Conversation

Member

@benharvie benharvie commented Aug 10, 2020

NPM:

  • angular-redactor - Validated: Mik317
  • hexo-admin - Validated: Mik317
  • jquery-confirm - Validated: Mik317
  • node-dns-sync - Validated: Mik317 & mufeedvh
  • squel - Validated: Mik317
  • x-editable - Validated: Mik317

Packagist:

  • xmlBundle - Validated: Mik317
  • kcfinder - Validated: Mik317
  • hotarucms - Validated: Mik317 & mufeedvh
  • asymmetricrypt - Validated: Mik317

Pip:

  • conferencescheduler-cli - Validated: Mik317
  • definitions - Validated: Mik317

Removed due to being invalid:

  • node-krb5: Issues with PoC, C++ is currently an unsupported codebase anyway
  • php-proxy-app: Fixed
  • angular-froala: Fixed
  • insight-api: Environment issue, not development issue
  • ruby_ecdsa: Fixed
  • centreon: Fixed
  • django-make-app: Fixed
  • web3.js: Creating individual PR for this bounty until new schema updates have been pushed out

@benharvie benharvie added the bounty upload Upload of numerous bounties label Aug 10, 2020
@benharvie benharvie changed the title Addition of 10 bounties (10/08) Bounty upload (10/08) Aug 10, 2020
Contributor

@Mik317 Mik317 left a comment

I wasn't able to validate all the disclosures:
many of them are valid 😄 while some others aren't.

There are some disclosures I wasn't able to verify due to problems in running the software/module/tool which weren't documented well enough to overcome them, like in web-debug (returned a strange error on prototype ...).

In those cases, I looked at the open PRs/issues and the date of the latest commits/version, which helped a lot in understanding if defensive measures have been implemented after the original reporter had shown the issue 😄

Cheers,
Mik

Member Author

benharvie commented Aug 11, 2020

Thanks for the verification & comments there @Mik317 - I've added these to the Pull Request comment as a reference and will make changes today as per your recommendations.

Much appreciated,
Ben ❤️

Contributor

@Mik317 Mik317 left a comment

Froala has been patched (checked directly on the latest version), removing events and unsafe tags.
Redactor3 is vulnerable (the website with the editor still has an XSS issue).

Cheers,
Mik

Member Author

Thanks again for your input this week @Mik317 and @mufeedvh, you've been a great help 👍🏼

@benharvie benharvie merged commit d35c311 into 418sec:staging Aug 14, 2020