Hello,
We did a lightweight scan of the Guacamole system 1.3.0 and 1.4.0.
These are the results we got. My question is: are you aware, and is it
documented for remediation?
Score  CVE             Component
-----  --------------  --------------
6.8    CVE-2018-16487  Lodash 4.17.10   N/A
       A prototype pollution vulnerability was found in lodash <4.17.11 where
       the functions merge, mergeWith, and defaultsDeep can be tricked into
       adding or modifying properties of Object.prototype.

6.5    CVE-2021-23337  Lodash 4.17.10   N/A
       Lodash versions prior to 4.17.21 are vulnerable to Command Injection via
       the template function.

6.4    CVE-2019-10744  Lodash 4.17.10   N/A
       Versions of lodash lower than 4.17.12 are vulnerable to Prototype
       Pollution. The function defaultsDeep could be tricked into adding or
       modifying properties of Object.prototype using a constructor payload.

5.8    CVE-2020-8203   Lodash 4.17.10   N/A
       Prototype pollution attack when using _.zipObjectDeep in lodash before
       4.17.20.

5      CVE-2020-28500  Lodash 4.17.10   N/A
       Lodash versions prior to 4.17.21 are vulnerable to Regular Expression
       Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

4.3    CVE-2019-11358  jQuery 3.3.1     N/A
       jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
       products, mishandles jQuery.extend(true, {}, ...) because of
       Object.prototype pollution. If an unsanitized source object contained an
       enumerable __proto__ property, it could extend the native
       Object.prototype.

4.3    CVE-2020-11022  jQuery 3.3.1     N/A
       In jQuery versions greater than or equal to 1.2 and before 3.5.0,
       passing HTML from untrusted sources - even after sanitizing it - to one
       of jQuery's DOM manipulation methods (i.e. .html(), .append(), and
       others) may execute untrusted code. This problem is patched in jQuery
       3.5.0.

4.3    CVE-2020-11023  jQuery 3.3.1     N/A
       In jQuery versions greater than or equal to 1.0.3 and before 3.5.0,
       passing HTML containing <option> elements from untrusted sources - even
       after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
       .html(), .append(), and others) may execute untrusted code. This problem
       is patched in jQuery 3.5.0.
Thank You
Sean Hulbert
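Several of the findings above (CVE-2018-16487, CVE-2019-10744, CVE-2020-8203, CVE-2019-11358) describe the same defect class: a deep merge that follows a `__proto__` or `constructor.prototype` key in attacker-controlled input and ends up writing to `Object.prototype`. The block below is an added illustration, not code from Guacamole, lodash or jQuery: a naive recursive merge of that kind next to a hardened one, a detection check that asks whether a fresh empty object has gained a property, and two constructed inputs of the shapes the descriptions mention. The helper names (`naiveMerge`, `safeMerge`, `mergePollutes`, `globalIsPolluted`) are our own.

```javascript
// Added example (not Guacamole's, lodash's or jQuery's code). Shows why a
// deep merge over untrusted JSON reaches Object.prototype, and what a
// hardened merge does differently. All inputs are constructed here.

// Keys that, when followed during a merge, leave the target object and walk
// up to Object.prototype (or to the Object constructor's prototype).
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive deep merge: trusts every key in `src` and recurses into whatever
// `target[key]` resolves to, including values inherited from the prototype.
function naiveMerge(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === "object") {
      if (!(key in target)) target[key] = {};
      naiveMerge(target[key], val); // may recurse into Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened deep merge: drops the prototype-reaching keys, recurses only into
// own plain-object properties of `target`, and never follows inheritance.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue; // throwing here is an equally valid policy
    const val = src[key];
    if (isPlainObject(val)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Detection check: a brand-new empty object should not carry our marker.
function globalIsPolluted() {
  return ({}).polluted === true;
}

// Constructed inputs. JSON.parse is used because an object literal with a
// "__proto__" key sets the prototype instead of creating an own property,
// whereas parsed JSON (the realistic request-body case) creates an own key.
const PROTO_PAYLOAD = JSON.parse('{"__proto__": {"polluted": true}}');
const CONSTRUCTOR_PAYLOAD = JSON.parse(
  '{"constructor": {"prototype": {"polluted": true}}}'
);

// Runs one merge implementation against one input into a fresh object,
// reports whether Object.prototype changed, and restores it afterwards so
// the process (and any later test) is left clean.
function mergePollutes(mergeFn, payload) {
  try {
    mergeFn({}, payload);
    return globalIsPolluted();
  } finally {
    delete Object.prototype.polluted;
  }
}
```

`mergePollutes(naiveMerge, PROTO_PAYLOAD)` and `mergePollutes(naiveMerge, CONSTRUCTOR_PAYLOAD)` both return `true`; the same calls with `safeMerge` return `false`, and `safeMerge` still merges ordinary nested data. The `globalIsPolluted` style of check (probe a fresh `{}` for an unexpected property after processing untrusted input) is also a cheap assertion to keep in a test suite around any code path that merges request bodies into configuration objects.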