[Snyk] Upgrade react-native-screens from 3.10.2 to 3.31.1 #87

Summary

8 security issue(s)
- High : 5
- Medium : 0
- Low : 3

NShiftKey

Potential command injection

Description : Attacker could use eval() method to execute arbitrary code

Countermeasure : The eval() method that could be exploited by an attacker should not be used within the script or should be used, the context should be checked for security.

Target Code : abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/bootstrap/dom-event-handlers.js [view change history] [ignore this]

abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/bootstrap/dom-event-handlers.js

Lines 45 to 47 in decc254

var scriptClass = eval(scriptClassName);

if (!scriptClass) {

Target Code : abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js [view change history] [ignore this]

abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js

Lines 153 to 155 in decc254

    
           for (i = 0; i < names.length; i++) { 
        
               if (eval('!' + objName + '[' + getNames(i, '' + namesName + '') + ']')) { 
        
                   eval('' + objName + '[' + getNames(i, '' + namesName + '') + '] = {}');

Target Code : abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js [view change history] [ignore this]

abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js

Lines 154 to 156 in decc254

    
           if (eval('!' + objName + '[' + getNames(i, '' + namesName + '') + ']')) { 
        
               eval('' + objName + '[' + getNames(i, '' + namesName + '') + '] = {}'); 
        
           }

Target Code : abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js [view change history] [ignore this]

abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js

Lines 158 to 160 in decc254

    
           if ($.isEmptyObject(eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + ']'))) { 
        
               eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + '] = ' + xName + '.value');

Target Code : abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js [view change history] [ignore this]

abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js

Lines 159 to 161 in decc254

    
           if ($.isEmptyObject(eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + ']'))) { 
        
               eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + '] = ' + xName + '.value'); 
        
           }

Potential JS Security Warning (dangerouslySetInnerHTML)
- Description : Potentially exploitable by XSS
- Countermeasure : To prevent XSS attacks, do not use dangerouslySetInnerHTML to enable HTML tag rendering.
  - Target Code : abp/modules/cms-kit/host/Volo.CmsKit.Web.Unified/wwwroot/libs/uppy/uppy.js [view change history] [ignore this]
    https://github.com/2lambda123/abp/blob/decc2544db25193dfdc1c4eb1f04a93950b1c39c/modules/cms-kit/host/Volo.CmsKit.Web.Unified/wwwroot/libs/uppy/uppy.js#L17118-L17120
  - Target Code : abp/modules/cms-kit/host/Volo.CmsKit.Web.Unified/wwwroot/libs/uppy/uppy.js [view change history] [ignore this]
    https://github.com/2lambda123/abp/blob/decc2544db25193dfdc1c4eb1f04a93950b1c39c/modules/cms-kit/host/Volo.CmsKit.Web.Unified/wwwroot/libs/uppy/uppy.js#L17198-L17200

Information exposure

Description : If password is hardcoded in the source code, it can be leaked

Countermeasure : Do not hard-code important information in code, but encrypt and manage it in a safe place. For more information, see the link below: https://naver-security.github.io/nshiftkey-rule-guides/Password_Hardcoded_eng

Target Code : abp/npm/verdaccio-containers/publish-packages/entrypoint.sh [view change history] [ignore this]

abp/npm/verdaccio-containers/publish-packages/entrypoint.sh

Lines 13 to 15 in decc254


	curl -XPUT -H "Content-type: application/json" -d '{ "name": "volo", "password": "123456", "email": "[email protected]" }' 'verdaccio:4873/-/user/org.couchdb.user:your_username'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Upgrade react-native-screens from 3.10.2 to 3.31.1 #87

[Snyk] Upgrade react-native-screens from 3.10.2 to 3.31.1 #87

Summary

Details

NShiftKey

Potential command injection

Potential JS Security Warning (dangerouslySetInnerHTML)

Information exposure

Re-running checks...

	for (i = 0; i < names.length; i++) {
	if (eval('!' + objName + '[' + getNames(i, '' + namesName + '') + ']')) {
	eval('' + objName + '[' + getNames(i, '' + namesName + '') + '] = {}');


	if ($.isEmptyObject(eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + ']'))) {
	eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + '] = ' + xName + '.value');


	var scriptClass = eval(scriptClassName);
	if (!scriptClass) {

[Snyk] Upgrade react-native-screens from 3.10.2 to 3.31.1 #87

fix: upgrade react-native-screens from 3.10.2 to 3.31.1

[Snyk] Upgrade react-native-screens from 3.10.2 to 3.31.1 #87

Summary

Details

NShiftKey

Potential command injection

Potential JS Security Warning (dangerouslySetInnerHTML)

Information exposure

Re-running checks...