418sec · benharvie · Aug 14, 2020 · Aug 10, 2020 · Aug 10, 2020 · Aug 11, 2020
diff --git a/bounties/npm/angular-redactor/1/README.md b/bounties/npm/angular-redactor/1/README.md
@@ -0,0 +1,3 @@
+# Overview
+
+`angular-redactor` is an angular directive for the Redactor editor, this package is vulnerable to Cross-site Scripting (XSS) attacks when HTML content mode is used.
diff --git a/bounties/npm/angular-redactor/1/bounty.json b/bounties/npm/angular-redactor/1/bounty.json
@@ -0,0 +1,7 @@
+{
+	"ForkURL": "",
+	"Bounty": {
+		"Credit": 650,
+		"Cash": 25
+	}
+}
diff --git a/bounties/npm/angular-redactor/1/vulnerability.json b/bounties/npm/angular-redactor/1/vulnerability.json
@@ -0,0 +1,49 @@
+{
+	"PackageVulnerabilityID": 1,
+	"DisclosureDate": "2020-08-10",
+	"AffectedVersionRange": "*",
+	"Summary": "Cross-site Scripting (XSS)",
+	"Contributor": {
+		"Discloser": "",
+		"Fixer": ""
+	},
+	"Package": {
+		"Registry": "npm",
+		"Name": "angular-redactor",
+		"URL": "https://www.npmjs.com/package/angular-redactor",
+		"Downloads": "77682"
+	},
+	"CWEs": [{
+		"ID": "CWE-79",
+		"Description": ""
+	}],
+	"CVSS": {
+		"Version": "3.1",
+		"AV": "N",
+		"AC": "L",
+		"PR": "N",
+		"UI": "R",
+		"S": "U",
+		"C": "H",
+		"I": "N",
+		"A": "N",
+		"E": "",
+		"RL": "",
+		"RC": "",
+		"Score": "6.5"
+	},
+	"CVEs": [
+		"CVE-2018-13339"
+	],
+	"Repository": {
+		"URL": "https://github.com/TylerGarlick/angular-redactor",
+		"Codebase": [
+			"JavaScript"
+		]
+	},
+	"Permalinks": [],
+	"References": [{
+		"Description": "GitHub Issue",
+		"URL": "https://github.com/TylerGarlick/angular-redactor/issues/77"
+	}]
+}
diff --git a/bounties/npm/hexo-admin/1/README.md b/bounties/npm/hexo-admin/1/README.md
@@ -0,0 +1,5 @@
+# Overview
+
+`hexo-admin` is a Admin Interface for Hexo, this package are vulnerable to Cross-site Scripting (XSS).
+
+It fails to sanitize rendered markdown, allowing attackers to execute arbitrary JavaScript code in a browser when they create a new post.
diff --git a/bounties/npm/hexo-admin/1/bounty.json b/bounties/npm/hexo-admin/1/bounty.json
@@ -0,0 +1,7 @@
+{
+	"ForkURL": "",
+	"Bounty": {
+		"Credit": 650,
+		"Cash": 25
+	}
+}
diff --git a/bounties/npm/hexo-admin/1/vulnerability.json b/bounties/npm/hexo-admin/1/vulnerability.json
@@ -0,0 +1,54 @@
+{
+	"PackageVulnerabilityID": 1,
+	"DisclosureDate": "2020-08-10",
+	"AffectedVersionRange": "*",
+	"Summary": "Cross-site Scripting (XSS)",
+	"Contributor": {
+		"Discloser": "Chintan",
+		"Fixer": ""
+	},
+	"Package": {
+		"Registry": "npm",
+		"Name": "hexo-admin",
+		"URL": "https://www.npmjs.com/package/hexo-admin",
+		"Downloads": "22903"
+	},
+	"CWEs": [{
+		"ID": "CWE-79",
+		"Description": ""
+	}],
+	"CVSS": {
+		"Version": "3.1",
+		"AV": "N",
+		"AC": "L",
+		"PR": "N",
+		"UI": "R",
+		"S": "U",
+		"C": "H",
+		"I": "N",
+		"A": "N",
+		"E": "",
+		"RL": "",
+		"RC": "",
+		"Score": "6.5"
+	},
+	"CVEs": [
+		""
+	],
+	"Repository": {
+		"URL": "https://github.com/jaredly/hexo-admin",
+		"Codebase": [
+			"JavaScript"
+		]
+	},
+	"Permalinks": [],
+	"References": [{
+			"Description": "GitHub Issue",
+			"URL": "https://github.com/jaredly/hexo-admin/issues/185"
+		},
+		{
+			"Description": "www.npmjs.com",
+			"URL": "https://www.npmjs.com/advisories/1211"
+		}
+	]
+}
diff --git a/bounties/npm/jquery-confirm/1/README.md b/bounties/npm/jquery-confirm/1/README.md
@@ -0,0 +1,12 @@
+# Overview
+
+`jquery-confirm` is a multipurpose plugin for jquery alert, confirm & dialog.
+
+This package is vulnerable to Cross-site Scripting (XSS), HTML can be injected via. `setIcon` and `closeIconClass`.
+
+# Proof of Concept
+
+```
+// This shows succesful script execution: alert(0) is executed:
+$.confirm().setIcon('"><img src onerror="alert(0)"><"')
+```
diff --git a/bounties/npm/jquery-confirm/1/bounty.json b/bounties/npm/jquery-confirm/1/bounty.json
@@ -0,0 +1,7 @@
+{
+	"ForkURL": "",
+	"Bounty": {
+		"Credit": 630,
+		"Cash": 25
+	}
+}
diff --git a/bounties/npm/jquery-confirm/1/vulnerability.json b/bounties/npm/jquery-confirm/1/vulnerability.json
@@ -0,0 +1,49 @@
+{
+	"PackageVulnerabilityID": 1,
+	"DisclosureDate": "2020-08-10",
+	"AffectedVersionRange": "*",
+	"Summary": "Cross-site Scripting (XSS)",
+	"Contributor": {
+		"Discloser": "Rob--W",
+		"Fixer": ""
+	},
+	"Package": {
+		"Registry": "npm",
+		"Name": "jquery-confirm",
+		"URL": "https://www.npmjs.com/package/jquery-confirm",
+		"Downloads": "247261"
+	},
+	"CWEs": [{
+		"ID": "CWE-79",
+		"Description": ""
+	}],
+	"CVSS": {
+		"Version": "3.1",
+		"AV": "N",
+		"AC": "L",
+		"PR": "N",
+		"UI": "R",
+		"S": "U",
+		"C": "L",
+		"I": "L",
+		"A": "L",
+		"E": "",
+		"RL": "",
+		"RC": "",
+		"Score": "6.3"
+	},
+	"CVEs": [
+		""
+	],
+	"Repository": {
+		"URL": "https://github.com/craftpip/jquery-confirm",
+		"Codebase": [
+			"JavaScript"
+		]
+	},
+	"Permalinks": [],
+	"References": [{
+		"Description": "GitHub Issue",
+		"URL": "https://github.com/craftpip/jquery-confirm/issues/508"
+	}]
+}
diff --git a/bounties/npm/node-dns-sync/1/README.md b/bounties/npm/node-dns-sync/1/README.md
@@ -0,0 +1,3 @@
+# Overview
+
+`dns-sync` is a dns resolver implemented in Node.js, This package is vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
diff --git a/bounties/npm/node-dns-sync/1/bounty.json b/bounties/npm/node-dns-sync/1/bounty.json
@@ -0,0 +1,7 @@
+{
+	"ForkURL": "",
+	"Bounty": {
+		"Credit": 530,
+		"Cash": 25
+	}
+}
diff --git a/bounties/npm/node-dns-sync/1/vulnerability.json b/bounties/npm/node-dns-sync/1/vulnerability.json
@@ -0,0 +1,49 @@
+{
+	"PackageVulnerabilityID": 1,
+	"DisclosureDate": "2020-08-10",
+	"AffectedVersionRange": "*",
+	"Summary": "Regular Expression Denial of Service (ReDoS)",
+	"Contributor": {
+		"Discloser": "Cristian-Alexandru Staicu",
+		"Fixer": ""
+	},
+	"Package": {
+		"Registry": "npm",
+		"Name": "dns-sync",
+		"URL": "https://www.npmjs.com/package/dns-sync",
+		"Downloads": "654853"
+	},
+	"CWEs": [{
+		"ID": "CWE-400",
+		"Description": ""
+	}],
+	"CVSS": {
+		"Version": "3.1",
+		"AV": "N",
+		"AC": "L",
+		"PR": "N",
+		"UI": "N",
+		"S": "U",
+		"C": "N",
+		"I": "N",
+		"A": "L",
+		"E": "",
+		"RL": "",
+		"RC": "",
+		"Score": "5.3"
+	},
+	"CVEs": [
+		"CVE-2017-16100"
+	],
+	"Repository": {
+		"URL": "https://https://github.com/skoranga/node-dns-sync",
+		"Codebase": [
+			"JavaScript"
+		]
+	},
+	"Permalinks": [],
+	"References": [{
+		"Description": "GitHub Issue",
+		"URL": "https://github.com/skoranga/node-dns-sync/issues/5"
+	}]
+}
diff --git a/bounties/npm/squel/1/README.md b/bounties/npm/squel/1/README.md
@@ -0,0 +1,12 @@
+# Overview
+
+`squel` is a SQL query string builder, this package is vulnerable to SQL Injection.
+
+The package does not properly escape user provided input when provided using the `setFields` method. This could lead to SQL injection (SQLi) if the query was then executed.
+
+# Proof of Concept
+
+```
+> console.log(squel.insert().into('buh').setFields({foo: "bar'baz"}).toString());
+INSERT INTO buh (foo) VALUES ('bar\'baz')
+```
diff --git a/bounties/npm/squel/1/bounty.json b/bounties/npm/squel/1/bounty.json
@@ -0,0 +1,7 @@
+{
+	"ForkURL": "",
+	"Bounty": {
+		"Credit": 630,
+		"Cash": 25
+	}
+}
diff --git a/bounties/npm/squel/1/vulnerability.json b/bounties/npm/squel/1/vulnerability.json
@@ -0,0 +1,49 @@
+{
+	"PackageVulnerabilityID": 1,
+	"DisclosureDate": "2020-08-10",
+	"AffectedVersionRange": "*",
+	"Summary": "SQL Injection",
+	"Contributor": {
+		"Discloser": "Sean Lynch",
+		"Fixer": ""
+	},
+	"Package": {
+		"Registry": "npm",
+		"Name": "squel",
+		"URL": "https://www.npmjs.com/package/squel",
+		"Downloads": "2132650"
+	},
+	"CWEs": [{
+		"ID": "CWE-89",
+		"Description": ""
+	}],
+	"CVSS": {
+		"Version": "3.1",
+		"AV": "N",
+		"AC": "L",
+		"PR": "L",
+		"UI": "N",
+		"S": "U",
+		"C": "L",
+		"I": "L",
+		"A": "L",
+		"E": "",
+		"RL": "",
+		"RC": "",
+		"Score": "6.3"
+	},
+	"CVEs": [
+		""
+	],
+	"Repository": {
+		"URL": "https://github.com/hiddentao/squel",
+		"Codebase": [
+			"JavaScript"
+		]
+	},
+	"Permalinks": [],
+	"References": [{
+		"Description": "GitHub Issue",
+		"URL": "https://github.com/hiddentao/squel/issues/350"
+	}]
+}
diff --git a/bounties/npm/web3.js/1/README.md b/bounties/npm/web3.js/1/README.md
@@ -0,0 +1,7 @@
+# Overview
+
+`web3` is a JavaScript API which connects to the Generic JSON RPC spec.
+
+This package are vulnerable to Insecure Credential Storage, the current implementation of `web3.js` could result in wallet decryption under certain circumstances. When a wallet is saved and encrypted into local storage, a private key is needed to load the wallet. However, this private key is available via/ LocalStorage and is readable in plaintext format on a webpage after a wallet is loaded.
+
+This implementation could be abused by an attacker through client-side attacks such as Cross-site Scripting and could result in the stealing of a user's wallet private key.
diff --git a/bounties/npm/web3.js/1/bounty.json b/bounties/npm/web3.js/1/bounty.json
@@ -0,0 +1,7 @@
+{
+	"ForkURL": "",
+	"Bounty": {
+		"Credit": 330,
+		"Cash": 25
+	}
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# Overview

		`angular-redactor` is an angular directive for the Redactor editor, this package is vulnerable to Cross-site Scripting (XSS) attacks when HTML content mode is used.
Comment thread benharvie marked this conversation as resolved.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# Overview

		`dns-sync` is a dns resolver implemented in Node.js, This package is vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Comment thread benharvie marked this conversation as resolved.