Lawlez / memepredict

predicts and publishes the latest trendy memes with the help of the reddit API & fb Graph API

[DepShield] (CVSS 9.8) Vulnerability due to usage of handlebars:4.7.6 #203

Open sonatype-depshield[bot] opened 2 years ago

sonatype-depshield[bot] commented 2 years ago

Vulnerabilities

DepShield reports that this application's usage of handlebars:4.7.6 results in the following vulnerability(s):


Occurrences

handlebars:4.7.6 is a transitive dependency introduced by the following direct dependency(s):

react-scripts:3.1.1
  └─ jest:24.8.0
    └─ jest-cli:24.9.0
      └─ @jest/core:24.9.0
        └─ @jest/reporters:24.9.0
          └─ istanbul-reports:2.2.6
            └─ handlebars:4.7.6

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

secure-code-warrior-for-github[bot] commented 2 years ago

Micro-Learning Topic: Improper Control of Generation of Code ('Code Injection') (CWE 94)

Matched on "CWE-94"

What is this? (2min video)

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "Code Injection"

What is this? (2min video)

Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.

Try this challenge in Secure Code Warrior