typedoc-0.5.3.tgz: 22 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - typedoc-0.5.3.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/handlebars

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (typedoc version)	Remediation Possible**
CVE-2019-19919	Critical	9.8	handlebars-4.0.5.tgz	Transitive	0.6.0	✅
CVE-2019-20920	High	8.1	handlebars-4.0.5.tgz	Transitive	0.6.0	✅
WS-2020-0450	High	7.5	handlebars-4.0.5.tgz	Transitive	0.6.0	✅
CVE-2022-3517	High	7.5	minimatch-3.0.3.tgz	Transitive	N/A*	❌
CVE-2022-21681	High	7.5	marked-0.3.6.tgz	Transitive	0.21.10	✅
CVE-2022-21680	High	7.5	marked-0.3.6.tgz	Transitive	0.21.10	✅
CVE-2019-20922	High	7.5	handlebars-4.0.5.tgz	Transitive	0.6.0	✅
CVE-2017-18077	High	7.5	brace-expansion-1.1.6.tgz	Transitive	0.5.4	✅
CVE-2017-16114	High	7.5	marked-0.3.6.tgz	Transitive	0.5.4	✅
WS-2019-0064	High	7.3	handlebars-4.0.5.tgz	Transitive	0.6.0	✅
CVE-2022-0144	High	7.1	shelljs-0.7.5.tgz	Transitive	0.10.0	✅
WS-2019-0026	Medium	6.1	marked-0.3.6.tgz	Transitive	0.5.4	✅
WS-2019-0025	Medium	6.1	marked-0.3.6.tgz	Transitive	0.5.4	✅
WS-2020-0163	Medium	5.9	marked-0.3.6.tgz	Transitive	0.18.0	✅
WS-2019-0103	Medium	5.6	handlebars-4.0.5.tgz	Transitive	0.6.0	✅
CVE-2021-23383	Medium	5.6	handlebars-4.0.5.tgz	Transitive	0.6.0	✅
CVE-2021-23369	Medium	5.6	handlebars-4.0.5.tgz	Transitive	0.6.0	✅
CVE-2017-16032	Medium	5.5	brace-expansion-1.1.6.tgz	Transitive	0.5.4	✅
WS-2020-0208	Medium	5.3	highlight.js-9.9.0.tgz	Transitive	0.17.5	✅
WS-2019-0027	Medium	5.3	marked-0.3.6.tgz	Transitive	0.5.4	✅
WS-2018-0628	Medium	5.3	marked-0.3.6.tgz	Transitive	0.12.0	✅
CVE-2017-1000427	Low	3.7	marked-0.3.6.tgz	Transitive	0.5.4	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-19919

### Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/handlebars

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **handlebars-4.0.5.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. Mend Note: Converted from WS-2019-0368, on 2022-11-08.

Publish Date: 2019-12-20

URL: CVE-2019-19919

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-w457-6q6x-cgp9

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (typedoc): 0.6.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-20920

### Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/handlebars

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **handlebars-4.0.5.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

### CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2020-09-30

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (typedoc): 0.6.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2020-0450

### Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/handlebars

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **handlebars-4.0.5.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Handlebars before 4.6.0 vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).

Publish Date: 2020-01-09

URL: WS-2020-0450

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-01-09

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (typedoc): 0.6.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-3517

### Vulnerable Library - minimatch-3.0.3.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.3.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/minimatch

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **minimatch-3.0.3.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2022-21681

### Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/marked

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **marked-0.3.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (typedoc): 0.21.10

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-21680

### Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/marked

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **marked-0.3.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (typedoc): 0.21.10

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-20922

### Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/handlebars

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **handlebars-4.0.5.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources. Mend Note: Converted from WS-2019-0491, on 2022-11-08.

Publish Date: 2020-09-30

URL: CVE-2019-20922

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-09-30

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (typedoc): 0.6.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2017-18077

### Vulnerable Library - brace-expansion-1.1.6.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/brace-expansion

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - minimatch-3.0.3.tgz - :x: **brace-expansion-1.1.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters. Mend Note: Converted from WS-2017-0206, on 2022-11-08.

Publish Date: 2022-10-03

URL: CVE-2017-18077

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18077

Release Date: 2022-10-03

Fix Resolution (brace-expansion): 1.1.7

Direct dependency fix Resolution (typedoc): 0.5.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2017-16114

### Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/marked

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **marked-0.3.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

Publish Date: 2018-04-26

URL: CVE-2017-16114

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/531/versions

Release Date: 2018-04-26

Fix Resolution (marked): 0.3.9

Direct dependency fix Resolution (typedoc): 0.5.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2019-0064

### Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/handlebars

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **handlebars-4.0.5.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/

Release Date: 2019-01-30

Fix Resolution (handlebars): 4.0.14

Direct dependency fix Resolution (typedoc): 0.6.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-0144

### Vulnerable Library - shelljs-0.7.5.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.7.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/shelljs

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **shelljs-0.7.5.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

### CVSS 3 Score Details (7.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-01-11

Fix Resolution (shelljs): 0.8.5

Direct dependency fix Resolution (typedoc): 0.10.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2019-0026

### Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/marked

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **marked-0.3.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Versions 0.3.7 and earlier of marked suuport unescaping of only lowercase, which may lead to XSS.

Publish Date: 2017-12-23

URL: WS-2019-0026

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2017-12-23

Fix Resolution (marked): 0.3.9

Direct dependency fix Resolution (typedoc): 0.5.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2019-0025

### Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/marked

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **marked-0.3.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Versions 0.3.7 and earlier of marked When mangling is disabled via option mangle don't escape target href are vulnerable to XSS, which allows an attacker to inject arbitrary code.

Publish Date: 2017-12-23

URL: WS-2019-0025

### CVSS 3 Score Details (6.1)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2017-12-23

Fix Resolution (marked): 0.3.9

Direct dependency fix Resolution (typedoc): 0.5.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2020-0163

### Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/marked

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **marked-0.3.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (marked): 1.1.1

Direct dependency fix Resolution (typedoc): 0.18.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2019-0103

### Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/handlebars

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **handlebars-4.0.5.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Handlebars.js before 4.1.0 has Remote Code Execution (RCE)

Publish Date: 2019-01-30

URL: WS-2019-0103

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-01-30

Fix Resolution (handlebars): 4.0.13

Direct dependency fix Resolution (typedoc): 0.6.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-23383

### Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/handlebars

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **handlebars-4.0.5.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (typedoc): 0.6.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-23369

### Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/handlebars

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **handlebars-4.0.5.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (typedoc): 0.6.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2017-16032

### Vulnerable Library - brace-expansion-1.1.6.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/brace-expansion

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - minimatch-3.0.3.tgz - :x: **brace-expansion-1.1.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

brace-expansion before 1.1.7 are vulnerable to a regular expression denial of service.

Publish Date: 2020-07-21

URL: CVE-2017-16032

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/338

Release Date: 2020-07-21

Fix Resolution (brace-expansion): 1.1.7

Direct dependency fix Resolution (typedoc): 0.5.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2020-0208

### Vulnerable Library - highlight.js-9.9.0.tgz

Syntax highlighting with language autodetection.

Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.9.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/highlight.js

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **highlight.js-9.9.0.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.

Publish Date: 2020-12-04

URL: WS-2020-0208

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-12-04

Fix Resolution (highlight.js): 10.4.1

Direct dependency fix Resolution (typedoc): 0.17.5

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2019-0027

### Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/marked

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **marked-0.3.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Versions 0.3.17 and earlier of marked has Four regexes were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential REDOS attack.

Publish Date: 2018-02-26

URL: WS-2019-0027

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2018-02-26

Fix Resolution (marked): 0.3.18

Direct dependency fix Resolution (typedoc): 0.5.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2018-0628

### Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/marked

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **marked-0.3.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2018-04-16

Fix Resolution (marked): 0.4.0

Direct dependency fix Resolution (typedoc): 0.12.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2017-1000427

### Vulnerable Library - marked-0.3.6.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.6.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/marked

Dependency Hierarchy: - typedoc-0.5.3.tgz (Root Library) - :x: **marked-0.3.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

Publish Date: 2018-01-02

URL: CVE-2017-1000427

### CVSS 3 Score Details (3.7)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000427

Release Date: 2018-01-02

Fix Resolution (marked): 0.3.7

Direct dependency fix Resolution (typedoc): 0.5.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

snowdensb / dependabot-core

typedoc-0.5.3.tgz: 22 vulnerabilities (highest severity is: 9.8) - autoclosed #1081

Vulnerabilities

Details