Two dependencies have a potential security risk. #198
Comments
@outline4 I’d push back on your host and ask why those got flagged. I can’t find any CVEs (https://cve.mitre.org/) related to the libraries, along with anything in their changelogs or security advisories (https://github.com/tinify/tinify-php/security/advisories). And the files they reference both look pretty innocent: https://github.com/tinify/tinify-php/blob/master/test/integration.php
Hi,
After upgrading a site to craft 4 and imager-x, my hoster sent me a list of possible security risks.
.../vendor/ksubileau/color-thief-php/src/ColorThief/Image/Adapter/AbstractAdapter.php
Known exploit = [Fingerprint Match (fp)] [PHP Exploit [P2128]]
.../vendor/tinify/tinify/test/integration.php
Known exploit = [Fingerprint Match (fp)] [PHP RFI Exploit [P2060]]
Craft support told me to verify the dependencies and both files are related to imager-x:
spacecatninja/imager-x 4.1.9.1 requires ksubileau/color-thief-php (^1.3|^2.0)
spacecatninja/imager-x 4.1.9.1 requires tinify/tinify (>=1.1.1)
The first one is more severe than the second one.
I had to change passwords and he had to delete the files.
The site seems to be running fine.
Could you please look into this?
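One way to settle a "fingerprint match" like the two above is to check whether the flagged vendor files are still byte-identical to the published package release: if they match, the hit is a signature false positive to raise with the host; if they differ, something changed the file after install and it deserves a real look. The script below is an added example, not code from imager-x, tinify or color-thief-php. It resolves each flagged path to its owning Composer package via `vendor/composer/installed.json`, hashes the file, and compares it with a reference hash taken from a pristine copy of the same package version (for instance a fresh `composer install` in a scratch directory). The package versions and file contents in the fixture are constructed placeholders; only the two file paths come from the issue.

```python
"""Triage malware-scanner hits on Composer vendor files by comparing them to the release.

Added example (not project code). Reference hashes are expected to come from a
pristine install of the same package version; here they are constructed in a fixture.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_installed(vendor: Path) -> dict:
    """Map package name -> (version, absolute install path) from installed.json."""
    data = json.loads((vendor / "composer" / "installed.json").read_text())
    packages = data["packages"] if isinstance(data, dict) else data  # Composer 2 vs 1 layout
    out = {}
    for p in packages:
        rel = p.get("install-path")  # Composer 2 records this relative to vendor/composer
        root = (vendor / "composer" / rel) if rel else (vendor / p["name"])
        out[p["name"]] = (p["version"], root.resolve())
    return out


def owner_of(flagged: Path, installed: dict):
    """Return (name, version, root) of the package whose tree contains the flagged file."""
    flagged = flagged.resolve()
    for name, (version, root) in installed.items():
        try:
            flagged.relative_to(root)
            return name, version, root
        except ValueError:
            continue
    return None


def triage(vendor: Path, flagged_paths, reference_hashes: dict) -> list:
    """Classify each flagged file as matches-release, modified, no-reference or unowned."""
    installed = load_installed(vendor)
    results = []
    for raw in flagged_paths:
        p = Path(raw)
        owner = owner_of(p, installed)
        if owner is None:
            results.append({"path": raw, "verdict": "not-owned-by-composer"})
            continue
        name, version, root = owner
        rel = p.resolve().relative_to(root).as_posix()
        ref = reference_hashes.get(f"{name}@{version}:{rel}")
        local = sha256_of(p)
        if ref is None:
            verdict = "no-reference"
        elif ref == local:
            verdict = "matches-release"  # identical to the published package: likely a scanner false positive
        else:
            verdict = "modified"  # changed after install: treat as a real finding
        results.append({"path": raw, "package": name, "version": version, "file": rel, "verdict": verdict})
    return results


def demo() -> list:
    """Constructed fixture: a throwaway vendor/ tree with the two files named in the issue."""
    vendor = Path(tempfile.mkdtemp()) / "vendor"
    (vendor / "composer").mkdir(parents=True)
    files = {  # package -> flagged file (paths from the issue; versions are placeholders)
        "tinify/tinify": "test/integration.php",
        "ksubileau/color-thief-php": "src/ColorThief/Image/Adapter/AbstractAdapter.php",
    }
    version = "0.0.0-placeholder"
    for pkg, rel in files.items():
        f = vendor / pkg / rel
        f.parent.mkdir(parents=True)
        f.write_text(f"<?php // pristine release content of {pkg} {rel}\n")
    installed = {"packages": [
        {"name": pkg, "version": version, "install-path": f"../{pkg}"} for pkg in files
    ]}
    (vendor / "composer" / "installed.json").write_text(json.dumps(installed))
    # Reference hashes as they would be computed from a pristine install of the same versions
    reference = {f"{pkg}@{version}:{rel}": sha256_of(vendor / pkg / rel) for pkg, rel in files.items()}
    # Simulate a post-install modification of one of the two files
    (vendor / "ksubileau/color-thief-php" / files["ksubileau/color-thief-php"]).write_text("<?php // tampered\n")
    return triage(vendor, [str(vendor / pkg / rel) for pkg, rel in files.items()], reference)


if __name__ == "__main__":
    for r in demo():
        print(r["verdict"], r["path"])
```

In a real run, replace `demo()`'s fixture with the site's own `vendor/` directory and a reference map built by hashing the same package versions from a clean `composer install`; a `matches-release` verdict for `test/integration.php` is the evidence to hand back to the host alongside the empty CVE and advisory search.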