📂 Vulnerable Library - terser-webpack-plugin-5.3.6.tgz
Terser plugin for webpack
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-28154 | 🟣 Critical | 9.3 | Not Defined | 1.4000001% | webpack-5.75.0.tgz | Direct | webpack - 5.76.0 | ✅ | |
Details
🟣CVE-2023-28154
Vulnerable Library - webpack-5.75.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
- ❌ webpack-5.75.0.tgz (Vulnerable Library)
- terser-webpack-plugin-5.3.6.tgz (Root Library)
  - ❌ webpack-5.75.0.tgz (Vulnerable Library)
- webpackbar-5.0.2.tgz (Root Library)
  - ❌ webpack-5.75.0.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.7.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - ❌ webpack-5.75.0.tgz (Vulnerable Library)
- mini-css-extract-plugin-2.7.2.tgz (Root Library)
  - ❌ webpack-5.75.0.tgz (Vulnerable Library)
Vulnerability Details
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Publish Date: Mar 13, 2023 12:00 AM
URL: CVE-2023-28154
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.4000001%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-hc6q-2mpp-qw7j
Release Date: Mar 13, 2023 12:00 AM
Fix Resolution: webpack - 5.76.0