potential security vulnerability

[ranjit-git]

@Bottelet
A potential security vulnerability has been disclosed for this repo .
Plz visit report url https://huntr.dev/bounties/5-other-Bottelet/DaybydayCRM/ to validate the bug .
This bug has been opened for long time

[ptaylor2]

Have these bugs been fixed. Running Ubuntu 20.x

npm audit fix --force

Run npm audit for details.
apps:/var/www/apps.professionalsoftwaredevelopment.com/projectmanager# npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit fix [email protected] node_modules/fsevents/node_modules/minimatch
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/fsevents/node_modules/rc/node_modules/minimist
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/fsevents/node_modules/minimist
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/fsevents/node_modules/tar
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/fsevents/node_modules/mkdirp
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit Updating axios to 1.1.3, which is a SemVer major change.
npm WARN audit Updating laravel-mix to 6.0.49, which is a SemVer major change.

added 346 packages, removed 285 packages, changed 359 packages, and audited 1131 packages in 18s

86 packages are looking for funding
run npm fund for details

npm audit report

glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - GHSA-ww39-953v-wcq6
fix available via npm audit fix
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/chokidar
watchpack 0.2.2 - 1.6.1
Depends on vulnerable versions of chokidar
node_modules/watchpack

loader-utils <=1.4.1
Severity: critical
Prototype pollution in webpack loader-utils - GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-hhq3-ff78-jv3g
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/loader-utils
resolve-url-loader 1.0.3 - 2.0.0 || 3.0.1 - 4.0.0-beta.2
Depends on vulnerable versions of loader-utils
node_modules/resolve-url-loader

minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - GHSA-f8q6-p94x-37v3
fix available via npm audit fix
node_modules/minimatch

minimist <=1.2.5
Severity: critical
Prototype Pollution in minimist - GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
fix available via npm audit fix
node_modules/minimist
node_modules/rc/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp

tar <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - GHSA-r628-mhmh-qjhw
fix available via npm audit fix
node_modules/tar

9 vulnerabilities (1 moderate, 5 high, 3 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force

npm audit report

glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - GHSA-ww39-953v-wcq6
fix available via npm audit fix
node_modules/watchpack-chokidar2/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack

4 high severity vulnerabilities

To address all issues, run:
npm audit fix