Version Details and Security Vulnerabilities

📦

gitbook-plugin-prism

0.1.1

Comparision Betweeen 0.1.1 and 0.1.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

gitbook-plugin-prism

0.1.1

Comparision Betweeen 0.1.1 and 0.1.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.1 of the package gitbook-plugin-prism.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.1 of the package

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Details about lodash@3.10.1

Summary:

css-what vulnerable to ReDoS due to use of insecure regular expression

Details:

The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

Details about css-what@1.0.0

Summary:

Inefficient Regular Expression Complexity in nth-check

Details:

There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.

The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.

Proof of Concept

// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i*10000)+"!";
    try {
        nthCheck.parse(attack_str) 
    }
    catch(err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
    }
}

The Output

attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms

Details about nth-check@1.0.2

Summary:

Regular Expression Denial of Service (ReDoS) in Prism

Details:

Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.

ASCIIDoc
ERB

Other languages are not affected and can be used to highlight untrusted text.

Patches

This problem has been fixed in Prism v1.24.

References

PrismJS/prism#2774
PrismJS/prism#2688

Details about prismjs@0.0.1

Summary:

Denial of service in prismjs

Details:

The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

Details about prismjs@0.0.1

Summary:

prismjs Regular Expression Denial of Service vulnerability

Details:

Prism is a syntax highlighting library. The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.

Details about prismjs@0.0.1

Summary:

PrismJS DOM Clobbering vulnerability

Details:

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Details about prismjs@0.0.1

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.1 of the package gitbook-plugin-prism.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.1 of the package

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.11 or later.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.5 or later.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

Recommendation

Update to version 4.17.12 or later.

Details about lodash@3.10.1

Summary:

Prototype Pollution in lodash

Details:

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Details about lodash@3.10.1

Summary:

css-what vulnerable to ReDoS due to use of insecure regular expression

Details:

Details about css-what@1.0.0

Summary:

Inefficient Regular Expression Complexity in nth-check

Details:

There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.

The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.

Proof of Concept

// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i*10000)+"!";
    try {
        nthCheck.parse(attack_str) 
    }
    catch(err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
    }
}

The Output

attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms

Details about nth-check@1.0.2

Summary:

Regular Expression Denial of Service (ReDoS) in Prism

Details:

Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

ASCIIDoc
ERB

Other languages are not affected and can be used to highlight untrusted text.

Patches

This problem has been fixed in Prism v1.24.

References

PrismJS/prism#2774
PrismJS/prism#2688

Details about prismjs@0.0.1

Summary:

Denial of service in prismjs

Details:

The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

Details about prismjs@0.0.1

Summary:

prismjs Regular Expression Denial of Service vulnerability

Details:

Details about prismjs@0.0.1

Summary:

PrismJS DOM Clobbering vulnerability

Details:

Details about prismjs@0.0.1

Version Details and Security Vulnerabilities

gitbook-plugin-prism

Comparision Betweeen 0.1.1 and 0.1.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

gitbook-plugin-prism

Comparision Betweeen 0.1.1 and 0.1.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Recommendation

Recommendation

Recommendation

Impact

Patches

References

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Recommendation

Recommendation

Recommendation

Impact

Patches

References

Version Details and Security Vulnerabilities

gitbook-plugin-prism

Comparision Betweeen 0.1.1 and 0.1.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

gitbook-plugin-prism

Comparision Betweeen 0.1.1 and 0.1.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

lodash@3.10.1 GHSA-35jh-r3h4-6jhm 7.2

lodash@3.10.1 GHSA-4xc9-xhrj-v574 N/A

Recommendation

lodash@3.10.1 GHSA-fvqr-27wr-82fm 6.5

Recommendation

lodash@3.10.1 GHSA-jf85-cpcp-j695 9.1

Recommendation

lodash@3.10.1 GHSA-p6mc-m468-83gw 7.4

css-what@1.0.0 GHSA-p28h-cc7q-c4fg 7.5

nth-check@1.0.2 GHSA-rp65-9cf3-cjxr 7.5

prismjs@0.0.1 GHSA-gj77-59wh-66hg 7.4

Impact

Patches

References

prismjs@0.0.1 GHSA-h4hr-7fg3-h35w N/A

prismjs@0.0.1 GHSA-hqhp-5p83-hx96 6.5

prismjs@0.0.1 GHSA-x7hr-w5r2-h6wg 4.9

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

lodash@3.10.1 GHSA-35jh-r3h4-6jhm 7.2

lodash@3.10.1 GHSA-4xc9-xhrj-v574 N/A

Recommendation

lodash@3.10.1 GHSA-fvqr-27wr-82fm 6.5

Recommendation

lodash@3.10.1 GHSA-jf85-cpcp-j695 9.1

Recommendation

lodash@3.10.1 GHSA-p6mc-m468-83gw 7.4

css-what@1.0.0 GHSA-p28h-cc7q-c4fg 7.5

nth-check@1.0.2 GHSA-rp65-9cf3-cjxr 7.5

prismjs@0.0.1 GHSA-gj77-59wh-66hg 7.4

Impact

Patches

References

prismjs@0.0.1 GHSA-h4hr-7fg3-h35w N/A

prismjs@0.0.1 GHSA-hqhp-5p83-hx96 6.5

prismjs@0.0.1 GHSA-x7hr-w5r2-h6wg 4.9