All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of maleficent contain malicious code. The package is a demonstration of possible risks when installing npm packages. It gathers system information such as: environment variables, OS information, network interface, AWS credentials, npm credentials and ssh keys. The package prints the information to a local file but does not upload it to a remote server. Remove the package from your environment. There is no further compromise.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of sj-tw-sec contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of my-very-own-package contain malicious code. The package sends the output of process.versions, process.arch and process.platform to a remote server in a postinstall script. Remove the package from your environment. There are no further signs of compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of sj-tw-abc contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of arsenic-tabasco-cyborg-peanut-butter contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of deasyncp contain malicious code. The package shuts down the machine upon installation as a preinstall script. Remove the package from your environment. There is no further compromise.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
of rate-map contains malicious code. The malware breaks functionality of the purescript-installer package by rewriting code of the dl-tar dependency. ## Recommendation There is no indication of further compromise.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
of pizza-pasta contains malicious code as a install scripts. The package created folders in the system's Desktop and downloaded an image from imgur.com. The package also printed the users SSH keys to the console. Remove the package from your environment. There are no evidences of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of fast-requests contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
of harmlesspackage contains malicious code as a postinstall script. The package printed a message to the console and performed a GET request to a remote server. Remove the package from your environment. There is no evidence of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of evil-package contain malicious code. The package uploads the contents of process.env to example.com/log. Remove the package from your environment. Given the host where the information was uploaded to there is no further indication of compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
of leetlog contain malicious code. The package adds an arbitrary hardcoded SSH key identified as hacker@evilmachine to the system's authorized_keys ## Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
Affected versions of airtable are vulnerable to Machine-In-The-Middle. The package has SSL certificate validation disabled by default unintentionally. This may allow attackers in a privileged network position to decrypt intercepted traffic.
All versions of domokeeper are vulnerable to Local File Inclusion. The /plugin/ route passes a GET parameter unsanitized to a require() call. It then returns the output of require() in the server response. This may allow attackers to load unintended code in the application. It also allows attackers to exfiltrate information in .json files. No fix is currently available. Consider using an alternative package until a fix is made available.
The package grunt is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.`
Versions of simple-crypto-js use AES-CBC with PKCS#7 padding, which is vulnerable to padding oracle attacks. This may allow attackers to break the encryption and access sensitive data.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in local-devices.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in secure_identity_login_module.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bmap.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in cal_rd.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in sailclothjs.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in qingting.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in require-node.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in priest-runner.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in mx-nested-menu.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in notevil.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in uploader-plugin.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pullit.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in cicada-render.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @fangrong/xoc.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in zemen.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in tiar.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in node-wifi.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in safer-eval.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in iie-viz.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in libubx.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in json-serializer.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in diamond-clien.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ember_cli_babe.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rpc-websocket.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in hsf-clients.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in alipayjsapi.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ngx-pica.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in alico.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in node-buc.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in smartsearchwp.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ali-contributors.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in marsdb.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in safe-eval.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in device-mqtt.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ngx-context-menu.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pyramid-proportion.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in require-port.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in leaflet-gpx.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in river-mock.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ngx-md.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in uglyfi.js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in luna-mock.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in log-symboles.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jquery-airload.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in node-rules.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in appx-compiler.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pm-controls.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jekyll-for-github-projects.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in slush-fullstack-framework.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in antd-cloud.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in midway-xtpl.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in m-backdoor.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in yeoman-genrator.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ali-contributor.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in retcodelog.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in midway-dataproxy.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in radicjs.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in hpmm.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pensi-scheduler.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bb-builder.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in vue-backbone.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hexo-admin.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @toast-ui/editor.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in htmr.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dmn-js-properties-panel.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in snekserve.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in graylog-web-interface.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in takeapeek.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @ionic/core.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cmmn-js-properties-panel.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bleach.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bpmn-js-properties-panel.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dompurify.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bootstrap-select.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @berslucas/liljs.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in console-feed.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jquery.json-viewer.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in eco.
Improper Neutralization in @hapi/accept.
Improper Neutralization in subtext.
Improper Neutralization in @commercial/subtext.
Improper Neutralization in subtext.
Improper Neutralization in @hapi/subtext.
Improper Neutralization in @hapi/subtext.
Improper Neutralization in @commercial/subtext.
All versions of react-oauth-flow fail to properly implement the OAuth protocol. The package stores secrets in the front-end code. Instead of using a public OAuth client, it uses a confidential client on the browser. This may allow attackers to compromise server credentials. No fix is currently available. Consider using an alternative module until a fix is made available.
Affected versions of @sap-cloud-sdk/core do not properly validate JWTs. The verifyJwt() function does not properly validate the URL from where the public verification key for the JWT can be downloaded. Any URL was trusted which makes it possible to provide a URL belonging to a manipulated JWT. Upgrade to or later.
All versions of marky-markdown are vulnerable to HTML Injection. The package fails to sanitize style attributes in img tags of the markdown input. This may allow attackers to affect the size of images in the rendered HTML. ## Recommendation This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown
All versions of marky-markdown are vulnerable to HTML Injection due to a validation bypass. The package only allows iframes where the source is youtube.com but it is possible to bypass the validation with sources where youtube.com is the sub-domain, such as youtube.com.evil.co. This This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown
Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process. The following proof-of-concept crashes the Node process: const Sequelize = require('sequelize'); const sequelize …
Versions of mongodb are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application. Upgrade to or later.
Versions of http-live-simulator prior to 1.0.8 are vulnerable to Denial of Service. The package fails to catch an exception that causes the Node process to crash, effectively shutting down the server. This allows an attacker to send an HTTP request that crashes the server. Recommendation Upgrade to version 1.0.8 or later.
All Versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services. Recommendation This package is deprecated and is now maintained as @hapi/hapi. Please update your dependencies to use @hapi/hapi.
Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service. Recommendation Upgrade to version 4.4.5 or later.
Versions of grpc-ts-health-check are vulnerable to Denial of Service. The package exposes an API endpoint that may allow attackers to set the service's health status to failing. This can lead to Denial of Service as Kubernetes blocks traffic to services with a failing status. Upgrade to or later.
Versions of express-fileupload prior to 1.1.6-alpha.6 is vulnerable to Denial of Service. The package causes server responses to be delayed (up to 30s in internal testing) if the request contains a large filename of . characters.
Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust system memory. Recommendation Upgrade to version 2.97.1 or later.
All versions of ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exist, allowing an …
Versions of @hapi/hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.
Versions of @hapi/ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exist, allowing an attacker …
Affected versions of @commercial/hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.
All versions of mavon-editor are vulnerable to Cross-Site Scripting. The package fails to sanitize entered input, allowing attackers to execute arbitrary JavaScript in a victim's browser. No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of markdown-to-jsx are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload. Upgrade to or later.
Versions of lazysizes prior to 5.2.1-rc1 are vulnerable to Cross-Site Scripting. The video-embed plugin fails to sanitize the following attributes: data-vimeo, data-vimeoparams, data-youtube and data-ytparams. This allows attackers to execute arbitrary JavaScript in a victim's browser if the attacker has control over the vulnerable attributes. Recommendation Upgrade to version 5.2.1-rc1 or later.
The Advanced Reports module for SilverStripe is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code. This affects admin/advanced-reports/DataObjectReport/EditForm/field/DataObjectReport/item (report preview) when an SVG document is provided in the Description parameter.
Versions of helmet-csp before to are vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting. Upgrade to or later. Setting the browserSniff configuration to false in vulnerable versions also mitigates the issue.
All versions of expressfs are vulnerable to Command Injection. expressfs.cp, expressfs.create and expressfs.rmdir. No fix is currently available. Consider using an alternative module until a fix is made available.
Versions of addax are vulnerable to Command Injection. The package does not validate user input on the presignPath function which receives input directly from the API endpoint. Exploiting the vulnerability requires authentication. This may allow attackers to run arbitrary commands in the system. Upgrade to or later.
Affected versions of node-weakauras-parser are vulnerable to a Buffer Overflow. The encode_weakaura function fails to properly validate the input size. A buffer of bytes causes an overflow on systems. Upgrade to or later.
Versions of graphql-shield are vulnerable to an Authorization Bypass. The rule caching option no_cache relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should not have access to in case of a key collision.
Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely. Recommendation Upgrade to version 2.0.5 or later.
Versions of otpauth are vulnerable to Authentication Bypass. The package's totp.validate() function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens.
Object lifetime issue in Blink in Google Chrome allowed a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.
Dolibarr allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, an .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).
Versions of glance prior to 3.0.7 are vulnerable to Unauthorized File Access. The package provides a –nodot option meant to hide files and directories with names that begin with a ., such as .git but fails to hide files inside a folder that begins with .. Recommendation Upgrade to version 3.0.7 or later.
All versions of rails-session-decoder are missing verification of the Message Authentication Code appended to the cookies. This may lead to decryption of cipher text thus exposing encrypted information. No fix is currently available. Consider using an alternative module until a fix is made available.
Versions of loopback (3.x) (2.x) are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft. If you're using loopback upgrade to or later. If you're using loopback upgrade to or later.
All versions of smart-extend are vulnerable to Prototype Pollution. The deep() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available.
All versions of jajajejejiji typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of erquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requets typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of discord_debug_log contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.
All versions of eact typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of asinc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of reqquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
The package destroyer-of-worlds contained malicious code. The package contained a bash script that was run as a postinstall script. The script deleted system files and attempted to exhaust resources by creating a large file, a fork bomb and an endless loop. The script targeted UNIX systems. Remove the package from your environment and perform additional incident response on your system's files and processes.
All versions of rqeuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of rrgod are considered malicious. The package is malware designed to run arbitrary scripts. When installed, the package downloads an arbitrary file and executes its contents as a pre, post and install scripts. This package is not available on the npm Registry anymore. If you happen to find this package in your environment you should consider the system it was installed on compromised and assess if further response …
All versions of aasync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of asycn typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of portionfatty12 are considered malicious. The package is malware designed to steal user's data. When installed it uploads the user's public SSH keys to a remote server. This package is not available on the npm Registry anymore. If you happen to find this package in your environment you should consider the system it was installed on compromised and assess if further response (such as rotating all credentials found …
All versions of asyync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of reequest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of reqest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of asymc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of rrequest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of carloprojectdiscord contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.
All versions of requesst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of calk typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of commnader typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of momen typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requset typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
of font-scrubber contains malicious code as a postinstall script. The package attempts to upload sensitive files from the system to a remote server. The files include configuration files, command history logs, SSH keys and /etc/passwd. ## Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should …
All versions of whiteproject contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.
The package donotinstallthis contained malicious code. The package contained a script that was run as part of the install script. The script contacted a remote service tracking how many installations were done. There is no further compromise. Remove the package from your environment.
All versions of asnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of experss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of asnyc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of chak typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of exprss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of aysnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requeest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of reques typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requestt typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of carloprojectlesang contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.
of stream-combine has malicious code design to steal credentials and credit card information.This package is not available on the npm Registry anymore. If you used this module and your application processed credentials or credit card information, it is possible that information was stolen.
All versions of 4equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of saync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requet typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of wepack-cli typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
of rimrafall contains malicious code as a preinstall script. The package attempts to remove all files in the system's root folder. If you installed this package it is likely your machine was erased. If not, remove the package from your system and verify if any files were deleted.
All versions of asynnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
Versions of graphql-code-generator have an Insecure Default Configuration. The packages sets NODE_TLS_REJECT_UNAUTHORIZED to 0, disabling certificate verification for the entire project. This results in Insecure Communication for the process.
A Lucky timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length.
The sf_event_mgt (aka Event management and registration) extension before 4.3.1 and 5.x before 5.1.1 for TYPO3 allows Information Disclosure (participant data, and event data via email) because of Broken Access Control.
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in static-eval.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in value-censorship.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in kraken-api.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in froever.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in wangeditor.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in yeoman-genrator.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in sandbox.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in colour-string.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in require-ports.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in tomato.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in commander-js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in browserift.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in colro-name.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bowee.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bestzip.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pomelo-monitor.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pi_video_recording.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in logsymbles.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in tensorplow.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in office-converter.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jqeury.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in hulp.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in loopback-connector-mongodb.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in cocos-utils.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in uglyfi-js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bowe.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jquerz.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in express-cart.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ag-grid-community.
Improper Neutralization in semantic-ui-search.
Improper Neutralization in mermaid.
Improper Neutralization in fomantic-ui.
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
Vulnerable versions of loopback may allow attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target's userId. This will allow the attacker to access the user's data and their privileges. For loopback, upgrade to or later For loopback, upgrade to or later
Versions of googleapis are vulnerable to Improper Authorization. Setting credentials to one client may apply to all clients which may cause requests to be sent with the incorrect credentials.
Versions of preact on prerelease tags alpha and beta are vulnerable to HTML Injection. Due to insufficient input validation the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires user input parsed with JSON.parse() to be passed directly into JSX without sanitization. Upgrade to .
Versions of serialize-to-js prior to 2.0.0 are vulnerable to Denial of Service. User input is not properly validated, allowing attackers to provide inputs that lead the execution to loop indefinitely. Recommendation Upgrade to version 2.0.0 or later.
Versions of ipfs-bitswap are vulnerable to Denial of Service (DoS). The package put unwanted blocks in the blockstore, which could be used to exhaust system resources in specific conditions. Upgrade to or later.
All version of jquery-mobile are vulnerable to Cross-Site Scripting. The package checks for content in location.hash and if a URL is found it does an XmlHttpRequest (XHR) to the URL and renders the response with innerHTML. It fails to validate the Content-Type of the response, allowing attackers to include malicious payloads as part of query parameters that are reflected back to the user. A response such as {"q":"<iframe/src='javascript:alert(1)'></iframe>","results":[]} would be …
Versions of google-closure-library prior to 20190301.0.0 are vulnerable to Cross-Site Scripting. The safedomtreeprocessor.processToString() function improperly processed empty elements, which could allow attackers to execute arbitrary JavaScript through Mutation Cross-Site Scripting. Recommendation Upgrade to version 20190301.0.0 or later.
All versions of buttle are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, buttle does not sanitize the HTML output allowing attackers to run arbitrary JavaScript when processing malicious markdown files. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available.
Versions of bootstrap-vue are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization, components may be vulnerable to Cross-Site Scripting through the options variable. This may lead to the execution of malicious JavaScript on the user's browser.
Ignite Realtime Openfire has a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameters searchName, searchValue, searchDescription, searchDefaultValue, searchPlugin, searchDescription and searchDynamic in the Server Properties and Security Audit Viewer JSP page.
In Ignite Realtime Openfire, a stored cross-site scripting vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameters searchName and alias in the import certificate trusted page.
A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request searchName, searchValue, searchDescription, searchDefaultValue,searchPlugin, searchDescription and searchDynamic in server-properties.jsp and security-audit-viewer.jsp
Vulnerable versions of decompress-zip are affected by the Zip-Slip vulnerability, an arbitrary file write vulnerability. The vulnerability occurs because decompress-zip does not verify that extracted files do not resolve to targets outside of the extraction root directory. For decompress-zip upgrade to or later. For decompress-zip upgrade to or later.
Affected versions of rendr are vulnerable to cross-site scripting when client side rendering is done inside a _block. Server side rendering is not affected and is properly escaped. Recommendation Update to version 1.1.4 or later.
When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).
Affected versions of sequelize are vulnerable to SQL Injection in Models that have fields with the GEOMETRY DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using ST_GeomFromGeoJSON, and MySQL GeoJSON documents using GeomFromText. Recommendation Update to version 3.23.6 or later.
Affected versions of node-krb5 do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials. Recommendation It appears that this will remain unfixed indefinitely, as the Github issue for this vulnerability has been open since 2015, with no work on it since then. At this time, the best available …
Affected versions of hooka-tools were compromised and modified to silently run a cryptocoin miner in the background. All affected versions have been unpublished from the npm registry. Recommendation While this module has been unpublished, some versions may exist in mirrors or caches. Do not install this module, and remove it if found.
Versions of openwhisk before 3.3.1 are vulnerable to remote memory exposure. When a number is passed to api_key, affected versions of openwhisk allocate an uninitialized buffer and send that over network in Authorization header (base64-encoded). Proof of concept: var openwhisk = require('openwhisk'); var options = { apihost: '127.0.0.1:1433', api_key: USERSUPPLIEDINPUT // number }; var ow = openwhisk(options); ow.actions.invoke({actionName: 'sample'}).then(result => console.log(result)) Recommendation Update to version 3.3.1 or later.
Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure. Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database. Recommendation Update to version 4.3.6, 3.8.39 or later.
Relative Path Traversal in express-cart.
Affected versions of redis-commander contain a cross-site scripting vulnerability in the highlighterId paramter of the clipboard.swf component on hosts serving Redis Commander.
All versions of merge-objects are vulnerable to Prototype Pollution. ## Recommendation No fix is available for this vulnerability at this time. It is our recommendation to use an alternative package.
This affects all versions of package github.com/u-root/u-root/pkg/cpio. It is vulnerable to leading, non-leading relative path traversal attacks and symlink based (relative and absolute) path traversal attacks in cpio file extraction.
This affects all versions of package github.com/u-root/u-root/pkg/uzip. It is vulnerable to both leading and non-leading relative path traversal attacks in zip file extraction.
The package github.com/u-root/u-root/pkg/tarutil is vulnerable to both leading and non-leading relative path traversal attacks in tar file extraction.
Versions of njwt are vulnerable to out-of-bounds reads when a number is passed into the base64urlEncode function. On Node.js or lower this can expose sensitive information and on any other version of Node.js this creates a Denial of Service vulnerability.
Versions of base64url are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js. ## Recommendation Update to or later.
Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection. The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators. These operators can be used to extract the value of the field blindly in the same manner of …
Jenkins Team Foundation Server Plugin stores a webhook secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
Jenkins SoapUI Pro Functional Testing Plugin stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.
The Jenkins Parameterized Remote Trigger Plugin stores a secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
A missing permission check in the Jenkins database plugin allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified credentials.
nothing-js contained a malicious script that attempted to delete all files when npm test was run. This module has been unpublished from the npm Registry. If you find this module in your environment remove it.
All versions of boogeyman are considered malicious. This particular package would download a payload from pastebin.com, eval it to read ssh keys and the users .npmrc and send them to a private pastebin account. This package was published to the npm Registry for a very short period of time. If you happen to find it in your environment you should revoke and rotate your ssh keys and your npm token.
of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the users .npmrc file and send any found authentication tokens to a remote server. The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens
of eslint-config-airbnb-standard was published with a bundled version of eslint-scope that was found to contain malicious code. This code would read the users .npmrc file and send it's contents to a remote server. The best course of action if you found this package installed in your environment is to revoke all your npm tokens and use a different version of the module. You can find instructions on how to do …
ladder-text-js contained a malicious script that attempted to delete all files when npm test was run. This module has been unpublished from the npm Registry. If you find this module in your environment remove it.
Affected versions of ezseed-transmission download and run a script over an HTTP connection. An attacker in a privileged network position could launch a Man-in-the-Middle attack and intercept the script, replacing it with malicious code, completely compromising the system running ezseed-transmission. Recommendation Update to version 0.0.15 or later.
An issue was discovered in Django (when Python + is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.
An issue was discovered in Django (when Python + is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.
The Jenkins Klocwork Analysis Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
The Jenkins Valgrind Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with mysql.escape() which could lead to SQL Injection.
apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in s3asy.
node-air-sdk is an AIR SDK for nodejs. node-air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in soket.io.
windows-latestchromedriver downloads the latest version of chromedriver.exe. windows-latestchromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in dictum.js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in getcookies.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in css_transform_step.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in foever.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coffee-project.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ascii-art.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in xoc.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in angular-bmap.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @impala/bmap.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in css_transform_support.
The npm-test-sqlite3-trunk module provides asynchronous, non-blocking SQLite3 bindings. npm-test-sqlite3-trunk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in awesome_react_utility.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in json-serializer.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in react-server-native.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in dynamo-schema.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in cordova-plugin-china-picker.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in oauth-validator.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jasmin.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in angular-material-sidenav-rnd.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nginxbeautifier.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in freshdom.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pidusage.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in dossier.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in another-date-picker.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in modlibrary.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rc-calendar-jhorst.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in impala.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in flatmap-stream.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in simple-alipay.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in axois.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in blingjs.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in codify.
pm2-kafka is a PM2 module that installs and runs a kafka server pm2-kafka downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
roslib-socketio - The standard ROS Javascript Library fork for add support to socket.io roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in regenraotr.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in react-dates-sc.
apk-parser3 is a module to extract Android Manifest info from an APK file. apk-parser3 versions before 0.1.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in soket.js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in regenrator.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in another-date-range-picker.
Cross-site scripting (XSS) vulnerability in dijit.Editor in Dojo before 1.1 allows remote attackers to inject arbitrary web script or HTML via XML entities in a TEXTAREA element.
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mrk.js.
Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in react-marked-markdown.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in md-data-table.
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jingo.
Improper Neutralization in buefy.
The promisehelpers package is vulnerable to Prototype Pollution via the insert function.
The gammautils package is vulnerable to Prototype Pollution via the deepSet and deepMerge functions.
uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb payload. This data will then inflate up to 256mb and crash the node process by exceeding V8's maximum string size. This affects uws >=0.10.0 <=0.10.8.
The confucious package is vulnerable to Prototype Pollution via the set function.
The deeps package is vulnerable to Prototype Pollution via the set function.
The safe-object2 package is vulnerable to Prototype Pollution via the setter function.
The gedi package is vulnerable to Prototype Pollution via the set function.
Improper Input Validation in personnummer.
The locutus package is vulnerable to Prototype Pollution via the php.strings.parse_str function.
The dot-notes package is vulnerable to Prototype Pollution via the create function.
The node-oojs package is vulnerable to Prototype Pollution via the setPath function.
The tiny-conf package is vulnerable to Prototype Pollution via the set function.
The arr-flatten-unflatten package is vulnerable to Prototype Pollution via the constructor.
ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.
The package node-forge is vulnerable to Prototype Pollution via the util.setPath function. Note, it is a breaking change removing the vulnerable functions.
The nodee-utils package is vulnerable to Prototype Pollution via the deepSet function.
The worksmith package is vulnerable to Prototype Pollution via the setValue function.
The deep-get-set package is vulnerable to Prototype Pollution via the main function.
MAGMI is vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the Mysql setting max_connections where the default is and is lower than Apache (or another web server) setting for MaxRequestWorkers, formerly MaxClients, where the default is This can be done by sending at least simultaneous requests to the Magento …
Affected versions of the jws package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort. Recommendation Update to version 3.0.0 or later.
A security issue was found in bittorrent-dht before 5.1.3 that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.
In Apache Cassandra, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables …
All versions of text-qrcode contain malicious code that overwrites the randomBytes method for the crypto module with a function that generates weak entropy. Instead of generating bytes, the infected randomBytes will generate 3 bytes of entropy and hash them, resulting in a byte value being returned, but one that is easily guessable. Uninstall text-qrcode immediately. If the module was used to generate entropy that is load bearing, all such instances …
adamvr-geoip-lite is a light weight native JavaScript implementation of GeoIP API from MaxMind adamvr-geoip-lite downloads geoip resources over HTTP, which leaves it vulnerable to MITM attacks. This impacts the integrity and availability of this geoip data that may alter the decisions made by an application using this data.
Affected versions of yjmyjmyjm resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …
Affected versions of wenluhong1 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …
Affected versions of nodeload-nmickuli resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …
Affected versions of featurebook resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. The featurebook package is not intended to be run in production code nor to be exposed to an untrusted network. Proof of Concept GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo …
The @vivaxy/here module is a small web server that serves files with the process' working directory acting as the web root. It is vulnerable to a directory traversal attack. This means that files on the local file system which exist outside of the web root may be disclosed to an attacker. This might include confidential files. Mitigating Factors: If the node process is run as a user with very limited …
Versions of yar prior to 2.2.0 are affected by a denial of service vulnerability related to an invalid encrypted session cookie value. When an invalid encryped session cookie value is provided, the process will crash. Recommendation Update to version 2.2.0 or later.
Affected versions of mqtt will cause the node process to crash when receiving specially crafted MQTT packets, making the application vulnerable to a denial of service condition. Recommendation Update to v1.0.0 or later
All versions of markdown-it-toc-and-anchor are vulnerable to Denial of Service. Parsing markdown containing text+@[toc] causes the application to enter and infinite loop. No fix is currently available. Consider using an alternative module until a fix is made available.
Affected versions of swagger-ui are vulnerable to cross-site scripting in both the consumes and produces parameters of the swagger JSON document for a given API. Additionally, swagger-ui allows users to load arbitrary swagger JSON documents via the query string parameter url, allowing an attacker to exploit this attack against any user that the attacker can convince to visit a crafted link. Proof of Concept http://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json Recommendation Update to version 2.2.1 …
Affected versions of swagger-ui are vulnerable to cross-site scripting via the url query string parameter. Recommendation Update to 2.2.1 or later.
Affected versions of swagger-ui are vulnerable to cross-site scripting. This vulnerability exists because swagger-ui automatically executes external Javascript that is loaded in via the url query string parameter when a Content-Type: application/javascript header is included. An attacker can create a server that replies with a malicious script and the proper content-type, and then craft a swagger-ui URL that includes the location to their server/script in the url query string parameter. …
Affected versions of fuelux contain a cross-site scripting vulnerability in the Pillbox feature. By supplying a script as a value for a new pillbox, it is possible to cause arbitrary script execution. Recommendation Update to version 3.15.7 or later.
Affected versions of emojione are vulnerable to cross-site scripting when user input is passed into the toShort(), shortnameToImage(), unicodeToImage(), and toImage() functions. Recommendation Update to version 1.3.1 or later.
Affected versions of c3 are vulnerable to cross-site scripting via improper sanitization of HTML in rendered tooltips. Recommendation Update to 0.4.11 or later.
All versions of bootstrap-tagsinput are vulnerable to cross-site scripting when user input is passed into the itemTitle parameter unmodified, as the package fails to properly sanitize or encode user input for that parameter. Recommendation This package is not actively maintained, and has not seen an update since 2015. Because of this, the simplest mitigation is to avoid using the itemTitle parameter. With over 200 open issues and over 100 open …
Affected versions of pivottable are vulnerable to cross-site scripting, due to a new mechanism used to render JSON elements. Recommendation Update to version 2.0.0 or later.
Jenkins JSGames Plugin evaluates part of a URL as code, resulting in a reflected cross-site scripting (XSS) vulnerability.
Jenkins Cadence vManager Plugin does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
The Jenkins Valgrind Plugin does not escape content in Valgrind XML reports, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents.
Jenkins Git Parameter Plug does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins Build Failure Analyzer Plugin does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.
MAGMI is vulnerable to CSRF due to the lack of anti-CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin allows attackers to execute arbitrary SQL scripts.
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin allows attackers to connect to an attacker-specified database server using attacker-specified credentials.
Versions of samsung-remote are vulnerable to command injection. This vulnerability is exploitable if user input is passed into the ip option of the package constructor. Update to or later.
Jenkins SoapUI Pro Functional Testing Plugin transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.
The Jenkins SoapUI Pro Functional Testing Plugin transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.
Versions of serve before 6.5.2 are vulnerable to the bypass of the ignore functionality. The bypass is possible because validation happens before canonicalization of paths and filenames. Example: Here we have a server that ignores the file test.txt. const serve = require('serve') const server = serve(__dirname, { port: 1337, ignore: ['test.txt'] }) Using the URL encoded form of a letter (%65 instead of e) attacker can bypass the ignore control …
ep_imageconvert is a plugin for Etherpad Lite. ep_imageconvert <= 0.0.2 is vulnerable to remote command injection. Authentication is not required for remote exploitation. Recommendation Update to version 0.0.3 or greater.
Versions of validator prior to 3.22.1 are affected by a regular expression denial of service vulnerability in the isURL method. Recommendation Update to version 3.22.1 or later.
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username.
scripts/email.coffee in the Hubot Scripts module before 2.4.4 for Node.js allows remote attackers to execute arbitrary commands.
node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.
Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content.
The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when showHidden is false.
Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served directory.
paypal-ipn before 3.0.0 uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production.
Dolibarr is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.
Cross-Site Request Forgery (CSRF) in jquery-ujs.
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with …
A buffer over-read vulnerability exists in bl which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
This affects the package json. It is possible to inject arbritary commands using the parseLookup function.
This advisory has been marked as a false positive.
MPXJ suffers from XXE vulnerabilities. This affects the GanttProjectReader and PhoenixReader components.
The Spinnaker template resolution functionality is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to send requests on behalf of Spinnaker potentially leading to sensitive data disclosure.
An XSS vulnerability was discovered in noVNC in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
baserCMS content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js.
baserCMS is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components is toolbar.php.
baserCMS is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The affected components are ThemeFilesController.php and UploaderFilesController.php.
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the ps bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine as well as …
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in flood.
An issue was discovered in MoscaJS Aedes lib/write.js does not properly consider exceptions during the writing of an invalid packet to a stream.
In the nodebb-plugin-blog-comments, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.
In nodebb-plugin-blog-comments, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.
In Netwide Assembler (NASM) rc10, there is heap use-after-free in saa_wbytes in nasmlib/saa.c.
GNU Bison has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated …
In Netwide Assembler (NASM), SEGV can be triggered in tok_text in asm/preproc.c by accessing READ memory.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in highcharts.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
A Cross Site Scripting vulnerability was found in Codiad. The vulnerability occurs because of improper sanitization of the folder name $path variable in components/filemanager/class.filemanager.php.
** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forgery (SSRF) vulnerability was found in Codiad v1.7.8. A user with admin privileges could use the plugin install feature to make the server request any URL via components/market/class.market.php. This could potentially result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors."
wolfSSL mishandles TLS server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS client state machine. This allows attackers in a privileged network position to completely impersonate any TLS servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers.
** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Side Request Forgery (CSRF) vulnerability was found in Codiad. The request to download a plugin from the marketplace is only available to admin users and it isn't CSRF protected in components/market/controller.php. This might cause admins to make a vulnerable request without them knowing and result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by …
TUF (aka The Update Framework) allows Uncontrolled Resource Consumption.
An RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specifically crafted usernames to inject code into the Trivia module leaderboard command. By abusing this exploit it is possible to perform destructive actions and/or access sensitive information.
TUF (aka The Update Framework) has Improper Verification of a Cryptographic Signature.
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates.
The Management Console in WSO2 API Manager allows XML External Entity injection (XXE) attacks.
The Management Console in WSO2 API Manager allows XML Entity Expansion attacks.
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates.
Dolibarr CRM allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which disabled is changed to enabled in the HTML source code.
This affects all versions of package safe-eval. It is possible for an attacker to run an arbitrary command on the host machine.
wolfSSL mishandles the change_cipher_spec (CCS) message processing logic for TLS If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service.
An issue was discovered in the DTLS handshake implementation in wolfSSL. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application.
An issue was discovered in wolfSSL when single precision is not employed. signing with a private key).
Red Discord Bot has a Remote Code Execution vulnerability in the Streams module. This exploit allows Discord users with specifically crafted "going live" messages to inject code into the Streams module's going live message. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information. As a workaround, unloading the Trivia module with unload streams can render this exploit not accessible.
In SyliusResourceBundle request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.
In SyliusResourceBundle request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.
Magento allows attackers to circumvent the fromkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks.
This advisory has been marked as a false positive.
HashiCorp vault-ssh-helper up to and including version incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host's network interface was located, rather than the specific IP address assigned to that interface.