OWASP scan vulnerability Detected
Hi,
We had a recent OWASP scan for our site (Umbraco v8.18.5) and there are a few vulnerabilities detected by the scan.
1- Handlebars (critical)
The following version was identified as being out of date:
Version: Handlebars v 4.7.6
Detected at: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.7.6/handlebars.min.js (remote included)
Vulnerability Info:
critical - The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source - CVE-2021-23383
critical - The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source - CVE-2021-23369
2- Axios (medium)
The following version was identified as being out of date:
Version: Axios v 0.20.0
Detected at: https://cdnjs.cloudflare.com/ajax/libs/axios/0.20.0/axios.min.js
Vulnerability Info:
high - Axios is vulnerable to Inefficient Regular Expression Complexity - CVE-2021-3749
medium - Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2020-28168
3- Moment.js (high)
The following version was identified as being out of date:
Version: moment.js v
Detected at: 2.27.0
Vulnerability Info:
high - This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale - CVE-2022-24785
high - Regular Expression Denial of Service (ReDoS), affecting the moment package, versions >=2.18.0 <2.29.4 - CVE-2022-31129
I have found moment.min.js but couldn't find the other 2 libraries?
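The question above is really "where are these three libraries pulled in from?". Since the scan reports them as remote includes from cdnjs, the quickest way to answer it is to grep the rendered page HTML (or the site's Views folder of .cshtml/.html files) for versioned cdnjs script tags and compare each version against the fixed version in the advisory. The following Python script is an added example for this thread; it is not code from the original post or from Umbraco. The handlebars.js and moment.js floors come from the advisory text quoted above; the axios floor (0.21.2) is an assumption supplied here because the post does not state a fixed version, and the sample markup at the bottom is constructed for the demonstration.

```python
"""Locate versioned cdnjs <script> includes in site markup and flag the ones
below the fixed versions quoted in the scan findings."""
import re
from pathlib import Path
from typing import Iterable, List, NamedTuple, Tuple

# Minimum versions no longer affected by the CVEs quoted in the post.
# handlebars.js and moment.js floors are taken from the advisory text above;
# the axios floor is an ASSUMPTION supplied here, the post gives no fixed version.
MIN_SAFE = {
    "handlebars.js": (4, 7, 7),   # CVE-2021-23383 / CVE-2021-23369: "before 4.7.7"
    "moment.js": (2, 29, 4),      # CVE-2022-31129: ">=2.18.0 <2.29.4"
    "axios": (0, 21, 2),          # assumed floor, not stated in the post
}

# Matches <script ... src="https://cdnjs.cloudflare.com/ajax/libs/<lib>/<version>/<file>">
CDNJS_RE = re.compile(
    r"""<script[^>]*?\ssrc=["'](?P<url>https?://cdnjs\.cloudflare\.com/ajax/libs/"""
    r"""(?P<lib>[^/"']+)/(?P<ver>\d+(?:\.\d+)*)/[^"']+)["']""",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    lib: str
    version: str
    url: str
    source: str       # file path or label the include was found in
    outdated: bool    # True when version < MIN_SAFE floor for that library


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.7.6' -> (4, 7, 6); tuples compare correctly even with differing lengths."""
    return tuple(int(p) for p in v.split("."))


def scan_html(html: str, source: str = "<inline>") -> List[Finding]:
    """Return one Finding per versioned cdnjs script include in the markup."""
    findings = []
    for m in CDNJS_RE.finditer(html):
        lib, ver = m.group("lib"), m.group("ver")
        floor = MIN_SAFE.get(lib.lower())
        outdated = floor is not None and parse_version(ver) < floor
        findings.append(Finding(lib, ver, m.group("url"), source, outdated))
    return findings


def scan_tree(root: str, exts: Iterable[str] = (".cshtml", ".html", ".htm", ".js")) -> List[Finding]:
    """Walk a site folder (e.g. the Umbraco Views/ directory) and scan every markup/script file."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            findings.extend(scan_html(path.read_text(errors="ignore"), str(path)))
    return findings


def outdated_libs(findings: Iterable[Finding]) -> List[str]:
    """Sorted, de-duplicated names of libraries found below their floor."""
    return sorted({f.lib for f in findings if f.outdated})


# Constructed sample markup for the demonstration (not taken from any real site):
# the three versions reported by the scan, plus a library with no floor and
# a moment.js include that is already at the fixed version.
SAMPLE_HTML = """
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src='https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.7.6/handlebars.min.js'></script>
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/axios/0.20.0/axios.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.27.0/moment.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.29.4/moment.min.js"></script>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{'OUTDATED' if f.outdated else 'ok      '} {f.lib} {f.version}  {f.url}")
```

Run `scan_tree("Views")` from the site root to get the file path of every include, which is exactly the information the scan report does not give when it says "remote included". Note that the check is only as good as the version in the URL: a `latest`-style include or a locally bundled copy will not match the pattern and needs a manual look at the file header.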
Umbraco v8.18.6
I am not aware this version exists, latest v8 is 8.18.5!
Thank you for pointing that out and sorry for the confusion, I meant to say v8.18.5, I have edited the post.
Actually v8.18.6 is in progress but the release date is not yet determined. https://our.umbraco.com/download/releases/8186
This version does include a backoffice dependencies upgrade, and one of them is moment.js, as came up in our scan, but not sure about handlebars.min.js and axios.min.js.
https://github.com/umbraco/Umbraco-CMS/pull/12919
Not sure what those two are either, I'm afraid.