
CVE-2023-2583: release extensions 3.11.3 · jsreport/jsreport@afaff38

Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3.


2 changes: 1 addition & 1 deletion packages/browser-client/package.json


@@ -32,7 +32,7 @@

"devDependencies": {

"@jsreport/jsreport-authentication": "3.4.0",

"@jsreport/jsreport-chrome-pdf": "3.3.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@rollup/plugin-commonjs": "21.0.0",

"@rollup/plugin-node-resolve": "13.0.5",


2 changes: 1 addition & 1 deletion packages/compile/package.json


@@ -39,7 +39,7 @@

},

"devDependencies": {

"@jsreport/jsreport-cli": "3.2.3",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"fs-extra": "2.1.2",

"mocha": "3.2.0",

"should": "11.2.1",


2 changes: 1 addition & 1 deletion packages/jsreport-assets/package.json


@@ -41,7 +41,7 @@

"strip-bom-buf": “2.0.0”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/jsreport-jsrender": "3.0.0",


2 changes: 1 addition & 1 deletion packages/jsreport-authentication/package.json


@@ -41,7 +41,7 @@

"password-hash": “1.2.2”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/studio-dev": "3.2.1",

"express": "4.18.2",


2 changes: 1 addition & 1 deletion packages/jsreport-authorization/package.json


@@ -34,7 +34,7 @@

},

"devDependencies": {

"@jsreport/jsreport-authentication": "3.4.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-fs-store": "3.2.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "5.2.0",


4 changes: 2 additions & 2 deletions packages/jsreport-azure-storage/package.json


@@ -25,7 +25,7 @@

"@azure/storage-blob": “12.5.0”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"mocha": "8.3.2",

"should": "13.2.3",

"standard": “16.0.4”


@@ -39,4 +39,4 @@

"node": true

}

}

}

}

2 changes: 1 addition & 1 deletion packages/jsreport-base/package.json


@@ -26,7 +26,7 @@

},

"dependencies": {},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"mocha": "5.1.1",

"should": "13.2.1",

"standard": “16.0.4”


2 changes: 1 addition & 1 deletion packages/jsreport-browser-client/package.json


@@ -33,7 +33,7 @@

},

"devDependencies": {

"@jsreport/studio-dev": "3.2.1",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/jsreport-handlebars": "3.2.1",

"mocha": "9.1.2",


2 changes: 1 addition & 1 deletion packages/jsreport-child-templates/package.json


@@ -30,7 +30,7 @@

"node.extend.without.arrays": “1.1.6”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/jsreport-jsrender": "3.0.0",

"handlebars": "4.7.7",


2 changes: 1 addition & 1 deletion packages/jsreport-chrome-pdf/package.json


@@ -31,7 +31,7 @@

"lodash.get": “4.4.2”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/studio-dev": "3.2.1",

"handlebars": "4.7.7",


2 changes: 1 addition & 1 deletion packages/jsreport-cli/package.json


@@ -71,7 +71,7 @@

},

"devDependencies": {

"@jsreport/jsreport-authentication": "3.4.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/jsreport-fs-store": "3.2.4",

"@jsreport/jsreport-handlebars": "3.2.1",


2 changes: 1 addition & 1 deletion packages/jsreport-components/package.json


@@ -35,7 +35,7 @@

},

"devDependencies": {

"@jsreport/jsreport-assets": "3.6.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/jsreport-jsrender": "3.0.0",

"@jsreport/studio-dev": "3.2.1",


11 changes: 11 additions & 0 deletions packages/jsreport-core/README.md


@@ -282,6 +282,17 @@ jsreport.documentStore.collection(‘templates’)

## Changelog

### 3.11.4

- update unset-value to fix security issue

### 3.11.3

- update vm2 to fix security issue

- automatically disable full profiling after some time to avoid performance degradation

- improvements to full profile serialization (prevent blocking)

- fix profiles cleaning and calculate timeout in beforeRender

### 3.11.2

- add `options.onReqReady` to be able to receive the parsed req values


4 changes: 2 additions & 2 deletions packages/jsreport-core/package.json

@@ -1,6 +1,6 @@

{

"name": "@jsreport/jsreport-core",

"version": "3.11.2",

"version": "3.11.4",

"description": "javascript based business reporting",

"keywords": [

"report",


@@ -69,7 +69,7 @@

"serializator": "1.0.2",

"stack-trace": "0.0.10",

"triple-beam": "1.3.0",

"unset-value": "1.0.0",

"unset-value": "2.0.1",

"uuid": "8.3.2",

"vm2": "3.9.17",

"winston": "3.8.1",

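Review bot: The context line `"vm2": "3.9.17"` in this hunk keeps vm2 as an exact pin, which is the same hard-coded pattern the linked advisory names as the reason jsreport-core shipped a vulnerable vm2 in the first place; an exact pin is defensible alongside a lockfile, but it means consumers only receive a future vm2 fix when jsreport-core itself is republished, so that re-release path should be documented as the expected response to vm2 advisories. The `unset-value` bump from `"1.0.0"` to `"2.0.1"` crosses a major version and this diff shows no accompanying code or test change, so it is worth confirming that the call sites in jsreport-core behave the same under 2.x. The README entries for 3.11.3 and 3.11.4 only say "fix security issue"; naming the advisory or CVE next to each entry, e.g. `- update unset-value to 2.0.1 to fix a security issue (see advisory <ID>)`, lets downstream scanners and operators map the release to what it patches. The `dependencies` object continues outside the hunk.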

2 changes: 1 addition & 1 deletion packages/jsreport-data/package.json


@@ -29,7 +29,7 @@

},

"dependencies": {},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/studio-dev": "3.2.1",

"handlebars": "4.7.7",


2 changes: 1 addition & 1 deletion packages/jsreport-docker-workers/package.json


@@ -29,7 +29,7 @@

"devDependencies": {

"@jsreport/jsreport-authentication": "3.4.0",

"@jsreport/jsreport-chrome-pdf": "3.3.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/jsreport-fs-store": "3.2.4",

"@jsreport/jsreport-handlebars": "3.2.1",


4 changes: 4 additions & 0 deletions packages/jsreport-docx/README.md


@@ -7,6 +7,10 @@ See the documentation https://jsreport.net/learn/docx

Changelog

3.7.1

- fix docx rendering with handlebars partials

3.7.0

- fix `template.docx.templateAsset` from payload not overwriting the `template.docx.templateAssetShortid`


4 changes: 2 additions & 2 deletions packages/jsreport-docx/package.json

@@ -1,6 +1,6 @@

{

"name": "@jsreport/jsreport-docx",

"version": "3.7.0",

"version": "3.7.1",

"description": "jsreport recipe rendering docx files",

"keywords": [

"jsreport",


@@ -51,7 +51,7 @@

},

"devDependencies": {

"@jsreport/jsreport-assets": "3.6.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/studio-dev": "3.2.1",

"handlebars": "4.7.7",


2 changes: 1 addition & 1 deletion packages/jsreport-docxtemplater/package.json


@@ -38,7 +38,7 @@

},

"devDependencies": {

"@jsreport/jsreport-assets": "3.6.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "6.1.4",

"should": "13.2.3",


2 changes: 1 addition & 1 deletion packages/jsreport-ejs/package.json


@@ -34,7 +34,7 @@

"node.extend.without.arrays": “1.1.6”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "5.2.0",

"should": "13.2.3",


2 changes: 1 addition & 1 deletion packages/jsreport-electron-pdf/package.json


@@ -32,7 +32,7 @@

"stream-to-array": “2.3.0”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"in-publish": "2.0.1",

"mocha": "8.3.2",


2 changes: 1 addition & 1 deletion packages/jsreport-express/package.json


@@ -40,7 +40,7 @@

"yauzl": “2.10.0”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-jsrender": "3.0.0",

"@jsreport/jsreport-scripts": "3.4.1",

"@jsreport/studio-dev": "3.2.1",


2 changes: 1 addition & 1 deletion packages/jsreport-freeze/package.json


@@ -28,7 +28,7 @@

},

"dependencies": {},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "5.0.5",

"should": "13.2.1",


2 changes: 1 addition & 1 deletion packages/jsreport-fs-store/package.json


@@ -41,7 +41,7 @@

"socket.io": “4.5.4”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/studio-dev": "3.2.1",

"del": "6.0.0",


2 changes: 1 addition & 1 deletion packages/jsreport-handlebars/package.json


@@ -24,7 +24,7 @@

"test": “mocha test --timeout=5000 && standard”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"handlebars": "4.7.7",

"mocha": "5.0.1",


2 changes: 1 addition & 1 deletion packages/jsreport-html-embedded-in-docx/package.json


@@ -30,7 +30,7 @@

"node.extend.without.arrays": “1.1.6”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "6.1.4",

"should": "13.2.3",


2 changes: 1 addition & 1 deletion packages/jsreport-html-to-text/package.json


@@ -34,7 +34,7 @@

"node.extend.without.arrays": “1.1.6”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "8.2.1",

"should": "13.2.3",


2 changes: 1 addition & 1 deletion packages/jsreport-html-to-xlsx/package.json


@@ -43,7 +43,7 @@

"phantom-page-eval": “2.0.1”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/studio-dev": "3.2.1",

"handlebars": "4.7.7",


2 changes: 1 addition & 1 deletion packages/jsreport-import-export/package.json


@@ -44,7 +44,7 @@

"@jsreport/jsreport-authentication": "3.4.0",

"@jsreport/jsreport-authorization": "3.3.0",

"@jsreport/jsreport-cli": "3.2.3",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-data": "3.1.0",

"@jsreport/jsreport-express": "3.7.1",

"@jsreport/jsreport-fs-store": "3.2.4",


2 changes: 1 addition & 1 deletion packages/jsreport-jsrender/package.json


@@ -25,7 +25,7 @@

"jsrender": “1.0.11”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"mocha": "5.0.1",

"should": "13.2.1",

"standard": “16.0.4”


2 changes: 1 addition & 1 deletion packages/jsreport-licensing/package.json


@@ -29,7 +29,7 @@

"axios": “0.23.0”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "7.2.0",

"should": "13.2.3",


2 changes: 1 addition & 1 deletion packages/jsreport-localization/package.json


@@ -34,7 +34,7 @@

"devDependencies": {

"handlebars": "4.7.7",

"@jsreport/jsreport-assets": "3.6.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-components": "3.3.0",

"@jsreport/jsreport-child-templates": "3.1.0",

"@jsreport/jsreport-handlebars": "3.2.1",


2 changes: 1 addition & 1 deletion packages/jsreport-mongodb-store/package.json


@@ -26,7 +26,7 @@

"mongodb": “5.1.0”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"cross-env": "6.0.3",

"mocha": "5.2.0",

"should": "13.2.3",


2 changes: 1 addition & 1 deletion packages/jsreport-mssql-store/package.json


@@ -23,7 +23,7 @@

"semaphore-async-await": “1.5.1”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"mocha": "8.3.2",

"should": "13.2.3",

"standard": “16.0.4”


2 changes: 1 addition & 1 deletion packages/jsreport-npm/package.json


@@ -27,7 +27,7 @@

"enhanced-resolve": “5.8.3”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"mocha": "9.0.3",

"moment": "2.29.4",


2 changes: 1 addition & 1 deletion packages/jsreport-office-password/package.json


@@ -40,7 +40,7 @@

"xlsx-populate": “1.21.0”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-html-to-xlsx": "3.3.1",

"@jsreport/studio-dev": "3.2.1",

"mocha": "7.0.0",


2 changes: 1 addition & 1 deletion packages/jsreport-oracle-store/package.json


@@ -21,7 +21,7 @@

"@jsreport/sql-store": “3.1.1”

},

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"mocha": "8.3.2",

"should": "13.2.3",

"standard": “16.0.4”


2 changes: 1 addition & 1 deletion packages/jsreport-pdf-utils/package.json


@@ -45,7 +45,7 @@

"@jsreport/jsreport-assets": "3.6.0",

"@jsreport/jsreport-child-templates": "3.1.0",

"@jsreport/jsreport-chrome-pdf": "3.3.0",

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/jsreport-handlebars": "3.2.1",

"@jsreport/jsreport-jsrender": "3.0.0",

"@jsreport/jsreport-scripts": "3.4.1",


2 changes: 1 addition & 1 deletion packages/jsreport-phantom-image/package.json


@@ -35,7 +35,7 @@

},

"author": "Jan Blaha",

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "5.0.5",

"should": "13.2.3",


2 changes: 1 addition & 1 deletion packages/jsreport-phantom-pdf/package.json


@@ -25,7 +25,7 @@

},

"author": "Jan Blaha",

"devDependencies": {

"@jsreport/jsreport-core": "3.11.2",

"@jsreport/jsreport-core": "3.11.4",

"@jsreport/studio-dev": "3.2.1",

"mocha": "5.2.0",

"phantomjs-exact-2-1-1": "0.1.0",


Related news

GHSA-g7rj-q722-245g: jsreport vulnerable to code injection

jsreport prior to 3.11.3 pinned a version of vm2 vulnerable to CVE-2023-29017 in the package.json of the jsreport-core component. An attacker can use this to take control of the jsreport playground server, or craft a malicious web page/HTML file and send it to a user in order to attack that user's local jsreport installation.
