Two dependencies have a potential security risk. #198
Comments
|
@outline4 I’d push back on your host and ask why those got flagged. I can’t find any CVEs (https://cve.mitre.org/) related to the libraries, along with anything in their changelogs or security advisories (https://github.com/tinify/tinify-php/security/advisories). And the files they reference both look pretty innocent: https://github.com/tinify/tinify-php/blob/master/test/integration.php |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
After upgraing a site to craft 4 and imager-x, my hoster sent me a list of possible security risks.
.../vendor/ksubileau/color-thief-php/src/ColorThief/Image/Adapter/AbstractAdapter.phpKnown exploit = [Fingerprint Match (fp)] [PHP Exploit [P2128]]
.../vendor/tinify/tinify/test/integration.phpKnown exploit = [Fingerprint Match (fp)] [PHP RFI Exploit [P2060]]
Craft support told me to verify the dependencies and both files are related to imager-x:
spacecatninja/imager-x 4.1.9.1 requires ksubileau/color-thief-php (^1.3|^2.0)spacecatninja/imager-x 4.1.9.1 requires tinify/tinify (>=1.1.1)The first one is more severe than the second one.
I had to change passwords and he had to delete the files.
The site seems to be running fine.
Could you please look into this?
The text was updated successfully, but these errors were encountered: