Found Vulnerability ' Improper Input Validation ' and ' Prototype Pollution ' on Synk.io

Question

Found Vulnerability ' Improper Input Validation ' and ' Prototype Pollution ' on Synk.io

kanxoramesh opened this issue 3 years ago · 3 comments

BUG

Synk.io is reporting Vulnerability for this library, One of the dependence library saml@1.0.0 uses xmldom which has Vulnerability.
and also Arbitrary Code Injection from package ejs@3.1.6

Solution: update dependence library saml@1.0.0 to 1.0.1 which is using the latest version of xmldom@0.7.4 and also update ejs@2.5.5 to ejs@3.1.6

Answer 1 · 2022-04-28T03:55:17.000Z

Github Advisory: GHSA-phwq-j96m-2c2q

Answer 2 · 2022-06-30T16:45:32.000Z

SAML Was updated but there's still critical vulnerabilities in ejs@2.5.5 that would be corrected by updating to ejs@3.1.8

Answer 3 · 2022-07-21T20:32:45.000Z

Hi @aaronsegstro. I just submitted a PR bumping ejs to 3.1.8 here #130.