Vonage / vonage-media-transformers-samples

Vonage Media Transformers Examples
MIT License

noise-suppression-1.0.0-beta.9.tgz: 1 vulnerabilities (highest severity is: 6.1) - autoclosed #34

Closed mend-for-github-com[bot] closed 5 months ago

mend-for-github-com[bot] commented 6 months ago
Vulnerable Library - noise-suppression-1.0.0-beta.9.tgz

Path to dependency file: /noise-suppression/denoize-file/package.json

Path to vulnerable library: /noise-suppression/denoize-file/package.json

Found in HEAD commit: 9b1f98ab042c8779c87c84b4c9fa92fab79a7be4


Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (noise-suppression version) | Fix PR available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-49293 | Medium | 6.1 | vite-4.5.0.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-49293

### Vulnerable Library - vite-4.5.0.tgz

Library home page: https://registry.npmjs.org/vite/-/vite-4.5.0.tgz

Path to dependency file: /noise-suppression/denoize-file/package.json

Path to vulnerable library: /noise-suppression/denoize-file/package.json

Dependency Hierarchy:

- noise-suppression-1.0.0-beta.9.tgz (Root Library)
  - :x: **vite-4.5.0.tgz** (Vulnerable Library)

Found in HEAD commit: 9b1f98ab042c8779c87c84b4c9fa92fab79a7be4

Found in base branch: main

### Vulnerability Details

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (``), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.

Publish Date: 2023-12-04

URL: CVE-2023-49293

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97

Release Date: 2023-12-04

Fix Resolution: vite - 4.4.12,4.5.1,5.0.5

mend-for-github-com[bot] commented 5 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.