Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
simpl-schema is vulnerable to prototype pollution.
Cure53 DOMPurify allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.
A memory leak flaw was found in WildFly OpenSSL, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.
A memory leak flaw was found in WildFly OpenSSL, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.
This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a url that will be passed to an external server allowing an SSRF attack.
This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a url that will be passed to a PhantomJS instance allowing for an SSRF attack.
In xmpp-http-upload, when the GET method is attacked, attackers can read files which have a .data suffix and which are accompanied by a JSON file with the .meta suffix. This can lead to Information Disclosure and in some shared-hosting scenarios also to circumvention of authentication or other limitations on the outbound (GET) traffic. For example, in a scenario where a single server has multiple instances of the application running (with …
An issue was discovered in Ruby WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
The socket.io-file package for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
In Electron the will-navigate event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched As a workaround sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.
Electron is vulnerable to a context isolation bypass. Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nodeIntegrationInSubFrames: true are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
This affects the package hellojs. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1).
In Shrine using Rack::Utils.secure_compare. Users using the derivation_endpoint plugin are urged to upgrade to Shrine or greater. A possible workaround is provided in the linked advisory.
This Prototype Pollution affects the package json-pointer. Multiple references of an object using a slash is supported.
A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality.
A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability.
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite, the OAuth Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint where compared using strings.ToLower while they should have been compared with a simple string match. This allows an attacker to register a client with allowed redirect URL.
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite, there is an issue in which an an attacker can override the registered redirect URL by performing an OAuth flow and requesting a redirect URL that is to the loopback adapter. Attackers can provide both custom URL query parameters to their loopback redirect URL and actually overriding the host of the registered redirect URL. These …
apollo-adminservice before version 1.7.1 does not implement access controls. If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it doesn't have access control built-in. Malicious hackers may access apollo-adminservice apis directly to access/edit the application's configurations. To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet.
In mapfish-print, an attacker can run an XML External Entity (XXE) attack with the provided SDL style.
In mapfish-print, an attacker can run an XML External Entity (XXE) attack with the provided SDL style.
In mapfish-print, an attacker can run an XML External Entity (XXE) attack with the provided SDL style.
Insufficient policy enforcement in WebView in Google Chrome on Android allowed a remote attacker to bypass site isolation via a crafted HTML page.
All versions of package safetydance are vulnerable to Prototype Pollution via the set function.
The package bmoor is vulnerable to Prototype Pollution via the set function.
In mapfish-print, a user can use the JSONP support to do a Cross-site scripting.
In mapfish-print, a user can use the JSONP support to do a Cross-site scripting.
In mapfish-print, a user can use the JSONP support to do a Cross-site scripting.
All versions of package shiba are vulnerable to Arbitrary Code Execution due to the default usage of the function load() of the package js-yaml instead of its secure replacement, safeLoad().
If an application is making use of the deprecated kit protocol HALs as the communication channel to the target device an attacker can masquerade as a device and return malformed packets of arbitrary length which the protocol stack will write to the stack.
In Apache NiFi, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.
npm packages loadyaml and electorn were removed from the npm registry for containing malicious code. Upon installation the package runs a preinstall script that writes a public comment on GitHub containing the following information: IP and IP-based geolocation home directory name local username The malicious packages have been removed from the npm registry and the leaked content removed from GitHub.
npm packages loadyaml and electorn were removed from the npm registry for containing malicious code. Upon installation the package runs a preinstall script that writes a public comment on GitHub containing the following information: IP and IP-based geolocation home directory name local username The malicious packages have been removed from the npm registry and the leaked content removed from GitHub.
Nette are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.
As mitigation for CVE-2020-1945 Apache Ant changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately, the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
Pritunl allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return err However, if the username is valid, then login attempts, the server will start responding with err Invalid usernames will receive err indefinitely.
In Apache NiFi, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
In Apache NiFi, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However, intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.
In Apache NiFi, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).
In the @actions/core npm module, addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the set-env and add-path workflow commands in the near …
In Istio, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g., *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.
This issue has been marked as a false positive.
Attackers can use public NetTest web service of Apache OpenMeetings to organize denial of service attack.
In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary …
In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary …
jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
NATS nats.js, nats.ws, and nats.deno allow credential disclosure from a client to a server.
urllib3 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Nacos suffers from a flaw where users can access service details when unauthenticated. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through the service list interface. Service details can then be accessed when not logged in.
In Apache Tapestry, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run.
An issue was discovered in HFish When a payload is inserted where the password is entered, XSS code is triggered when the administrator views the information.
A flaw was found in Django REST Framework When using the browseable API viewer. Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.
django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter, automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. + applies a MaxValueValidator with a a default limit_value of 1e50 to the form field used by NumberFilter instances. In addition, NumberFilter implements the new get_max_validator() which should …
In Tensorflow, the implementation of dlpack.to_dlpack can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a reinterpret_cast Since the PyObject is a Python object, not a TensorFlow Tensor, the cast …
In Tensorflow, the implementation of dlpack.to_dlpack can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a reinterpret_cast Since the PyObject is a Python object, not a TensorFlow Tensor, the cast …
In Tensorflow, the implementation of dlpack.to_dlpack can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a reinterpret_cast Since the PyObject is a Python object, not a TensorFlow Tensor, the cast …
A remote code execution (RCE) vulnerability was discovered in the htmlformentry (aka HTML Form Entry) module for OpenMRS. By leveraging path traversal, a malicious Velocity Template Language file could be written to a directory. This file could then be accessed and executed.
In TensorFlow Lite, models using segment sum can trigger a segmentation fault if the segment ids are not sorted. Code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimensionality of output tensor. This results in allocating insufficient memory for the output tensor and in an out-of-bounds-write to the output array.
In TensorFlow Lite, models using segment sum can trigger a segmentation fault if the segment ids are not sorted. Code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimensionality of output tensor. This results in allocating insufficient memory for the output tensor and in an out-of-bounds-write to the output array.
In TensorFlow Lite, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to segment_ids_data can alter output_index and then write to outside output_data buffer. This might result in a segmentation fault but it can also be used to further corrupt the memory and can be chained with other vulnerabilities to create more advanced …
In tensorflow-lite, when determining the common dimension size of two tensors, TFLite uses a DCHECK which is no-op outside debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside bounds since the interpreter will wrongly assume that there is enough data in both …
In TensorFlow Lite, models using segment sum can trigger a segmentation fault if the segment ids are not sorted. Code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimensionality of output tensor. This results in allocating insufficient memory for the output tensor and in an out-of-bounds-write to the output array.
In TensorFlow Lite, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to segment_ids_data can alter output_index and then write to outside output_data buffer. This might result in a segmentation fault but it can also be used to further corrupt the memory and can be chained with other vulnerabilities to create more advanced …
In TensorFlow Lite, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get …
In tensorflow-lite, when determining the common dimension size of two tensors, TFLite uses a DCHECK which is no-op outside debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside bounds since the interpreter will wrongly assume that there is enough data in both …
In TensorFlow Lite, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to segment_ids_data can alter output_index and then write to outside output_data buffer. This might result in a segmentation fault but it can also be used to further corrupt the memory and can be chained with other vulnerabilities to create more advanced …
In tensorflow-lite, when determining the common dimension size of two tensors, TFLite uses a DCHECK which is no-op outside debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside bounds since the interpreter will wrongly assume that there is enough data in both …
In TensorFlow Lite, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get …
In TensorFlow Lite, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get …
The package ng-packagr is vulnerable to Command Injection via the styleIncludePaths option.
In Tensorflow, the tf.raw_ops.Switch operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. However, the eager runtime traverses all tensors in the output. Since only one of the tensors is defined, the other one is nullptr, hence we are binding a reference to …
In eager mode, TensorFlow does not set the session state. Hence, calling tf.raw_ops.GetSessionHandle or tf.raw_ops.GetSessionHandleV2 results in a null pointer dereference In linked snippet, in eager mode, ctx->session_state() returns nullptr. Since code immediately dereferences this, we get a segmentation fault.
In tensorflow-lite, a crafted TFLite model can force a node to have as input a tensor backed by a nullptr buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with nullptr. However, by changing the buffer index for a …
In Tensorflow, the tf.raw_ops.Switch operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. However, the eager runtime traverses all tensors in the output. Since only one of the tensors is defined, the other one is nullptr, hence we are binding a reference to …
In eager mode, TensorFlow does not set the session state. Hence, calling tf.raw_ops.GetSessionHandle or tf.raw_ops.GetSessionHandleV2 results in a null pointer dereference In linked snippet, in eager mode, ctx->session_state() returns nullptr. Since code immediately dereferences this, we get a segmentation fault.
In eager mode, TensorFlow does not set the session state. Hence, calling tf.raw_ops.GetSessionHandle or tf.raw_ops.GetSessionHandleV2 results in a null pointer dereference In linked snippet, in eager mode, ctx->session_state() returns nullptr. Since code immediately dereferences this, we get a segmentation fault.
In tensorflow-lite, a crafted TFLite model can force a node to have as input a tensor backed by a nullptr buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with nullptr. However, by changing the buffer index for a …
In tensorflow-lite, a crafted TFLite model can force a node to have as input a tensor backed by a nullptr buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with nullptr. However, by changing the buffer index for a …
In Tensorflow, the tf.raw_ops.Switch operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. However, the eager runtime traverses all tensors in the output. Since only one of the tensors is defined, the other one is nullptr, hence we are binding a reference to …
In Tensorflow, the SparseCountSparseOutput and RaggedCountSparseOutput implementations don't validate that the weights tensor has the same shape as the data. The check exists for DenseCountSparseOutput, where both tensors are fully specified. In the sparse and ragged count weights are still accessed in parallel with the data. But, since there is no validation, a user passing fewer weights than the values for the tensors can generate a read from outside the …
In Tensorflow, the implementation of SparseFillEmptyRowsGrad uses a double indexing pattern. It is possible for reverse_index_map(i) to be an index outside bounds of grad_values, thus resulting in a heap buffer overflow.
In TensorFlow Lite, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since code uses the last element of the tensor holding them to determine the dimensionality of output tensor, attackers can use a very large value to trigger a large allocation.
In tensorflow-lite, to mimic Python's indexing with negative values, TFLite uses ResolveAxis to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the DCHECK does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out-of-bounds which results in segfaults and/or data corruption.
In tensorflow-lite, to mimic Python's indexing with negative values, TFLite uses ResolveAxis to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the DCHECK does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out-of-bounds which results in segfaults and/or data corruption.
In Tensorflow, the SparseCountSparseOutput and RaggedCountSparseOutput implementations don't validate that the weights tensor has the same shape as the data. The check exists for DenseCountSparseOutput, where both tensors are fully specified. In the sparse and ragged count weights are still accessed in parallel with the data. But, since there is no validation, a user passing fewer weights than the values for the tensors can generate a read from outside the …
In tensorflow-lite, to mimic Python's indexing with negative values, TFLite uses ResolveAxis to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the DCHECK does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out-of-bounds which results in segfaults and/or data corruption.
In Tensorflow, the implementation of SparseFillEmptyRowsGrad uses a double indexing pattern. It is possible for reverse_index_map(i) to be an index outside bounds of grad_values, thus resulting in a heap buffer overflow.
In Tensorflow, the SparseCountSparseOutput implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the indices tensor has the same shape as the values one. The values in these tensors are always accessed in parallel. Thus, a shape mismatch can result in accesses outside the bounds of heap allocated buffers.
In Tensorflow, the SparseCountSparseOutput implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the indices tensor has the same shape as the values one. The values in these tensors are always accessed in parallel. Thus, a shape mismatch can result in accesses outside the bounds of heap allocated buffers.
In Tensorflow, the data_splits argument of tf.raw_ops.StringNGrams lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory In the linked code snippet, all the binary strings after ee ff are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR.
In Tensorflow, the data_splits argument of tf.raw_ops.StringNGrams lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory In the linked code snippet, all the binary strings after ee ff are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR.
In TensorFlow Lite, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since code uses the last element of the tensor holding them to determine the dimensionality of output tensor, attackers can use a very large value to trigger a large allocation.
In Tensorflow, the SparseCountSparseOutput and RaggedCountSparseOutput implementations don't validate that the weights tensor has the same shape as the data. The check exists for DenseCountSparseOutput, where both tensors are fully specified. In the sparse and ragged count weights are still accessed in parallel with the data. But, since there is no validation, a user passing fewer weights than the values for the tensors can generate a read from outside the …
In Tensorflow, the implementation of SparseFillEmptyRowsGrad uses a double indexing pattern. It is possible for reverse_index_map(i) to be an index outside bounds of grad_values, thus resulting in a heap buffer overflow.
In Tensorflow, the data_splits argument of tf.raw_ops.StringNGrams lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory In the linked code snippet, all the binary strings after ee ff are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR.
In TensorFlow Lite, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since code uses the last element of the tensor holding them to determine the dimensionality of output tensor, attackers can use a very large value to trigger a large allocation.
In Tensorflow, the SparseCountSparseOutput implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the indices tensor has the same shape as the values one. The values in these tensors are always accessed in parallel. Thus, a shape mismatch can result in accesses outside the bounds of heap allocated buffers.
In Tensorflow, the SparseFillEmptyRowsGrad implementation has incomplete validation of the shapes of its arguments. Although reverse_index_map_t and grad_values_t are accessed in a similar pattern, only reverse_index_map_t is validated to be of proper shape. Hence, malicious users can pass a bad grad_values_t to trigger an assertion failure in vec, causing denial of service in serving installations.
In Tensorflow, the RaggedCountSparseOutput implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the splits tensor generate a valid partitioning of the values tensor. Hence, the code is prone to heap buffer overflow. If split_values does not end with a value at least num_values then the while loop condition will trigger a read outside the bounds …
In Tensorflow, if a user passes an invalid argument to dlpack.to_dlpack the expected validations will cause variables to bind to nullptr while setting a status variable to the error condition. However, this status argument is not properly checked. Hence, code following these methods will bind references to null pointers. This is undefined behavior and reported as an error if compiling with -fsanitize=null.
If a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption.
In Tensorflow, the SparseFillEmptyRowsGrad implementation has incomplete validation of the shapes of its arguments. Although reverse_index_map_t and grad_values_t are accessed in a similar pattern, only reverse_index_map_t is validated to be of proper shape. Hence, malicious users can pass a bad grad_values_t to trigger an assertion failure in vec, causing denial of service in serving installations.
In Tensorflow, by controlling the fill argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a printf call is constructed. This may result in segmentation fault.
In Tensorflow, the RaggedCountSparseOutput implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the splits tensor generate a valid partitioning of the values tensor. Thus, the code sets up conditions to cause a heap buffer overflow. A BatchedMap is equivalent to a vector where each element is a hashmap. However, if the first element of splits_values …
In Tensorflow, if a user passes a list of strings to dlpack.to_dlpack there is a memory leak following an expected validation failure. The issue occurs because the status argument during validation failures is not properly checked. Since each of the above methods can return an error status, the status value must be checked before continuing.
In Tensorflow, the SparseCountSparseOutput implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the indices tensor has rank This tensor must be a matrix because code assumes its elements are accessed as elements of a matrix. However, malicious users can pass in tensors of different rank, resulting in a CHECK assertion failure and a crash. This can be used …
In Tensorflow, the RaggedCountSparseOutput does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the splits tensor has the minimum required number of elements. Code uses this quantity to initialize a different data structure. Since BatchedMap is equivalent to a vector, it needs to have at least one element to not be nullptr. If user passes a splits tensor that is …
In Tensorflow, if a user passes a list of strings to dlpack.to_dlpack there is a memory leak following an expected validation failure. The issue occurs because the status argument during validation failures is not properly checked. Since each of the above methods can return an error status, the status value must be checked before continuing.
If a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption.
In Tensorflow, the SparseCountSparseOutput implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the indices tensor has rank This tensor must be a matrix because code assumes its elements are accessed as elements of a matrix. However, malicious users can pass in tensors of different rank, resulting in a CHECK assertion failure and a crash. This can be used …
In Tensorflow, the RaggedCountSparseOutput does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the splits tensor has the minimum required number of elements. Code uses this quantity to initialize a different data structure. Since BatchedMap is equivalent to a vector, it needs to have at least one element to not be nullptr. If user passes a splits tensor that is …
In Tensorflow, changing the TensorFlow's SavedModel protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using tensorflow-serving or other inference-as-a-service installments.
In Tensorflow, the RaggedCountSparseOutput implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the splits tensor generate a valid partitioning of the values tensor. Hence, the code is prone to heap buffer overflow. If split_values does not end with a value at least num_values then the while loop condition will trigger a read outside the bounds …
In Tensorflow, the RaggedCountSparseOutput implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the splits tensor generate a valid partitioning of the values tensor. Thus, the code sets up conditions to cause a heap buffer overflow. A BatchedMap is equivalent to a vector where each element is a hashmap. However, if the first element of splits_values …
In Tensorflow, if a user passes an invalid argument to dlpack.to_dlpack the expected validations will cause variables to bind to nullptr while setting a status variable to the error condition. However, this status argument is not properly checked. Hence, code following these methods will bind references to null pointers. This is undefined behavior and reported as an error if compiling with -fsanitize=null.
If a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption.
In Tensorflow, by controlling the fill argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a printf call is constructed. This may result in segmentation fault.
In Tensorflow, the SparseCountSparseOutput implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the indices tensor has rank This tensor must be a matrix because code assumes its elements are accessed as elements of a matrix. However, malicious users can pass in tensors of different rank, resulting in a CHECK assertion failure and a crash. This can be used …
In Tensorflow, by controlling the fill argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a printf call is constructed. This may result in segmentation fault.
In Tensorflow, the SparseFillEmptyRowsGrad implementation has incomplete validation of the shapes of its arguments. Although reverse_index_map_t and grad_values_t are accessed in a similar pattern, only reverse_index_map_t is validated to be of proper shape. Hence, malicious users can pass a bad grad_values_t to trigger an assertion failure in vec, causing denial of service in serving installations.
In Tensorflow, the RaggedCountSparseOutput does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the splits tensor has the minimum required number of elements. Code uses this quantity to initialize a different data structure. Since BatchedMap is equivalent to a vector, it needs to have at least one element to not be nullptr. If user passes a splits tensor that is …
In Tensorflow, changing the TensorFlow's SavedModel protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using tensorflow-serving or other inference-as-a-service installments.
In Tensorflow, changing the TensorFlow's SavedModel protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using tensorflow-serving or other inference-as-a-service installments.
In Tensorflow, the RaggedCountSparseOutput implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the splits tensor generate a valid partitioning of the values tensor. Hence, the code is prone to heap buffer overflow. If split_values does not end with a value at least num_values then the while loop condition will trigger a read outside the bounds …
In Tensorflow, the RaggedCountSparseOutput implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the splits tensor generate a valid partitioning of the values tensor. Thus, the code sets up conditions to cause a heap buffer overflow. A BatchedMap is equivalent to a vector where each element is a hashmap. However, if the first element of splits_values …
In Tensorflow, if a user passes a list of strings to dlpack.to_dlpack there is a memory leak following an expected validation failure. The issue occurs because the status argument during validation failures is not properly checked. Since each of the above methods can return an error status, the status value must be checked before continuing.
In Tensorflow, if a user passes an invalid argument to dlpack.to_dlpack the expected validations will cause variables to bind to nullptr while setting a status variable to the error condition. However, this status argument is not properly checked. Hence, code following these methods will bind references to null pointers. This is undefined behavior and reported as an error if compiling with -fsanitize=null.
In Tensorflow, the Shard API in TensorFlow expects the last argument to be a function taking two int64 arguments. However, there are several places in TensorFlow where a lambda taking int or int32 arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, …
In Tensorflow, the Shard API in TensorFlow expects the last argument to be a function taking two int64 arguments. However, there are several places in TensorFlow where a lambda taking int or int32 arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, …
In Tensorflow, the Shard API in TensorFlow expects the last argument to be a function taking two int64 arguments. However, there are several places in TensorFlow where a lambda taking int or int32 arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, …
vm/opcodes.c in JerryScript allows attackers to hijack the flow of control by controlling a register.
Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.
lib/oauth/consumer.rb in the oauth-ruby gem for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go), when using private_key_jwt authentication the uniqueness of the jti value is not checked.
An XSS issue in Joplin desktop allows arbitrary code execution via a malicious HTML embed tag.
Back in min June a security vulnerability was reported to the team, the reason for the slow response was due to ownership of some packages was locked and we wanted to be sure to update all packages before any disclosure was released. The issue is deemed being a Low severity vulnerability. Impact This vulnerability impacts users who rely on the for last digits of personnummer to be a real personnummer. …
Back in min June a security vulnerability was reported to the team, the reason for the slow response was due to ownership of some packages was locked and we wanted to be sure to update all packages before any disclosure was released. The issue is deemed being a Low severity vulnerability. Impact This vulnerability impacts users who rely on the for last digits of personnummer to be a real personnummer. …
A sandbox bypass vulnerability in Jenkins Script Security Plug allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM.
Impact RCE in Third Party Library Patches We recommend to update to the current version 6.3.1.1. You can get the update to 6.3.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 References https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-09-2020
Impact RCE in Third Party Library Patches We recommend to update to the current version 6.3.1.1. You can get the update to 6.3.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 References https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-09-2020
An information disclosure vulnerability was found in containers/podman When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
A flaw was discovered in all versions of Undertow before Undertow Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
A flaw was found in the Ansible Engine when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shopware/core.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shopware/platform.
An issue was discovered in the gon gem for Ruby. MultiJson does not honor the escape_mode parameter to escape fields as an XSS protection mechanism. To mitigate, json_dumper.rb in gon now applies XSS escaping by default without relying on MultiJson.
All versions of package cabot are vulnerable to Cross-site Scripting (XSS) via the Endpoint column.
In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Prototype pollution in json-bigint npm package may lead to a denial-of-service (DoS) attack.
Prototype pollution vulnerability in the TypeORM package may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.
Impact Mirador users less than v3.0.0 (alpha-rc) versions that have an unpatched jQuery. When adopters update jQuery they will find some of Mirador functionality to be broken. Patches Mirador adopters should update to v3.0.0, no updates exist for v2.x releases. Workarounds Yes, Mirador users could fork and create their own custom build of Mirador and make the bug fixes themselves. References https://github.com/advisories/GHSA-gxr4-xjj5-5px2 https://github.com/advisories/GHSA-jpcq-cgw6-v4j6 https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/
A flaw was found in RESTEasy client. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
A flaw was found in RESTEasy client in all versions of RESTEasy up to Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in DotPlant2. In class Pay2PayPayment in payment/Pay2PayPayment.php, there is an XXE vulnerability in the checkResult function. The user input ($_POST['xml']) is used for simplexml_load_string without sanitization. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
A heap overflow in Sqreen PyMiniRacer (aka Python Mini Racer) allows remote attackers to potentially exploit heap corruption.
While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s os package in the web application process in versions. It was thus possible for an authenticated user to list and access files, environment variables, and process information. In addition, it was possible to set environment …
While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s os package in the web application process in versions. It was thus possible for an authenticated user to list and access files, environment variables, and process information. In addition, it was possible to set environment …
A Improper Access Control vulnerability in the configuration of salt of SUSE Linux Enterprise Module for SUSE Manager Server, SUSE Manager Proxy, SUSE Manager Retail Branch Server, SUSE Manager Server, SUSE Manager Server allows local users to escalate to root on every system managed by SUSE manager. On the managing node itself code can be executed as user salt, potentially allowing for escalation to root there. This issue affects: SUSE …
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration
In Apache Airflow, the origin parameter passed to endpoints like /trigger is vulnerable to XSS.
Jenkins Storable Configs Plugin does not restrict the user-specified file name, allowing attackers with Job/Configure permission to replace any other '.xml' file on the Jenkins controller with a job config.xml file's content.
Jenkins Storable Configs Plugin allows users with Job/Read permission to read arbitrary files on the Jenkins controller.
Jenkins Copy data to workspace Plugin does not limit which directories can be copied from the Jenkins controller to job workspaces, allowing attackers with Job/Configure permission to read arbitrary files on the Jenkins controller.
Jenkins Perfecto Plugin executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller
Jenkins Selection tasks Plugin executes a user-specified program on the Jenkins controller, allowing attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as.
libraw has a null pointer dereference vulnerability in parse_tiff_if in src/metadata/tiff.cpp, which may result in context-dependent arbitrary code execution.
A missing permission check in Jenkins Perfecto Plugin allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials.
A missing permission check in Jenkins MongoDB Plugin allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.
A missing permission check in Jenkins ElasTest Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
A missing permission check in Jenkins Blue Ocean Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL.
A flaw was found in Keycloak, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information.
Sylabs Singularity has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039.
Sylabs Singularity has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.
Jenkins Health Advisor by CloudBees Plugin does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.
xmlquery lacks a check for whether a LoadURL response is in the XML format, which allows attackers to cause a denial of service (SIGSEGV) at xmlquery.(*Node).InnerText or possibly have unspecified other impact.
A content spoofing vulnerability was found in the openshift/console This flaw allows an attacker to craft a URL and inject arbitrary text onto the error page that appears to be from the OpenShift instance. This attack could potentially convince a user that the inserted text is legitimate.
This advisory has been marked as False Positive as it impacts blueocean-git-pipeline.
The package ua-parser-js is vulnerable to Regular Expression Denial of Service (ReDoS).
A flaw was found in Keycloak's data filter, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
A flaw was found in Keycloak's data filter, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
Jenkins Locked Files Report Plugin does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins Validating String Parameter Plugin does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
A flaw was found in Keycloak's data filter, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
Jenkins Custom Job Icon Plugin does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins Radiator View Plugin does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
A flaw was found in Keycloak's data filter, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
Jenkins computer-queue-plugin Plugin does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
Jenkins Coverage/Complexity Scatter Plot Plugin does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.
A flaw was found in Keycloak's data filter, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
Jenkins Description Column Plugin does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
A flaw was found in Keycloak's data filter, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
Apache Atlas contain a XSS vulnerability. While saving search or rendering elements values are not sanitized correctly and because of that it triggers the XSS vulnerability.
Jenkins ClearCase Release Plugin does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins chosen-views-tabbar Plugin does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.
A cross-site request forgery (CSRF) vulnerability in Jenkins ElasTest allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.
Jenkins ElasTest Plugin stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
A buffer overflow vulnerability in LibRaw LibRaw::GetNormalizedModel in src/metadata/normalize_model.cpp may lead to context-dependent arbitrary code execution.
A vulnerability was found in Keycloak where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
In Apache Syncope, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The message field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser.
When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS …
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
Yii 2 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input.
A buffer overflow exists in the Brotli library where an attacker controlling the input length of a one-shot decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.
ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrarily file on a remote server via GET request encode parameter.
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
An issue was discovered in LemonLDAP::NG when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI.
Impact Applies to Azure DevOps users only. The bot's token may be exposed in server or pipeline logs due to the http.extraheader=AUTHORIZATION parameter being logged without redaction. It is recommended that Azure DevOps users revoke their existing bot credentials and generate new ones after upgrading if there's a potential that logs have been saved to a location that others can view. Patches Fixed Workarounds Do not share Renovate logs with …
Versions of atompm are vulnerable to Unauthorized File Access. The package fails to sanitize relative paths in the URL for file downloads, allowing attackers to download arbitrary files from the system. Upgrade to or later.
All versions of untitled-model re vulnerable to SQL Injection. Query parameters are not properly sanitized allowing attackers to inject SQL statements and execute arbitrary SQL queries. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of resquel are vulnerable to SQL Injection. Query parameters are not properly sanitized, allowing attackers to inject SQL statements and execute arbitrary SQL queries No fix is currently available. Consider using an alternative package until a fix is made available.
Relative Path Traversal in serve.
All versions of mergify are vulnerable to Prototype Pollution. The mergify() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects. Recommendation No fix is currently available. Consider using an alternative module as the package is deprecated.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1057, CVE-2020-1180.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1057, CVE-2020-1172.
A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka 'Microsoft Browser Memory Corruption Vulnerability'.
All versions of commqnder contain malicious code . The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.
All versions of commmander contain malicious code . The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.
All versions of equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
of angluar-cli contains malicious code as a postinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed the package attempts to remove files and stop processes related to McAfee antivirus on macOS. Remove the package from your environment and verify whether files were deleted and if processes were stopped.
of blubird contains malicious code . The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.
All versions of reuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
of epress contains malicious code . The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.
All versions of test-module-a contain malicious code as a preinstall script. The package fetches all names of npm packages owned by the user and attempts to add another maintainer to every package as a means of package hijacking, ## Recommendation Remove the package from your system. If you own any packages that were compromised please contact npm security immediately at security@npmjs.com. Also enable 2FA for publishing to further secure packages …
All versions of electron-native-notify contain malicious code. The package was part of a targeted attack to steal cryptocurrency wallet seeds and upload them to a remote server, effectively giving attackers access to users wallets. ## Recommendation Remove the package from your environment and follow the recommendations by Komodo
All versions of shrugging-logging contain malicious code as a postinstall script. The package fetches all names of npm packages owned by the user and attempts to add another maintainer to every package as a means of package hijacking, ## Recommendation Remove the package from your system. If you own any packages that were compromised please contact npm security immediately at security@npmjs.com. Also enable 2FA for publishing to further secure packages …
A spoofing vulnerability manifests in Microsoft Xamarin.Forms due to the default settings on Android WebView, aka 'Xamarin.Forms Spoofing Vulnerability'.
Versions of bigint-money are vulnerable to an Incorrect Calculation. The package incorrectly rounded certain numbers, which could have drastic consequences due to its usage in financial systems.
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (–check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.
When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1172, CVE-2020-1180.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in grunt-radical.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in wxchangba.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in angular-location-update.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in soletta-dev-app.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ng-ui-library.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in grunt-radic.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in react-datepicker-plus.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in wizard-syncronizer.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in precode.js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in motiv.scss.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in entitlements.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in github-jquery-widgets.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in scroool.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in geoheat.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ember-power-timepicker.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in radic-util.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in node-red.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in serve.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in serve.
Cross-site scripting (XSS) vulnerability in Dojo Toolkit before 1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui.
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.
Affected versions of node-sass are vulnerable to Denial of Service (DoS). Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value that crash the Node process. This may allow attackers to crash the system's running Node process and lead to Denial of Service. Recommendation Upgrade to version 4.13.1 or later
Versions of diagram-js-direct-editing are vulnerable to Cross-Site Scripting. The package fails to sanitize input from the clipboard, allowing attackers to execute arbitrary JavaScript in the victim's browser. Upgrade to or later.
Versions of diagram-js (f ) (f ) are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript. If you are using diagram-js, upgrade to If you are using diagram-js, upgrade to
In Action View there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not …
Bitcoin Core and Bitcoin Knots allow remote denial of service via a flood of multiple transaction inv messages with random hashes, aka INVDoS. NOTE: this can also affect other cryptocurrencies, e.g., if they were forked from Bitcoin Core .
In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. The only workaround is to give SCRIPT right only to trusted users.
apollo-adminservice does not implement access controls. If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it does not have access control built-in. Malicious hackers may access apollo-adminservice apis directly to access/edit the application's configurations. To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet.
apollo-adminservice does not implement access controls. If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it does not have access control built-in. Malicious hackers may access apollo-adminservice apis directly to access/edit the application's configurations. To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet.
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the jmxrmi entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when a user …
This advisory has been marked as a false positive.
This advisory has been marked as a false positive.
This advisory has been marked as a false positive.
This advisory has been marked as a false positive.
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
node-fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't …
Back in min June a security vulnerability was reported to the team, the reason for the slow response was due to ownership of some packages was locked and we wanted to be sure to update all packages before any disclosure was released. The issue is deemed being a Low severity vulnerability. Impact This vulnerability impacts users who rely on the for last digits of personnummer to be a real personnummer. …
Back in min June a security vulnerability was reported to the team, the reason for the slow response was due to ownership of some packages was locked and we wanted to be sure to update all packages before any disclosure was released. The issue is deemed being a Low severity vulnerability. Impact This vulnerability impacts users who rely on the for last digits of personnummer to be a real personnummer. …
Back in min June a security vulnerability was reported to the team, the reason for the slow response was due to ownership of some packages was locked and we wanted to be sure to update all packages before any disclosure was released. The issue is deemed being a Low severity vulnerability. Impact This vulnerability impacts users who rely on the for last digits of personnummer to be a real personnummer. …
Python TUF (The Update Framework) reference implementation it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed and newer.
The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite.
Back in min June a security vulnerability was reported to the team, the reason for the slow response was due to ownership of some packages was locked and we wanted to be sure to update all packages before any disclosure was released. The issue is deemed being a Low severity vulnerability. Impact This vulnerability impacts users who rely on the for last digits of personnummer to be a real personnummer. …
Versions of bin-links are vulnerable to a Symlink reference outside of node_modules. It is possible to create symlinks to files outside of thenode_modules folder through the bin field. This may allow attackers to access unauthorized files.
All versions of html-pdf-chrome is vulnerable to Server-Side Request Forgery (SSRF). The package executes HTTP requests if the parsed HTML contains external references to resources, such as <iframe src="http://localhost" height="800px" width="800px"></iframe>. This allows attackers to access resources through HTTP that are accessible to the server, including private resources in the hosting environment. ## Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of ftp-srv is vulnerable to Server-Side Request Forgery (SSRF). The package fails to prevent remote clients to access other resources in the network, for example when connecting to the server through telnet. This allows attackers to access any network resources available to the server, including private resources in the hosting environment. Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of notevil are vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing attacker to add or modify an object's prototype. Evaluating the payload try{a[b];}catch(e){e.constructor.constructor('return proto.arguments.callee.proto.polluted=true')()} add the polluted property to Function.
Versions of papaparse are vulnerable to Regular Expression Denial of Service (ReDos). The parse function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service. Upgrade to or later.
All versions of markdown are vulnerable to Regular Expression Denial of Service (ReDoS). The markdown.toHTML() function has significantly degraded performance when parsing long strings containing underscores. This may lead to Denial of Service if the parser accepts user input. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of unflatten are vulnerable to prototype pollution. The function unflatten does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of sahmat are vulnerable to prototype pollution. The package does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of safe-object2 are vulnerable to prototype pollution. The settter() function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of reggae are vulnerable to prototype pollution. The function set does not restrict the modification of an Object's prototype, which may allow a malicious to add or modify an existing property that will exist on all objects. No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of klona prior to 1.1.1 are vulnerable to prototype pollution. The package does not restrict the modification of an Object's prototype when cloning objects, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation Upgrade to version 1.1.1 or later.
All versions of getsetdeep are vulnerable to prototype pollution. The setDeep() function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of get-setter are vulnerable to prototype pollution. The function set does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of flat-wrap are vulnerable to prototype pollution. The function unflatten does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of deep-setter are vulnerable to prototype pollution. The package does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of vue-moment contain an Outdated Static Dependency. The package depends on moment and has it loaded statically instead of as a dependency that can be updated. It has moment@2.19.1 that contains a Regular Expression Denial of Service vulnerability.
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit f06b3e.
GNOME project libxml2 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of 1337qq-js contain malicious code. The package exfiltrates sensitive information through install scripts. It targets UNIX systems. The information exfiltrated includes: Environment variables Running processes /etc/hosts uname -a npmrc file Remove the package from your system and rotate any compromised credentials.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of sj-labc contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
All versions of cxct contain malicious code. The package finds and exfiltrates cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of parsel use an insecure key derivation function. The package runs keys of arbitrary lengths through one round of SHA256 hashing for key stretching. This allows for the use of keys of insufficient entropy with inappropriate key stretching. The package is deprecated and will not be updated. Consider using an alternative package.
All versions of parsel use an insecure cryptography algorithm. The package uses aes-256-cbc without integrity checks, which renders the ciphertext vulnerable to bit-flipping attacks. The package is deprecated and will not be updated. Consider using an alternative package.
Versions of type-graphql are vulnerable to Information Exposure. The package leaks the resolver source code in an error message. It is possible to force this error when no subscription topics are provided in the request. Upgrade to or later.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pitboss-ng.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in lighter-vm.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @hapi/hoek.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in sandbox.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in veval.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in kerberos.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in traceroute.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in gnuplot.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in malicious-npm-package.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in plotter.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in giting.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @zhaoyao91/eval-in-vm.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in localeval.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in meta-git.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in mongodb-query-parser.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm-git-publish.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in next.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in react.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nextcloud-vue-collections.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @hapi/boom.
A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in markdown-it-katex.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in atlasboard-atlassian-package.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in react.
All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf. ## Recommendation No fix is currently available. Consider using an alternative package …
All versions of parsel have a default hardcoded initialization vector. In cases where the IV is not provided, the package defaults to a hardcoded IV which renders the cipher vulnerable to chosen plaintext attacks. The package is deprecated and will not be updated. Consider using an alternative package.
Versions of bin-links are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent globally-installed binaries to be overwritten by other package installs. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This behavior is still allowed in local installations.
Bundler uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function. For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception: curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')" Recommendation …
Versions of @commercial/ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exist, allowing an attacker …
All versions of treekill are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems. Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of tree-kill prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems. Recommendation Upgrade to version 1.2.2 or later.
Versions of strapi before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the /admin/plugins/install/ route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server. Recommendation Upgrade to version 3.0.0-beta.17.8 or later
The package bestzip is vulnerable to Command Injection via the options param.
GNOME project libxml2 has a global Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
libxml2 has a global Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
All versions of express-laravel-passport are vulnerable to an Authentication Bypass. The package fails to properly validate JWTs, allowing attackers to send HTTP requests impersonating other users. Upgrade to or later.
Versions of bin-links are vulnerable to an Arbitrary File Write. The package fails to restrict access to folders outside of the intended node_modules folder through the bin field. This allows attackers to create arbitrary files in the system. Note it is not possible to overwrite files that already exist. ## Recommendation
All versions of larvitbase-www are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to an require() call. This allows attackers to execute any .js file in the same folder as the server is running. No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of zencashjs may cause loss of funds when used with cryptocurrency wallets. The package relies on a string comparison of the first two characters of a Horizen address to determine the destination address type of a transaction (P2PKH or P2SH). Due to the base58 address prefixes chosen in Horizen there exists the possibility of a clash of address prefixes for testnet P2PKH and mainnet P2SH addresses, testnet P2PKH addresses …
Versions of node-git-server are vulnerable to Unauthorized File Access. It is possible to access any git repository by using absolute paths, which may allow attackers to access private repositories. Upgrade to or later.
Versions of sails-mysql are vulnerable to SQL Injection. The sort keyword is not properly sanitized and may allow attackers to inject SQL statements and execute arbitrary SQL queries
The uppy npm package is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external network or otherwise interact with internal systems.
All versions of put are vulnerable to Uninitialized Memory Exposure. The package incorrectly calculates the allocated Buffer size and does not trim the bytes written, which may allow attackers to access uninitialized memory containing sensitive data. This vulnerability only affects versions of Node.js Upgrade your Node.js version or consider using an alternative package.
Versions of ibm_db prior to 2.6.0 are vulnerable to Sensitive Data Exposure. The package printed database credentials in plaintext in logs while in debug mode. Recommendation Upgrade to version 2.6.0 or later and ensure sensitive information was not logged.
Versions of showdown are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.
Versions of quill prior to 1.3.7 are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks. Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.
Relative Path Traversal in swagger-injector.
Relative Path Traversal in file-static-server.
Relative Path Traversal in sapper.
Relative Path Traversal in restify-swagger-jsdoc.
Relative Path Traversal in ponse.
Relative Path Traversal in public.
Relative Path Traversal in f-serv.
Relative Path Traversal in zero.
Relative Path Traversal in bruteser.
Relative Path Traversal in @wturyn/swagger-injector.
All versions of sql-injection are vulnerable to Regular Expression Denial of Service. The package processes a request's body with regular expressions that may take exponentially longer to execute for large inputs. No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of simple-markdown prior to 0.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS). The SimpleMarkdown.defaultInlineParse() function has significantly degraded performance when parsing inline code blocks. Recommendation Upgrade to version 0.5.2 or later.
Affected versions of marked are vulnerable to Regular Expression Denial of Service (ReDoS). The _label subrule may significantly degrade parsing performance of malformed input. Recommendation Upgrade to version 0.7.0 or later.
All versions of subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed. ## Recommendation This package …
Affected versions of mithrilare vulnerable to prototype pollution. The function parseQueryString may allow a malicious user to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. A payload such as proto%5BtoString%5D=123 in the query string would change the toString() function to 123. If you are using mithril, upgrade to or later. If you are using mithril, upgrade to or …
Versions of lodash.mergewith are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of lodash.mergewith are vulnerable to Prototype Pollution. The function 'mergeWith' may allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of lodash.merge are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of lodash.merge are vulnerable to prototype pollution. The function merge may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of lodash.defaultsdeep are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of lodash.defaultsdeep are vulnerable to Prototype Pollution. The function 'defaultsDeep' may allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of @hapi/subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.
Versions of @commercial/subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.
Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation Update to version 2.92.0 or later.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of anarchy contain malicious code. The package ran rm - rf / as an install script. Remove the package from your environment.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of superhappyfuntime contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
All versions of maybemaliciouspackage contain malicious code. The package prints the system's SSH keys to the console as a postinstall script. ## Recommendation Remove the package from your environment. There are no further signs of compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
of load-from-cwd-or-npm contains malicious code. The malware breaks functionality of the purescript-installer package by injecting targeted code. ## Recommendation There is no indication of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of cage-js contains malicious code. The malware downloads and runs a script from a remote server as a postinstall script. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of comander contains malicious code . The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of sj-tw-test-security contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
All versions of sdfjghlkfjdshlkjdhsfg contain malicious code. The package is essentially a worm that fetches all packages owned by the user, adds a script to self-replicate as a preinstall script and publishes a new version. ## Recommendation Remove the package from your environment and ensure all packages owned were not impacted.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of discord.js-user contain malicious code. The package uploads the user's Discord token to a remote server. Remove the package from your environment. Ensure any compromised tokens are invalidated.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of nodes.js contain malicious code. The package searches and installs globally thousands of packages based on keywords node, react, react-native, vue, angular and babel to fill the system's memory. Remove the package from your environment and validate what packages are installed.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of malicious-do-not-install contain malicious code. The package copies the contents of /etc/passwd and /etc/shadow to files in the local /tmp/ folder. Remove the package from your environment and rotate affected credentials.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of owl-orchard-apple-sunshine contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. ## Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of only-test-not-install contain malicious code. The package deletes the folder ~/test from the system as a postinstall script. ## Recommendation Remove the package from your environment. There are no further signs of compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
of 8.9.4 contain malicious code as a preinstall script. The package reads the system's SSH keys but does not upload it to a remote server. Remove the package from your environment. There is no evidence of further compromise at the moment.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …