fix/security issues #978

Merged
merged 5 commits into from
Mar 29, 2021
Conversation

maestart
  1. CVE-2020-28458 - Prototype Pollution in the datatables package. Fixed because datatables is a direct dependency of webapp. Replaced by datatables.net, with path changes.
  2. CVE-2020-28458 - same problem, but for a sub-dependency of datatables.net-bs. Fixed by updating the patch version of datatables.net-bs.
  3. CVE-2018-19057 - XSS in the simplemde package, part of covalent/text-editor, which is used as a JSF plugin to implement markdown editor fields. Reproduced by the sample from here. Fixed by detecting onerror attribute assignment and removing it; an async call is required by the package options API (no possibility of fixing by package update or by using npm force-resolutions). The fix does not affect the markdown preview appearance.

@andrewkikot andrewkikot merged commit a0cf751 into master Mar 29, 2021
@major13ua major13ua deleted the fix/security-issues branch April 25, 2022 14:10