TLP: Clear - The repository of the DevGuard Web Project

👩‍💻 DevGuard Web

0.12.1 fix-api-url

0.12.3

0.13.2

0.14.2 add-page-prop-to-RiskAssessmentFeed

0.13.11 client-side-data-fetching

0.13.15

0.13.3

0.15.3

0.15.0

0.13.10 fix-asset-api-in-component-path

feature-delte-artifact

0.13.12 add-dynamic-github-app-url

0.14.3

0.14.1

0.13.6 main

0.13.4

0.15.2

0.13.0

0.13.7 fix-updated-pat

0.13.17

0.13.9

0.12.0 fix-dependencies-sorting

0.13.16

0.13.5

0.13.18

0.13.14 190-dependency-table-dialog-with-graph

add-devguard-api-url-to-autosetup

0.15.1 634--button-to-delete-an-organization

 TLP: Clear - Devguard GitLab CI/CD Components

🧩 DevGuard CI-Components

TLP: Clear - DevGuard GitHub Reusable Workflows

🧩 DevGuard Action

TLP: Clear - The documentation for the DevGuard Project

📚 DevGuard Documentation

TLP: Clear - The repository for the customized DevGuard Postgresql

🗄️ Devguard Postgresql

TLP: Clear - The main repository - contains the API, the devguard-scanner CLI and the Helm-Chart

💡 DevGuard

TLP: Clear - Manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Documentation made easy, Compliance to security Frameworks - OWASP Incubating Project

🛡️ DevGuard

Robot User

Badge-API

Test Project 1

Lars Hermges

Patrick Rissmann

Sebastian Kawelke

Tim Bastin

David Luhmer

Refaei Shikho

Frédéric Noppe

timbastin

seb-kw

Frederic-Kenji

refoo0

L3montree Cybersecurity

Webhook which sends notification into our matrix chat

Matrix Error-Tracking

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Package	Max Risk	Max CVSS	Vulnerability Count	Installed Version	Action
next	LOW (3.8)	MEDIUM (6.5)	18	15.3.5	Update to version 15.4.7 to reduce total risk by 58.5
@babel/runtime	LOW (3.6)	MEDIUM (6.2)	3	7.22.5	Update to version 7.26.10 to reduce total risk by 10.9
prismjs	LOW (2.9)	MEDIUM (4.9)	8	1.27.0	Update to version 1.30.0 to reduce total risk by 22.8

🛡️ DevGuard
Group
/👩‍💻 DevGuard Web
Repository

Identified Risks