📂 Vulnerable Library - component-compiler-utils-3.3.0.tgz
Lower level utilities for compiling Vue single file components
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-44270 | 🟠 Medium | 5.3 | Not Defined | < 1% | postcss-7.0.39.tgz | Transitive | N/A | ❌ | Reachable |
Details
🟠 CVE-2023-44270
Vulnerable Library - postcss-7.0.39.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.39.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- component-compiler-utils-3.3.0.tgz (Root Library)
  - ❌ postcss-7.0.39.tgz (Vulnerable Library)
- component-compiler-utils-2.6.0.tgz (Root Library)
  - ❌ postcss-7.0.39.tgz (Vulnerable Library)
- optimize-css-assets-webpack-plugin-5.0.8.tgz (Root Library)
  - cssnano-4.1.11.tgz
    - ❌ postcss-7.0.39.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- administration-1.0.0/webpack.config.js (Application)
- optimize-css-assets-webpack-plugin-5.0.8/src/index.js (Extension)
- cssnano-4.1.11/dist/index.js (Extension)
- postcss-7.0.39/lib/postcss.js (Extension)
- postcss-7.0.39/lib/parse.js (Extension)
- postcss-7.0.39/lib/parser.js (Extension)
-> ❌ postcss-7.0.39/lib/tokenize.js (Vulnerable Component)
Vulnerability Details
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: Sep 29, 2023 12:00 AM
URL: CVE-2023-44270
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-7fh5-64p2-3v2j
Release Date: Sep 29, 2023 12:00 AM
Fix Resolution: postcss - 8.4.31