Headline
CVE-2023-2583: release extensions 3.11.3 · jsreport/jsreport@afaff38
Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3.
2 changes: 1 addition & 1 deletion packages/browser-client/package.json
@@ -32,7 +32,7 @@
"devDependencies": {
"@jsreport/jsreport-authentication": "3.4.0",
"@jsreport/jsreport-chrome-pdf": "3.3.0",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-express": "3.7.1",
"@rollup/plugin-commonjs": "21.0.0",
"@rollup/plugin-node-resolve": "13.0.5",
2 changes: 1 addition & 1 deletion packages/compile/package.json
@@ -39,7 +39,7 @@
},
"devDependencies": {
"@jsreport/jsreport-cli": "3.2.3",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"fs-extra": "2.1.2",
"mocha": "3.2.0",
"should": "11.2.1",
2 changes: 1 addition & 1 deletion packages/jsreport-assets/package.json
@@ -41,7 +41,7 @@
"strip-bom-buf": “2.0.0”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-express": "3.7.1",
"@jsreport/jsreport-handlebars": "3.2.1",
"@jsreport/jsreport-jsrender": "3.0.0",
2 changes: 1 addition & 1 deletion packages/jsreport-authentication/package.json
@@ -41,7 +41,7 @@
"password-hash": “1.2.2”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-express": "3.7.1",
"@jsreport/studio-dev": "3.2.1",
"express": "4.18.2",
2 changes: 1 addition & 1 deletion packages/jsreport-authorization/package.json
@@ -34,7 +34,7 @@
},
"devDependencies": {
"@jsreport/jsreport-authentication": "3.4.0",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-fs-store": "3.2.4",
"@jsreport/studio-dev": "3.2.1",
"mocha": "5.2.0",
4 changes: 2 additions & 2 deletions packages/jsreport-azure-storage/package.json
@@ -25,7 +25,7 @@
"@azure/storage-blob": “12.5.0”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"mocha": "8.3.2",
"should": "13.2.3",
"standard": “16.0.4”
@@ -39,4 +39,4 @@
"node": true
}
}
}
}
2 changes: 1 addition & 1 deletion packages/jsreport-base/package.json
@@ -26,7 +26,7 @@
},
"dependencies": {},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"mocha": "5.1.1",
"should": "13.2.1",
"standard": “16.0.4”
2 changes: 1 addition & 1 deletion packages/jsreport-browser-client/package.json
@@ -33,7 +33,7 @@
},
"devDependencies": {
"@jsreport/studio-dev": "3.2.1",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-express": "3.7.1",
"@jsreport/jsreport-handlebars": "3.2.1",
"mocha": "9.1.2",
2 changes: 1 addition & 1 deletion packages/jsreport-child-templates/package.json
@@ -30,7 +30,7 @@
"node.extend.without.arrays": “1.1.6”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-handlebars": "3.2.1",
"@jsreport/jsreport-jsrender": "3.0.0",
"handlebars": "4.7.7",
2 changes: 1 addition & 1 deletion packages/jsreport-chrome-pdf/package.json
@@ -31,7 +31,7 @@
"lodash.get": “4.4.2”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-handlebars": "3.2.1",
"@jsreport/studio-dev": "3.2.1",
"handlebars": "4.7.7",
2 changes: 1 addition & 1 deletion packages/jsreport-cli/package.json
@@ -71,7 +71,7 @@
},
"devDependencies": {
"@jsreport/jsreport-authentication": "3.4.0",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-express": "3.7.1",
"@jsreport/jsreport-fs-store": "3.2.4",
"@jsreport/jsreport-handlebars": "3.2.1",
2 changes: 1 addition & 1 deletion packages/jsreport-components/package.json
@@ -35,7 +35,7 @@
},
"devDependencies": {
"@jsreport/jsreport-assets": "3.6.0",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-handlebars": "3.2.1",
"@jsreport/jsreport-jsrender": "3.0.0",
"@jsreport/studio-dev": "3.2.1",
11 changes: 11 additions & 0 deletions packages/jsreport-core/README.md
@@ -282,6 +282,17 @@ jsreport.documentStore.collection(‘templates’)
## Changelog
### 3.11.4
- update unset-value to fix security issue
### 3.11.3
- update vm2 to fix security issue
- automatically disable full profiling after some time to avoid performance degradation
- improvements to full profile serialization (prevent blocking)
- fix profiles cleaning and calculate timeout in beforeRender
### 3.11.2
- add `options.onReqReady` to be able to receive the parsed req values
4 changes: 2 additions & 2 deletions packages/jsreport-core/package.json
@@ -1,6 +1,6 @@
{
"name": "@jsreport/jsreport-core",
"version": "3.11.2",
"version": "3.11.4",
"description": "javascript based business reporting",
"keywords": [
"report",
@@ -69,7 +69,7 @@
"serializator": "1.0.2",
"stack-trace": "0.0.10",
"triple-beam": "1.3.0",
"unset-value": "1.0.0",
"unset-value": "2.0.1",
"uuid": "8.3.2",
"vm2": "3.9.17",
"winston": "3.8.1",
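Review bot: The `unset-value` change from `1.0.0` to `2.0.1` in the second hunk crosses a major version, and no section shown on this page touches the code that calls it or adds a test, so it is unverified here that the 2.x API still behaves as jsreport-core's call sites expect. I would pair the bump with a regression test around those call sites (they are outside this page) before treating it as a drop-in security fix. Every entry in this block is an exact pin, including the unchanged `"vm2": "3.9.17"` context line, so consumers only receive a later sandbox or dependency fix through a new jsreport-core release; after upgrading, confirm what actually resolved with `npm ls unset-value vm2`. The enclosing object starts and ends outside the hunk.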
2 changes: 1 addition & 1 deletion packages/jsreport-data/package.json
@@ -29,7 +29,7 @@
},
"dependencies": {},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-handlebars": "3.2.1",
"@jsreport/studio-dev": "3.2.1",
"handlebars": "4.7.7",
2 changes: 1 addition & 1 deletion packages/jsreport-docker-workers/package.json
@@ -29,7 +29,7 @@
"devDependencies": {
"@jsreport/jsreport-authentication": "3.4.0",
"@jsreport/jsreport-chrome-pdf": "3.3.0",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-express": "3.7.1",
"@jsreport/jsreport-fs-store": "3.2.4",
"@jsreport/jsreport-handlebars": "3.2.1",
4 changes: 4 additions & 0 deletions packages/jsreport-docx/README.md
@@ -7,6 +7,10 @@ See the documentation https://jsreport.net/learn/docx
Changelog
3.7.1
- fix docx rendering with handlebars partials
3.7.0
- fix `template.docx.templateAsset` from payload not overwriting the `template.docx.templateAssetShortid`
4 changes: 2 additions & 2 deletions packages/jsreport-docx/package.json
@@ -1,6 +1,6 @@
{
"name": "@jsreport/jsreport-docx",
"version": "3.7.0",
"version": "3.7.1",
"description": "jsreport recipe rendering docx files",
"keywords": [
"jsreport",
@@ -51,7 +51,7 @@
},
"devDependencies": {
"@jsreport/jsreport-assets": "3.6.0",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-handlebars": "3.2.1",
"@jsreport/studio-dev": "3.2.1",
"handlebars": "4.7.7",
2 changes: 1 addition & 1 deletion packages/jsreport-docxtemplater/package.json
@@ -38,7 +38,7 @@
},
"devDependencies": {
"@jsreport/jsreport-assets": "3.6.0",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/studio-dev": "3.2.1",
"mocha": "6.1.4",
"should": "13.2.3",
2 changes: 1 addition & 1 deletion packages/jsreport-ejs/package.json
@@ -34,7 +34,7 @@
"node.extend.without.arrays": “1.1.6”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/studio-dev": "3.2.1",
"mocha": "5.2.0",
"should": "13.2.3",
2 changes: 1 addition & 1 deletion packages/jsreport-electron-pdf/package.json
@@ -32,7 +32,7 @@
"stream-to-array": “2.3.0”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/studio-dev": "3.2.1",
"in-publish": "2.0.1",
"mocha": "8.3.2",
2 changes: 1 addition & 1 deletion packages/jsreport-express/package.json
@@ -40,7 +40,7 @@
"yauzl": “2.10.0”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-jsrender": "3.0.0",
"@jsreport/jsreport-scripts": "3.4.1",
"@jsreport/studio-dev": "3.2.1",
2 changes: 1 addition & 1 deletion packages/jsreport-freeze/package.json
@@ -28,7 +28,7 @@
},
"dependencies": {},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/studio-dev": "3.2.1",
"mocha": "5.0.5",
"should": "13.2.1",
2 changes: 1 addition & 1 deletion packages/jsreport-fs-store/package.json
@@ -41,7 +41,7 @@
"socket.io": “4.5.4”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-express": "3.7.1",
"@jsreport/studio-dev": "3.2.1",
"del": "6.0.0",
2 changes: 1 addition & 1 deletion packages/jsreport-handlebars/package.json
@@ -24,7 +24,7 @@
"test": “mocha test --timeout=5000 && standard”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/studio-dev": "3.2.1",
"handlebars": "4.7.7",
"mocha": "5.0.1",
2 changes: 1 addition & 1 deletion packages/jsreport-html-embedded-in-docx/package.json
@@ -30,7 +30,7 @@
"node.extend.without.arrays": “1.1.6”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/studio-dev": "3.2.1",
"mocha": "6.1.4",
"should": "13.2.3",
2 changes: 1 addition & 1 deletion packages/jsreport-html-to-text/package.json
@@ -34,7 +34,7 @@
"node.extend.without.arrays": “1.1.6”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/studio-dev": "3.2.1",
"mocha": "8.2.1",
"should": "13.2.3",
2 changes: 1 addition & 1 deletion packages/jsreport-html-to-xlsx/package.json
@@ -43,7 +43,7 @@
"phantom-page-eval": “2.0.1”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-handlebars": "3.2.1",
"@jsreport/studio-dev": "3.2.1",
"handlebars": "4.7.7",
2 changes: 1 addition & 1 deletion packages/jsreport-import-export/package.json
@@ -44,7 +44,7 @@
"@jsreport/jsreport-authentication": "3.4.0",
"@jsreport/jsreport-authorization": "3.3.0",
"@jsreport/jsreport-cli": "3.2.3",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-data": "3.1.0",
"@jsreport/jsreport-express": "3.7.1",
"@jsreport/jsreport-fs-store": "3.2.4",
2 changes: 1 addition & 1 deletion packages/jsreport-jsrender/package.json
@@ -25,7 +25,7 @@
"jsrender": “1.0.11”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"mocha": "5.0.1",
"should": "13.2.1",
"standard": “16.0.4”
2 changes: 1 addition & 1 deletion packages/jsreport-licensing/package.json
@@ -29,7 +29,7 @@
"axios": “0.23.0”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/studio-dev": "3.2.1",
"mocha": "7.2.0",
"should": "13.2.3",
2 changes: 1 addition & 1 deletion packages/jsreport-localization/package.json
@@ -34,7 +34,7 @@
"devDependencies": {
"handlebars": "4.7.7",
"@jsreport/jsreport-assets": "3.6.0",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-components": "3.3.0",
"@jsreport/jsreport-child-templates": "3.1.0",
"@jsreport/jsreport-handlebars": "3.2.1",
2 changes: 1 addition & 1 deletion packages/jsreport-mongodb-store/package.json
@@ -26,7 +26,7 @@
"mongodb": “5.1.0”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"cross-env": "6.0.3",
"mocha": "5.2.0",
"should": "13.2.3",
2 changes: 1 addition & 1 deletion packages/jsreport-mssql-store/package.json
@@ -23,7 +23,7 @@
"semaphore-async-await": “1.5.1”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"mocha": "8.3.2",
"should": "13.2.3",
"standard": “16.0.4”
2 changes: 1 addition & 1 deletion packages/jsreport-npm/package.json
@@ -27,7 +27,7 @@
"enhanced-resolve": “5.8.3”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-handlebars": "3.2.1",
"mocha": "9.0.3",
"moment": "2.29.4",
2 changes: 1 addition & 1 deletion packages/jsreport-office-password/package.json
@@ -40,7 +40,7 @@
"xlsx-populate": “1.21.0”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-html-to-xlsx": "3.3.1",
"@jsreport/studio-dev": "3.2.1",
"mocha": "7.0.0",
2 changes: 1 addition & 1 deletion packages/jsreport-oracle-store/package.json
@@ -21,7 +21,7 @@
"@jsreport/sql-store": “3.1.1”
},
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"mocha": "8.3.2",
"should": "13.2.3",
"standard": “16.0.4”
2 changes: 1 addition & 1 deletion packages/jsreport-pdf-utils/package.json
@@ -45,7 +45,7 @@
"@jsreport/jsreport-assets": "3.6.0",
"@jsreport/jsreport-child-templates": "3.1.0",
"@jsreport/jsreport-chrome-pdf": "3.3.0",
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/jsreport-handlebars": "3.2.1",
"@jsreport/jsreport-jsrender": "3.0.0",
"@jsreport/jsreport-scripts": "3.4.1",
2 changes: 1 addition & 1 deletion packages/jsreport-phantom-image/package.json
@@ -35,7 +35,7 @@
},
"author": "Jan Blaha",
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/studio-dev": "3.2.1",
"mocha": "5.0.5",
"should": "13.2.3",
2 changes: 1 addition & 1 deletion packages/jsreport-phantom-pdf/package.json
@@ -25,7 +25,7 @@
},
"author": "Jan Blaha",
"devDependencies": {
"@jsreport/jsreport-core": "3.11.2",
"@jsreport/jsreport-core": "3.11.4",
"@jsreport/studio-dev": "3.2.1",
"mocha": "5.2.0",
"phantomjs-exact-2-1-1": "0.1.0",
Related news
jsreport prior to 3.11.3 hard-coded, in the package.json of the jsreport-core component, a version of vm2 that is vulnerable to CVE-2023-29017. An attacker can use this vulnerability to gain the privileges of the jsreport playground server, or to construct a malicious web page or HTML file and send it to a user in order to attack that user's installed jsreport client.