10 changes: 7 additions & 3 deletions CHANGELOG.md
@@ -1,10 +1,14 @@
# cveClient Changelog

## Version 1.0.25 — 2026-03-28
- Bug: Bug fix in `cveClientlib.js` where query params such {active: false} will not work due to weak coercion
- Updated `cveClientlib.js` to version 1.0.26, should support npm usage as well.

## Version 1.0.24 — 2026-03-28

- Security: Fixed XSS vulnerability — use `.text()` instead of `.html()` for CVE ID in modal title
- Security: Prevent plaintext API key storage and harden encryption key handling
- Security: Added prototype pollution protection to `queryParser` and removed sensitive logging
- Security: Fixed XSS vulnerability — use `.text()` instead of `.html()` for CVE ID in modal title CVE-2026-35466
- Security: Prevent plaintext API key storage and harden encryption key handling CVE-2026-35467
- Security: Added prototype pollution protection to `queryParser` and removed sensitive logging CVE-2026-35466
- Updated SweetAlert2 from 11.4.9 to 11.26.24
- Made schema references version-agnostic with automatic schema version detection
- Added ADP (Authorized Data Publisher) read and delete support
41 changes: 28 additions & 13 deletions cveClientlib.js
Expand Up @@ -5,7 +5,30 @@ class cveClient {
this.key = key;
this.url = url;
this.user_path = "/org/" + this.org + "/user/" + this.user;
this._version = "1.0.25";
this._version = "1.0.26";
}
/* Safely build query string */
_buildQuery(qvars) {
if (!qvars) return "";

const params = new URLSearchParams();

Object.entries(qvars).forEach(([key, val]) => {
/* Skip only null/undefined */
if (val == null) return;
/* Handle arrays (common in APIs) */
if (Array.isArray(val)) {
val.forEach(v => {
if (v != null) params.append(key, String(v));
});
return;
}

/* Normalize everything else */
params.append(key, String(val));
});

return params.toString();
}
/* PUT /cve/{id}/adp — the only ADP endpoint per CVE Services API spec
See https://cveawg.mitre.org/api-docs/ */
Expand Down Expand Up @@ -139,21 +162,13 @@ class cveClient {
if(!opts) {
opts = {method:'GET'};
}
if(qvars) {
var qstr = new URLSearchParams();
Object.keys(qvars).forEach(function(x) {
/* Remove empty values in query_string
strange issue #11 when changing user's information
see https://github.com/CERTCC/cveClient/issues/11
*/
if(qvars[x] != "")
qstr.append(x,qvars[x]);
});
url.search = qstr.toString();
const qs = this._buildQuery(qvars);
if (qs) {
url.search = qs;
}
if(!('headers' in opts))
opts.headers = {};
opts.headers = Object.assign({},opts.headers,
opts.headers = Object.assign({}, opts.headers || {},
{'CVE-API-KEY': this.key,
'CVE-API-ORG': this.org,
'CVE-API-USER': this.user });
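Review bot: The new `_buildQuery` forwards empty strings as `key=` (only `null`/`undefined` are skipped in the forEach callback), whereas the removed loop in the second hunk deliberately dropped them with a comment citing issue #11 (changing a user's information); if that workaround is still required, add `if (val === "") return; // issue #11: empty values break user updates` beside the null check and say so in the "Skip only null/undefined" comment. Nested plain objects also fall through to `String(val)` and are sent as `[object Object]`, silently corrupting the query string; `if (typeof val === "object") throw new TypeError(\`unsupported query value for ${key}\`);` would surface the caller bug instead. In the second hunk the `if(!('headers' in opts)) opts.headers = {};` guard is now redundant given `Object.assign({}, opts.headers || {}, …)`, and that enclosing method starts and ends outside the hunk.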