Advisories

Sep 2020

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

of leetlog contain malicious code. The package adds an arbitrary hardcoded SSH key identified as hacker@evilmachine to the system's authorized_keys ## Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …

Machine-In-The-Middle in airtable

Affected versions of airtable are vulnerable to Machine-In-The-Middle. The package has SSL certificate validation disabled by default unintentionally. This may allow attackers in a privileged network position to decrypt intercepted traffic.

Local File Inclusion in domokeeper

All versions of domokeeper are vulnerable to Local File Inclusion. The /plugin/ route passes a GET parameter unsanitized to a require() call. It then returns the output of require() in the server response. This may allow attackers to load unintended code in the application. It also allows attackers to exfiltrate information in .json files. No fix is currently available. Consider using an alternative package until a fix is made available.

Improper Authorization in react-oauth-flow

All versions of react-oauth-flow fail to properly implement the OAuth protocol. The package stores secrets in the front-end code. Instead of using a public OAuth client, it uses a confidential client on the browser. This may allow attackers to compromise server credentials. No fix is currently available. Consider using an alternative module until a fix is made available.

Improper Authorization in @sap-cloud-sdk/core

Affected versions of @sap-cloud-sdk/core do not properly validate JWTs. The verifyJwt() function does not properly validate the URL from where the public verification key for the JWT can be downloaded. Any URL was trusted which makes it possible to provide a URL belonging to a manipulated JWT. Upgrade to or later.

HTML Injection in marky-markdown

All versions of marky-markdown are vulnerable to HTML Injection. The package fails to sanitize style attributes in img tags of the markdown input. This may allow attackers to affect the size of images in the rendered HTML. ## Recommendation This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown

HTML Injection in marky-markdown

All versions of marky-markdown are vulnerable to HTML Injection due to a validation bypass. The package only allows iframes where the source is youtube.com but it is possible to bypass the validation with sources where youtube.com is the sub-domain, such as youtube.com.evil.co. This This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown

Denial of Service in sequelize

Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process. The following proof-of-concept crashes the Node process: const Sequelize = require('sequelize'); const sequelize …

Denial of Service in mongodb

Versions of mongodb are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application. Upgrade to or later.

Denial of Service in http-live-simulator

Versions of http-live-simulator prior to 1.0.8 are vulnerable to Denial of Service. The package fails to catch an exception that causes the Node process to crash, effectively shutting down the server. This allows an attacker to send an HTTP request that crashes the server. Recommendation Upgrade to version 1.0.8 or later.

Denial of Service in hapi

All Versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services. Recommendation This package is deprecated and is now maintained as @hapi/hapi. Please update your dependencies to use @hapi/hapi.

Denial of Service in handlebars

Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service. Recommendation Upgrade to version 4.4.5 or later.

Denial of Service in grpc-ts-health-check

Versions of grpc-ts-health-check are vulnerable to Denial of Service. The package exposes an API endpoint that may allow attackers to set the service's health status to failing. This can lead to Denial of Service as Kubernetes blocks traffic to services with a failing status. Upgrade to or later.

Denial of Service in apostrophe

Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust system memory. Recommendation Upgrade to version 2.97.1 or later.

Denial of Service in ammo

All versions of ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exist, allowing an …

Denial of Service in @hapi/hapi

Versions of @hapi/hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.

Denial of Service in @hapi/ammo

Versions of @hapi/ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exist, allowing an attacker …

Denial of Service in @commercial/hapi

Affected versions of @commercial/hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.

Cross-Site Scripting in mavon-editor

All versions of mavon-editor are vulnerable to Cross-Site Scripting. The package fails to sanitize entered input, allowing attackers to execute arbitrary JavaScript in a victim's browser. No fix is currently available. Consider using an alternative package until a fix is made available.

Cross-Site Scripting in markdown-to-jsx

Versions of markdown-to-jsx are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload. Upgrade to or later.

Cross-Site Scripting in lazysizes

Versions of lazysizes prior to 5.2.1-rc1 are vulnerable to Cross-Site Scripting. The video-embed plugin fails to sanitize the following attributes: data-vimeo, data-vimeoparams, data-youtube and data-ytparams. This allows attackers to execute arbitrary JavaScript in a victim's browser if the attacker has control over the vulnerable attributes. Recommendation Upgrade to version 5.2.1-rc1 or later.

Cross-site Scripting

The Advanced Reports module for SilverStripe is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code. This affects admin/advanced-reports/DataObjectReport/EditForm/field/DataObjectReport/item (report preview) when an SVG document is provided in the Description parameter.

Configuration Override in helmet-csp

Versions of helmet-csp before to are vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting. Upgrade to or later. Setting the browserSniff configuration to false in vulnerable versions also mitigates the issue.

Command Injection in expressfs

All versions of expressfs are vulnerable to Command Injection. expressfs.cp, expressfs.create and expressfs.rmdir. No fix is currently available. Consider using an alternative module until a fix is made available.

Command Injection in addax

Versions of addax are vulnerable to Command Injection. The package does not validate user input on the presignPath function which receives input directly from the API endpoint. Exploiting the vulnerability requires authentication. This may allow attackers to run arbitrary commands in the system. Upgrade to or later.

Authorization Bypass in graphql-shield

Versions of graphql-shield are vulnerable to an Authorization Bypass. The rule caching option no_cache relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should not have access to in case of a key collision.

Authentication Bypass in saml2-js

Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely. Recommendation Upgrade to version 2.0.5 or later.

Authentication Bypass in otpauth

Versions of otpauth are vulnerable to Authentication Bypass. The package's totp.validate() function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens.

Use After Free

Object lifetime issue in Blink in Google Chrome allowed a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.

Unrestricted Upload of File with Dangerous Type

Dolibarr allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, an .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).

Unauthorized File Access in glance

Versions of glance prior to 3.0.7 are vulnerable to Unauthorized File Access. The package provides a –nodot option meant to hide files and directories with names that begin with a ., such as .git but fails to hide files inside a folder that begins with .. Recommendation Upgrade to version 3.0.7 or later.

Sensitive Data Exposure in loopback

Versions of loopback (3.x) (2.x) are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft. If you're using loopback upgrade to or later. If you're using loopback upgrade to or later.

Prototype Pollution in smart-extend

All versions of smart-extend are vulnerable to Prototype Pollution. The deep() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available.

Malicious Package

All versions of jajajejejiji typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of erquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requets typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of discord_debug_log contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.

Malicious Package

All versions of eact typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of asinc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of reqquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

The package destroyer-of-worlds contained malicious code. The package contained a bash script that was run as a postinstall script. The script deleted system files and attempted to exhaust resources by creating a large file, a fork bomb and an endless loop. The script targeted UNIX systems. Remove the package from your environment and perform additional incident response on your system's files and processes.

Malicious Package

All versions of rqeuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of rrgod are considered malicious. The package is malware designed to run arbitrary scripts. When installed, the package downloads an arbitrary file and executes its contents as a pre, post and install scripts. This package is not available on the npm Registry anymore. If you happen to find this package in your environment you should consider the system it was installed on compromised and assess if further response …

Malicious Package

All versions of aasync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of asycn typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of portionfatty12 are considered malicious. The package is malware designed to steal user's data. When installed it uploads the user's public SSH keys to a remote server. This package is not available on the npm Registry anymore. If you happen to find this package in your environment you should consider the system it was installed on compromised and assess if further response (such as rotating all credentials found …

Malicious Package

All versions of asyync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of reequest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of reqest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of asymc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of rrequest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of carloprojectdiscord contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.

Malicious Package

All versions of requesst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of calk typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of commnader typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of momen typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requset typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

of font-scrubber contains malicious code as a postinstall script. The package attempts to upload sensitive files from the system to a remote server. The files include configuration files, command history logs, SSH keys and /etc/passwd. ## Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should …

Malicious Package

All versions of whiteproject contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.

Malicious Package

The package donotinstallthis contained malicious code. The package contained a script that was run as part of the install script. The script contacted a remote service tracking how many installations were done. There is no further compromise. Remove the package from your environment.

Malicious Package

All versions of asnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of experss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of asnyc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of chak typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of exprss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of aysnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requeest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of reques typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requestt typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of carloprojectlesang contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.

Malicious Package

of stream-combine has malicious code design to steal credentials and credit card information.This package is not available on the npm Registry anymore. If you used this module and your application processed credentials or credit card information, it is possible that information was stolen.

Malicious Package

All versions of 4equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of saync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requet typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of wepack-cli typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

of rimrafall contains malicious code as a preinstall script. The package attempts to remove all files in the system's root folder. If you installed this package it is likely your machine was erased. If not, remove the package from your system and verify if any files were deleted.

Malicious Package

All versions of asynnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Information Exposure Through Discrepancy

A Lucky timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length.

Improper Removal of Sensitive Information Before Storage or Transfer

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …

Improper Cross-boundary Removal of Sensitive Data

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …

Improper Cross-boundary Removal of Sensitive Data

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …

Improper Cross-boundary Removal of Sensitive Data

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …

Improper Cross-boundary Removal of Sensitive Data

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …

Improper Cross-boundary Removal of Sensitive Data

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …

Improper Cross-boundary Removal of Sensitive Data

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …

Improper Authorization in loopback

Vulnerable versions of loopback may allow attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target's userId. This will allow the attacker to access the user's data and their privileges. For loopback, upgrade to or later For loopback, upgrade to or later

HTML Injection in preact

Versions of preact on prerelease tags alpha and beta are vulnerable to HTML Injection. Due to insufficient input validation the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires user input parsed with JSON.parse() to be passed directly into JSX without sanitization. Upgrade to .

Denial of Service in serialize-to-js

Versions of serialize-to-js prior to 2.0.0 are vulnerable to Denial of Service. User input is not properly validated, allowing attackers to provide inputs that lead the execution to loop indefinitely. Recommendation Upgrade to version 2.0.0 or later.

Cross-Site Scripting in jquery-mobile

All version of jquery-mobile are vulnerable to Cross-Site Scripting. The package checks for content in location.hash and if a URL is found it does an XmlHttpRequest (XHR) to the URL and renders the response with innerHTML. It fails to validate the Content-Type of the response, allowing attackers to include malicious payloads as part of query parameters that are reflected back to the user. A response such as {"q":"<iframe/src='javascript:alert(1)'></iframe>","results":[]} would be …

Cross-Site Scripting in google-closure-library

Versions of google-closure-library prior to 20190301.0.0 are vulnerable to Cross-Site Scripting. The safedomtreeprocessor.processToString() function improperly processed empty elements, which could allow attackers to execute arbitrary JavaScript through Mutation Cross-Site Scripting. Recommendation Upgrade to version 20190301.0.0 or later.

Cross-Site Scripting in buttle

All versions of buttle are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, buttle does not sanitize the HTML output allowing attackers to run arbitrary JavaScript when processing malicious markdown files. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available.

Cross-Site Scripting in bootstrap-vue

Versions of bootstrap-vue are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization, components may be vulnerable to Cross-Site Scripting through the options variable. This may lead to the execution of malicious JavaScript on the user's browser.

Cross-site Scripting

Ignite Realtime Openfire has a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameters searchName, searchValue, searchDescription, searchDefaultValue, searchPlugin, searchDescription and searchDynamic in the Server Properties and Security Audit Viewer JSP page.

Cross-site Scripting

A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request searchName, searchValue, searchDescription, searchDefaultValue,searchPlugin, searchDescription and searchDynamic in server-properties.jsp and security-audit-viewer.jsp

Arbitrary File Overwrite in decompress-zip

Vulnerable versions of decompress-zip are affected by the Zip-Slip vulnerability, an arbitrary file write vulnerability. The vulnerability occurs because decompress-zip does not verify that extracted files do not resolve to targets outside of the extraction root directory. For decompress-zip upgrade to or later. For decompress-zip upgrade to or later.

Unsafe Merging of CORS Configuration Conflict in hapi

When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).

SQL Injection via GeoJSON in sequelize

Affected versions of sequelize are vulnerable to SQL Injection in Models that have fields with the GEOMETRY DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using ST_GeomFromGeoJSON, and MySQL GeoJSON documents using GeomFromText. Recommendation Update to version 3.23.6 or later.

Spoofing attack due to unvalidated KDC in node-krb5

Affected versions of node-krb5 do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials. Recommendation It appears that this will remain unfixed indefinitely, as the Github issue for this vulnerability has been open since 2015, with no work on it since then. At this time, the best available …

Silently Runs Cryptocoin Miner in hooka-tools

Affected versions of hooka-tools were compromised and modified to silently run a cryptocoin miner in the background. All affected versions have been unpublished from the npm registry. Recommendation While this module has been unpublished, some versions may exist in mirrors or caches. Do not install this module, and remove it if found.

Remote Memory Exposure in openwhisk

Versions of openwhisk before 3.3.1 are vulnerable to remote memory exposure. When a number is passed to api_key, affected versions of openwhisk allocate an uninitialized buffer and send that over network in Authorization header (base64-encoded). Proof of concept: var openwhisk = require('openwhisk'); var options = { apihost: '127.0.0.1:1433', api_key: USERSUPPLIEDINPUT // number }; var ow = openwhisk(options); ow.actions.invoke({actionName: 'sample'}).then(result => console.log(result)) Recommendation Update to version 3.3.1 or later.

Remote Memory Exposure in mongoose

Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure. Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database. Recommendation Update to version 4.3.6, 3.8.39 or later.

Path Traversal

This affects all versions of package github.com/u-root/u-root/pkg/cpio. It is vulnerable to leading, non-leading relative path traversal attacks and symlink based (relative and absolute) path traversal attacks in cpio file extraction.

Out-of-bounds Read in njwt

Versions of njwt are vulnerable to out-of-bounds reads when a number is passed into the base64urlEncode function. On Node.js or lower this can expose sensitive information and on any other version of Node.js this creates a Denial of Service vulnerability.

NoSQL injection in express-cart

Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection. The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators. These operators can be used to extract the value of the field blindly in the same manner of …

Malicious Package

nothing-js contained a malicious script that attempted to delete all files when npm test was run. This module has been unpublished from the npm Registry. If you find this module in your environment remove it.

Malicious Package

All versions of boogeyman are considered malicious. This particular package would download a payload from pastebin.com, eval it to read ssh keys and the users .npmrc and send them to a private pastebin account. This package was published to the npm Registry for a very short period of time. If you happen to find it in your environment you should revoke and rotate your ssh keys and your npm token.

Malicious Package

of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the users .npmrc file and send any found authentication tokens to a remote server. The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens

Malicious Package

of eslint-config-airbnb-standard was published with a bundled version of eslint-scope that was found to contain malicious code. This code would read the users .npmrc file and send it's contents to a remote server. The best course of action if you found this package installed in your environment is to revoke all your npm tokens and use a different version of the module. You can find instructions on how to do …

Malicious Package

ladder-text-js contained a malicious script that attempted to delete all files when npm test was run. This module has been unpublished from the npm Registry. If you find this module in your environment remove it.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

windows-latestchromedriver downloads the latest version of chromedriver.exe. windows-latestchromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The npm-test-sqlite3-trunk module provides asynchronous, non-blocking SQLite3 bindings. npm-test-sqlite3-trunk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

pm2-kafka is a PM2 module that installs and runs a kafka server pm2-kafka downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

roslib-socketio - The standard ROS Javascript Library fork for add support to socket.io roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

apk-parser3 is a module to extract Android Manifest info from an APK file. apk-parser3 versions before 0.1.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …

Improper Input Validation

uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb payload. This data will then inflate up to 256mb and crash the node process by exceeding V8's maximum string size. This affects uws >=0.10.0 <=0.10.8.

Improper Authentication

MAGMI is vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the Mysql setting max_connections where the default is and is lower than Apache (or another web server) setting for MaxRequestWorkers, formerly MaxClients, where the default is This can be done by sending at least simultaneous requests to the Magento …

Forgeable Public/Private Tokens in jws

Affected versions of the jws package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort. Recommendation Update to version 3.0.0 or later.

Exposure of Resource to Wrong Sphere

In Apache Cassandra, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables …

Entropy Backdoor in text-qrcode

All versions of text-qrcode contain malicious code that overwrites the randomBytes method for the crypto module with a function that generates weak entropy. Instead of generating bytes, the infected randomBytes will generate 3 bytes of entropy and hash them, resulting in a byte value being returned, but one that is easily guessable. Uninstall text-qrcode immediately. If the module was used to generate entropy that is load bearing, all such instances …

Downloads Resources over HTTP in adamvr-geoip-lite

adamvr-geoip-lite is a light weight native JavaScript implementation of GeoIP API from MaxMind adamvr-geoip-lite downloads geoip resources over HTTP, which leaves it vulnerable to MITM attacks. This impacts the integrity and availability of this geoip data that may alter the decisions made by an application using this data.

Directory Traversal in yjmyjmyjm

Affected versions of yjmyjmyjm resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …

Directory Traversal in wenluhong1

Affected versions of wenluhong1 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …

Directory Traversal in nodeload-nmickuli

Affected versions of nodeload-nmickuli resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …

Directory Traversal in featurebook

Affected versions of featurebook resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. The featurebook package is not intended to be run in production code nor to be exposed to an untrusted network. Proof of Concept GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo …

Directory Traversal in @vivaxy/here

The @vivaxy/here module is a small web server that serves files with the process' working directory acting as the web root. It is vulnerable to a directory traversal attack. This means that files on the local file system which exist outside of the web root may be disclosed to an attacker. This might include confidential files. Mitigating Factors: If the node process is run as a user with very limited …

Denial of Service in yar

Versions of yar prior to 2.2.0 are affected by a denial of service vulnerability related to an invalid encrypted session cookie value. When an invalid encryped session cookie value is provided, the process will crash. Recommendation Update to version 2.2.0 or later.

Denial of Service in mqtt

Affected versions of mqtt will cause the node process to crash when receiving specially crafted MQTT packets, making the application vulnerable to a denial of service condition. Recommendation Update to v1.0.0 or later

Cross-Site Scripting in swagger-ui

Affected versions of swagger-ui are vulnerable to cross-site scripting in both the consumes and produces parameters of the swagger JSON document for a given API. Additionally, swagger-ui allows users to load arbitrary swagger JSON documents via the query string parameter url, allowing an attacker to exploit this attack against any user that the attacker can convince to visit a crafted link. Proof of Concept http://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json Recommendation Update to version 2.2.1 …

Cross-Site Scripting in swagger-ui

Affected versions of swagger-ui are vulnerable to cross-site scripting. This vulnerability exists because swagger-ui automatically executes external Javascript that is loaded in via the url query string parameter when a Content-Type: application/javascript header is included. An attacker can create a server that replies with a malicious script and the proper content-type, and then craft a swagger-ui URL that includes the location to their server/script in the url query string parameter. …

Cross-Site Scripting in fuelux

Affected versions of fuelux contain a cross-site scripting vulnerability in the Pillbox feature. By supplying a script as a value for a new pillbox, it is possible to cause arbitrary script execution. Recommendation Update to version 3.15.7 or later.

Cross-Site Scripting in emojione

Affected versions of emojione are vulnerable to cross-site scripting when user input is passed into the toShort(), shortnameToImage(), unicodeToImage(), and toImage() functions. Recommendation Update to version 1.3.1 or later.

Cross-Site Scripting in c3

Affected versions of c3 are vulnerable to cross-site scripting via improper sanitization of HTML in rendered tooltips. Recommendation Update to 0.4.11 or later.

Cross-Site Scripting in bootstrap-tagsinput

All versions of bootstrap-tagsinput are vulnerable to cross-site scripting when user input is passed into the itemTitle parameter unmodified, as the package fails to properly sanitize or encode user input for that parameter. Recommendation This package is not actively maintained, and has not seen an update since 2015. Because of this, the simplest mitigation is to avoid using the itemTitle parameter. With over 200 open issues and over 100 open …

Byass due to validation before canonicalization in serve

Versions of serve before 6.5.2 are vulnerable to the bypass of the ignore functionality. The bypass is possible because validation happens before canonicalization of paths and filenames. Example: Here we have a server that ignores the file test.txt. const serve = require('serve') const server = serve(__dirname, { port: 1337, ignore: ['test.txt'] }) Using the URL encoded form of a letter (%65 instead of e) attacker can bypass the ignore control …

Aug 2020

Improper Authentication

paypal-ipn before 3.0.0 uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production.

Cross-site Scripting

Dolibarr is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.

Cross-Site Request Forgery (CSRF)

Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with …

Out-of-bounds Read

A buffer over-read vulnerability exists in bl which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Cross-site Scripting

baserCMS is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The affected components are ThemeFilesController.php and UploaderFilesController.php.

Session Hijacking

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

Session Hijacking

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

Session Hijacking

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

Session Hijacking

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

Cross-site Scripting

An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

OS Command Injection

A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the ps bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine as well as …

Use After Free

GNU Bison has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated …

Cross-site Scripting

A Cross Site Scripting vulnerability was found in Codiad. The vulnerability occurs because of improper sanitization of the folder name $path variable in components/filemanager/class.filemanager.php.

Server-Side Request Forgery (SSRF)

** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forgery (SSRF) vulnerability was found in Codiad v1.7.8. A user with admin privileges could use the plugin install feature to make the server request any URL via components/market/class.market.php. This could potentially result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors."

Improper Certificate Validation

wolfSSL mishandles TLS server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS client state machine. This allows attackers in a privileged network position to completely impersonate any TLS servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers.

Cross-Site Request Forgery (CSRF)

** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Side Request Forgery (CSRF) vulnerability was found in Codiad. The request to download a plugin from the marketplace is only available to admin users and it isn't CSRF protected in components/market/controller.php. This might cause admins to make a vulnerable request without them knowing and result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by …

Remote Code Execution in Red Discord Bot

A RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specifically crafted usernames to inject code into the Trivia module's leaderboard command. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

Remote Code Execution in Red Discord Bot

A RCE exploit has been discovered in the Streams module: this exploit allows Discord users with specifically crafted "going live" messages to inject code into the Streams module's going live message. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

Incorrect threshold signature computation in TUF

Metadadata signature verification, as used in tuf.client.updater, counted each of multiple signatures with identical authorized keyids separately towards the threshold. Therefore, an attacker with access to a valid signing key could create multiple valid signatures in order to meet the minimum threshold of keys before the metadata was considered valid. The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.

Improper Input Validation

wolfSSL mishandles the change_cipher_spec (CCS) message processing logic for TLS If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service.

Cryptographic Issues

An issue was discovered in the DTLS handshake implementation in wolfSSL. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application.

Client Denial of Service on TUF

An attacker who can gain file access to the repository and modify metadata files may cause a denial of service to clients by creating many invalid signatures on a metadata file. Having a large number of signatures to verify will delay the moment when the client will determine the signature is not valid. This delay may be for at least a few minutes, but possibly could be longer especially if …

Path Traversal in openapi-python-client

Path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk. Giving this a CVSS score of 3.0 (Low) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N/E:P/RL:U/RC:C

Injection Vulnerability

In SyliusResourceBundle request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

Injection Vulnerability

In SyliusResourceBundle request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

Cross-site Scripting

In auth0-lock dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.

Cross-Site Request Forgery (CSRF)

OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the fromkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.

Server-Side Request Forgery (SSRF)

ftp-srv is vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration.

Path Traversal

The resolveRepositoryPath function does not properly validate user input and a malicious user may traverse to any valid Git repository outside the repoRoot. This issue may lead to unauthorized access of private Git repositories as long as the malicious user knows or brute-forces the location of the repository.

Cross-site Scripting

A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.

Cross-site Scripting

A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.

Cross-site Scripting

Jenkins does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

Authentication Bypass by Spoofing

Concourse, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.

Improper Initialization

An improperly initialized migrationAuth' value in Google's go-tpm library can lead an eavesdropping attacker to discover the authvalue for a key created with CreateWrapKey. An attacker listening in on the channel can collect bothencUsageAuthandencMigrationAuth, and then can calculate usageAuth ^ encMigrationAuthas themigrationAuthcan be guessed for all keys created withCreateWrapKey`.

Cross-site Scripting

TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.

Cross-site Scripting

TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.

Cross-site Scripting

Prism is vulnerable to Cross-Site Scripting. The easing preview of the previewer plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.

Uncontrolled Resource Consumption

The etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.

Improper Authentication

In etcd, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the –endpoints flag. This has been fixed with improved documentation and deprecation of the functionality.

Reliance on Cookies without Validation and Integrity Checking

In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned …

Operation on a Resource after Expiration or Release

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 …

Missing Authentication for Critical Function

In Contour (Ingress controller for Kubernetes), a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When running Envoy (For example on the host network, pod spec hostNetwork=true), the shutdown manager's endpoint …

Generation of Error Message Containing Sensitive Information

In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a 400 error code is returned, along with a error message saying that this user name does not exist. This enables attackers to retrieve valid usernames. Also, the response of the …

Deserialization of Untrusted Data

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be …