apostrophe 2.96.1 vulnerabilities

Known vulnerabilities in the apostrophe package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which is triggered once the image module that an editor uploaded as SVG file which contains malicious JavaScript, is viewed. How to fix Cross-site Scripting (XSS)? Upgrade `apostrophe` to version 3.4.0 or higher.	>=2.63.0 <3.4.0
H Insufficient Session Expiration apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerable to Insufficient Session Expiration which allows unauthenticated remote attackers to hijack recently logged-in users' sessions. Note: this only works if user switch locales after cutting. How to fix Insufficient Session Expiration? Upgrade `apostrophe` to version 3.4.0 or higher.	>=2.63.0 <3.4.0
H Denial of Service (DoS) apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerable to Denial of Service (DoS). The `apostrophe-jobs` module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust system memory. How to fix Denial of Service (DoS)? Upgrade `apostrophe` to version 2.97.1 or higher.	<2.97.1

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which is triggered once the image module that an editor uploaded as SVG file which contains malicious JavaScript, is viewed.

How to fix Cross-site Scripting (XSS)?

Upgrade apostrophe to version 3.4.0 or higher.

>=2.63.0 <3.4.0

Insufficient Session Expiration

Affected versions of this package are vulnerable to Insufficient Session Expiration which allows unauthenticated remote attackers to hijack recently logged-in users' sessions.

Note: this only works if user switch locales after cutting.

How to fix Insufficient Session Expiration?

Upgrade apostrophe to version 3.4.0 or higher.

>=2.63.0 <3.4.0

Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS). The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust system memory.

How to fix Denial of Service (DoS)?

Upgrade apostrophe to version 2.97.1 or higher.

<2.97.1

apostrophe@2.96.1 vulnerabilities

The Apostrophe Content Management System.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?