apostrophe@2.76.0 vulnerabilities

The Apostrophe Content Management System.

  • latest version

    4.10.0

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    24 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the apostrophe package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Scripting (XSS)

    apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which is triggered once the image module that an editor uploaded as SVG file which contains malicious JavaScript, is viewed.

    How to fix Cross-site Scripting (XSS)?

    Upgrade apostrophe to version 3.4.0 or higher.

    >=2.63.0 <3.4.0
    • H
    Insufficient Session Expiration

    apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS.

    Affected versions of this package are vulnerable to Insufficient Session Expiration which allows unauthenticated remote attackers to hijack recently logged-in users' sessions.

    Note: this only works if user switch locales after cutting.

    How to fix Insufficient Session Expiration?

    Upgrade apostrophe to version 3.4.0 or higher.

    >=2.63.0 <3.4.0
    • H
    Denial of Service (DoS)

    apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS.

    Affected versions of this package are vulnerable to Denial of Service (DoS). The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust system memory.

    How to fix Denial of Service (DoS)?

    Upgrade apostrophe to version 2.97.1 or higher.

    <2.97.1
    • M
    Open Redirect

    apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS.

    Affected versions of this package are vulnerable to Open Redirect. It was possible to convince Apostrophe to redirect to a third-party website by appending an escaped URL with a trailing / added at the end.

    How to fix Open Redirect?

    Upgrade apostrophe to version 2.92.0 or higher.

    <2.92.0