVE-2021-23440**

### Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

### set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - cache-base-1.0.1.tgz
            - union-value-1.0.0.tgz
              - :x: **set-value-0.4.3.tgz** (Vulnerable Library)

### set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/set-value/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - base-0.11.2.tgz
          - cache-base-1.0.1.tgz
            - :x: **set-value-2.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.

Publish Date: 2021-09-12

URL: CVE-2021-23440

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/

Release Date: 2021-09-12

Fix Resolution: set-value - 2.0.1,4.0.1

**CVE-2021-31597**

### Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - browser-sync-ui-2.26.2.tgz
    - socket.io-client-2.2.0.tgz
      - engine.io-client-3.3.1.tgz
        - :x: **xmlhttprequest-ssl-1.5.5.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

### CVSS 3 Score Details (9.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (browser-sync): 2.26.14-y.1

In order to enable automatic remediation, please create workflow rules

**CVE-2019-10744**

### Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/lodash/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - easy-extender-2.3.4.tgz
    - :x: **lodash-4.17.11.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (browser-sync): 2.26.4

In order to enable automatic remediation, please create workflow rules

**CVE-2021-23434**

### Vulnerable Library - object-path-0.9.2.tgz

Access deep properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/object-path/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - eazy-logger-3.0.2.tgz
    - tfunk-3.1.0.tgz
      - :x: **object-path-0.9.2.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.

Publish Date: 2021-08-27

URL: CVE-2021-23434

### CVSS 3 Score Details (8.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434

Release Date: 2021-08-27

Fix Resolution (object-path): 0.11.6

Direct dependency fix Resolution (browser-sync): 2.26.4

In order to enable automatic remediation, please create workflow rules

**CVE-2020-28502**

### Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - browser-sync-ui-2.26.2.tgz
    - socket.io-client-2.2.0.tgz
      - engine.io-client-3.3.1.tgz
        - :x: **xmlhttprequest-ssl-1.5.5.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (browser-sync): 2.26.14-y.1

In order to enable automatic remediation, please create workflow rules

**WS-2020-0443**

### Vulnerable Library - socket.io-2.1.1.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/socket.io/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - :x: **socket.io-2.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

socket.io in versions 1.0.0 to 2.3.0 is vulnerable to Cross-Site WebSocket Hijacking; it allows an attacker to bypass origin protection using special symbols including "`" and "$".

Publish Date: 2020-02-20

URL: WS-2020-0443

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/931197

Release Date: 2020-02-20

Fix Resolution (socket.io): 2.4.0

Direct dependency fix Resolution (browser-sync): 2.26.14-y.1

In order to enable automatic remediation, please create workflow rules

**CVE-2019-20149**

### Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/kind-of/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - anymatch-2.0.0.tgz
      - micromatch-3.1.10.tgz
        - :x: **kind-of-6.0.2.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (browser-sync): 2.26.4

In order to enable automatic remediation, please create workflow rules

**CVE-2020-28469**

### Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-2.0.0.tgz

### glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/glob-parent/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - :x: **glob-parent-3.1.0.tgz** (Vulnerable Library)

### glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/glob-base/node_modules/glob-parent/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - micromatch-2.3.11.tgz
    - parse-glob-3.0.4.tgz
      - glob-base-0.3.0.tgz
        - :x: **glob-parent-2.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (browser-sync): 2.26.9

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (browser-sync): 2.26.9

In order to enable automatic remediation, please create workflow rules

**CVE-2019-10742**

### Vulnerable Library - axios-0.17.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.17.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/axios/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - localtunnel-1.9.1.tgz
    - :x: **axios-0.17.1.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-42xw-2xvc-qx8m

Release Date: 2019-05-07

Fix Resolution (axios): 0.18.1

Direct dependency fix Resolution (browser-sync): 2.26.6

In order to enable automatic remediation, please create workflow rules

**CVE-2021-27292**

### Vulnerable Library - ua-parser-js-0.7.17.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - :x: **ua-parser-js-0.7.17.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: 2021-03-17

URL: CVE-2021-27292

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-03-17

Fix Resolution (ua-parser-js): 0.7.25

Direct dependency fix Resolution (browser-sync): 2.26.9

In order to enable automatic remediation, please create workflow rules

**CVE-2022-38900**

### Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/decode-uri-component/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - chokidar-2.0.4.tgz
    - braces-2.3.2.tgz
      - snapdragon-0.8.2.tgz
        - source-map-resolve-0.5.2.tgz
          - :x: **decode-uri-component-0.2.0.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (browser-sync): 2.26.4

In order to enable automatic remediation, please create workflow rules

**CVE-2020-7733**

### Vulnerable Library - ua-parser-js-0.7.17.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - :x: **ua-parser-js-0.7.17.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: 2020-09-16

URL: CVE-2020-7733

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-09-16

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (browser-sync): 2.26.9

In order to enable automatic remediation, please create workflow rules

**CVE-2021-3749**

### Vulnerable Library - axios-0.17.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.17.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/axios/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - localtunnel-1.9.1.tgz
    - :x: **axios-0.17.1.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/

Release Date: 2021-08-31

Fix Resolution (axios): 0.18.1

Direct dependency fix Resolution (browser-sync): 2.26.6

In order to enable automatic remediation, please create workflow rules

**CVE-2021-3805**

### Vulnerable Library - object-path-0.9.2.tgz

Access deep properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/object-path/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - eazy-logger-3.0.2.tgz
    - tfunk-3.1.0.tgz
      - :x: **object-path-0.9.2.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-17

URL: CVE-2021-3805

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/

Release Date: 2021-09-17

Fix Resolution (object-path): 0.11.8

Direct dependency fix Resolution (browser-sync): 2.26.4

In order to enable automatic remediation, please create workflow rules

## CVE-2020-7793

### Vulnerable Library - ua-parser-js-0.7.17.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - :x: **ua-parser-js-0.7.17.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Publish Date: 2020-12-11

URL: CVE-2020-7793

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2020-12-11

Fix Resolution (ua-parser-js): 0.7.23

Direct dependency fix Resolution (browser-sync): 2.26.9

In order to enable automatic remediation, please create workflow rules

## CVE-2022-24999

### Vulnerable Library - qs-6.2.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/qs/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - :x: **qs-6.2.3.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.2.4

Direct dependency fix Resolution (browser-sync): 2.27.11

In order to enable automatic remediation, please create workflow rules
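The object-path entry (CVE-2021-3805) and the qs entry above share one root cause: a setter that walks a caller-controlled property path without refusing the segments `__proto__`, `constructor` and `prototype`, so a write intended for a plain object lands on `Object.prototype` (or, for qs, on an array-like shape that the parser then has to walk). The block below is an added example, not code from qs, object-path or browser-sync: a naive deep-set that demonstrably pollutes `Object.prototype`, a hardened `safeSet` beside it, and a small bracket-notation query parser built on the hardened setter, run over the payload quoted in the CVE-2022-24999 description. All function names, the null-prototype container choice and the depth/parameter limits are this example's own.

```javascript
'use strict';
// Added example (not qs, object-path or browser-sync code): a naive deep-set that
// pollutes Object.prototype next to a hardened one, and a bracket-notation query
// parser built on the hardened setter. Names and limits here are this example's own.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: follows whatever property the path names, including inherited ones,
// so ['__proto__', 'x'] walks onto Object.prototype and writes there.
function naiveSet(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
  return target;
}

// Hardened: rejects prototype-reaching segments, only descends into *own* properties,
// and creates null-prototype containers so there is no prototype chain to pollute.
function safeSet(target, path, value) {
  if (!Array.isArray(path) || path.length === 0) throw new Error('empty path');
  for (const seg of path) {
    if (FORBIDDEN_SEGMENTS.has(seg)) throw new Error(`refusing prototype segment: ${seg}`);
  }
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = Object.create(null);
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return target;
}

// Shows the pollution, then undoes it so the rest of the process is unaffected.
function demonstrateNaivePollution() {
  const bystander = {};                       // unrelated object created before the write
  naiveSet({}, ['__proto__', 'polluted'], 'yes');
  const leaked = bystander.polluted === 'yes'; // true: the write landed on Object.prototype
  delete Object.prototype.polluted;
  return leaked;
}

// "a[b][c]" -> ['a', 'b', 'c']. Empty brackets (array push) are deliberately unsupported.
function splitBracketKey(rawKey, maxDepth) {
  const key = decodeURIComponent(rawKey);
  const m = /^([^[\]]+)((?:\[[^[\]]+\])*)$/.exec(key);
  if (!m) throw new Error(`malformed key: ${key}`);
  const segs = [m[1]];
  const bracket = /\[([^[\]]+)\]/g;
  let b;
  while ((b = bracket.exec(m[2])) !== null) segs.push(b[1]);
  if (segs.length > maxDepth) throw new Error(`key deeper than ${maxDepth}: ${key}`);
  return segs;
}

// Parses a query string into a null-prototype object; keys that fail any check are
// dropped and reported instead of aborting the whole request.
function parseQuery(qs, { maxDepth = 5, maxParams = 1000 } = {}) {
  const params = Object.create(null);
  const rejected = [];
  const parts = qs.split('&').filter(Boolean);
  if (parts.length > maxParams) throw new Error(`more than ${maxParams} parameters`);
  for (const part of parts) {
    const eq = part.indexOf('=');
    const rawKey = eq === -1 ? part : part.slice(0, eq);
    try {
      const value = eq === -1 ? '' : decodeURIComponent(part.slice(eq + 1).replace(/\+/g, ' '));
      safeSet(params, splitBracketKey(rawKey, maxDepth), value);
    } catch (e) {
      rejected.push({ key: rawKey, reason: e.message });
    }
  }
  return { params, rejected };
}

// The payload quoted in the CVE-2022-24999 description above.
const PAYLOAD = 'a[__proto__]=b&a[__proto__]&a[length]=100000000';

// Stand-alone run: node this_file.js
console.log('naive setter polluted Object.prototype:', demonstrateNaivePollution());
const demo = parseQuery(PAYLOAD);
console.log('params:', demo.params, 'rejected:', demo.rejected);
console.log('prototype clean, no array allocated:',
  ({}).polluted === undefined && !Array.isArray(demo.params.a));
```

Run with `node`: the two `__proto__` keys are reported in `rejected`, `length` becomes an ordinary string field on a null-prototype object rather than an array length, and `({}).polluted` stays undefined. Whether to drop or reject offending keys is a policy choice; the point is that a request-controlled path never reaches the prototype chain.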

## CVE-2022-3517

### Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/minimatch/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - resp-modifier-6.0.2.tgz
    - :x: **minimatch-3.0.4.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution (minimatch): 3.0.5
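Three entries in this report (axios CVE-2021-3749, ua-parser-js CVE-2020-7793 and minimatch CVE-2022-3517) are ReDoS findings: availability-only impact, caused by a regex whose backtracking grows super-linearly on an input that almost matches. The block below is an added example, not the regex engine of Node or of any library listed here: a toy backtracking matcher for a tiny regex subset with a step counter and a step budget. The patterns `(a+)+$` and `a+$` are constructed to show the effect and are not the expressions those libraries actually use; the function names are this example's own.

```javascript
'use strict';
// Added example (not the regex engine of any library on this page): a toy backtracking
// matcher for a regex subset with a step counter and a step budget, used to show why a
// nested quantifier blows up on an input that almost matches. Patterns are constructed.

// Supported syntax: literal characters, ( ) groups, + and * quantifiers, $ anchor.
// Matching is always anchored at the start of the input.
function parsePattern(src) {
  let i = 0;
  function parseSeq() {
    const items = [];
    while (i < src.length && src[i] !== ')') {
      let atom;
      if (src[i] === '(') {
        i++;
        atom = parseSeq();
        if (src[i] !== ')') throw new Error(`unbalanced '(' in ${src}`);
        i++;
      } else if (src[i] === '$') {
        i++;
        atom = { type: 'end' };
      } else {
        atom = { type: 'char', c: src[i++] };
      }
      if (src[i] === '+' || src[i] === '*') {
        atom = { type: 'rep', node: atom, min: src[i] === '+' ? 1 : 0 };
        i++;
      }
      items.push(atom);
    }
    return { type: 'seq', items };
  }
  const ast = parseSeq();
  if (i !== src.length) throw new Error(`unexpected ')' in ${src}`);
  return ast;
}

class StepBudgetExceeded extends Error {}

// Continuation-passing backtracker: k(pos) is "what must match after this node".
// Every node visit is one step; exceeding the budget aborts the whole match.
function matchNode(node, input, pos, k, state) {
  if (++state.steps > state.budget) throw new StepBudgetExceeded();
  switch (node.type) {
    case 'char':
      return pos < input.length && input[pos] === node.c ? k(pos + 1) : false;
    case 'end':
      return pos === input.length ? k(pos) : false;
    case 'seq': {
      const go = (idx, p) =>
        idx === node.items.length ? k(p) : matchNode(node.items[idx], input, p, (np) => go(idx + 1, np), state);
      return go(0, pos);
    }
    case 'rep': {
      // Greedy: try one more iteration (which must consume input), then fall back to k.
      const iter = (p, count) =>
        matchNode(node.node, input, p, (np) => np > p && iter(np, count + 1), state) ||
        (count >= node.min ? k(p) : false);
      return iter(pos, 0);
    }
    default:
      throw new Error(`unknown node ${node.type}`);
  }
}

// Returns { matched, steps, aborted }. `budget` caps backtracking work, the shape of the
// mitigation a backtrack limit or a timeout provides in real engines.
function matchWithBudget(pattern, input, budget = Infinity) {
  const state = { steps: 0, budget };
  try {
    const matched = matchNode(parsePattern(pattern), input, 0, () => true, state);
    return { matched, steps: state.steps, aborted: false };
  } catch (e) {
    if (e instanceof StepBudgetExceeded) return { matched: false, steps: state.steps, aborted: true };
    throw e;
  }
}

// Constructed almost-matching input "aaa...a!" against a nested quantifier and its
// linear equivalent.
function stepsFor(pattern, n) {
  return matchWithBudget(pattern, 'a'.repeat(n) + '!').steps;
}

// Stand-alone run: node this_file.js
for (const n of [8, 10, 12, 14]) {
  console.log(`n=${n}  (a+)+$ steps=${stepsFor('(a+)+$', n)}  a+$ steps=${stepsFor('a+$', n)}`);
}
console.log('with a 100000-step budget:', matchWithBudget('(a+)+$', 'a'.repeat(40) + '!', 100000));
```

The printed counts roughly double for every extra `a` under `(a+)+$` while `a+$` grows by two steps per character; the budgeted call aborts instead of running for the lifetime of the process. The library fixes listed above replace the offending patterns; where no upgrade path exists (minimatch here has no browser-sync fix listed), the generic defence is to cap the length of attacker-controlled input before any regex runs over it.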

## CVE-2020-36048

### Vulnerable Library - engine.io-3.2.1.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.2.1.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/engine.io/package.json

Dependency Hierarchy:
- browser-sync-2.26.3.tgz (Root Library)
  - socket.io-2.1.1.tgz
    - :x: **engine.io-3.2.1.tgz** (Vulnerable Library)

Found in HEAD commit: fbca9ba603e60373d9b92714517262109b92e2bc

Found in base branch: master

### Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution (engine.io): 3.6.0

Direct dependency fix Resolution (browser-sync): 2.27.10

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.