noise-suppression-1.0.0-beta.9.tgz: 1 vulnerabilities (highest severity is: 6.1) - autoclosed
Vulnerable Library - noise-suppression-1.0.0-beta.9.tgz
Path to dependency file: /noise-suppression/denoize-file/package.json
Path to vulnerable library: /noise-suppression/denoize-file/package.json
Found in HEAD commit: 9b1f98ab042c8779c87c84b4c9fa92fab79a7be4
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (noise-suppression version) | Fix PR available |
---|---|---|---|---|---|---|
CVE-2023-49293 | Medium | 6.1 | vite-4.5.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2023-49293
Vulnerable Library - vite-4.5.0.tgz
Library home page: https://registry.npmjs.org/vite/-/vite-4.5.0.tgz
Path to dependency file: /noise-suppression/denoize-file/package.json
Path to vulnerable library: /noise-suppression/denoize-file/package.json
Dependency Hierarchy:
- noise-suppression-1.0.0-beta.9.tgz (Root Library)
  - ❌ vite-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 9b1f98ab042c8779c87c84b4c9fa92fab79a7be4
Found in base branch: main
Vulnerability Details
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the HTML being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
Publish Date: 2023-12-04
URL: CVE-2023-49293
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-92r3-m2mg-pj97
Release Date: 2023-12-04
Fix Resolution: vite - 4.4.12,4.5.1,5.0.5
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.