Advisories

Sep 2020

Improper Authorization in passport-cognito

All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf. Recommendation No fix is currently available. Consider using an alternative package …

Hardcoded Initialization Vector in parsel

All versions of parsel have a default hardcoded initialization vector. In cases where the IV is not provided, the package defaults to a hardcoded IV which renders the cipher vulnerable to chosen plaintext attacks. The package is deprecated and will not be updated. Consider using an alternative package.

Global node_modules Binary Overwrite in bin-links

Versions of bin-links are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent globally-installed binaries from being overwritten by other package installs. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This behavior is still allowed in local installations.

Files or Directories Accessible to External Parties

Bundler uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.

Duplicate Advisory: Prototype Pollution in klona

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-8f89-2fwj-5v5r. This link is maintained to preserve external references. Original Description: Versions of klona prior to 1.1.1 are vulnerable to prototype pollution. The package does not restrict the modification of an Object's prototype when cloning objects, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation Upgrade to …

Denial of Service in http-proxy

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function. For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception: curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')" Recommendation …

Denial of Service in @commercial/ammo

Versions of @commercial/ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exit, allowing an attacker …

Command Injection in treekill

All versions of treekill are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands on the server. The issue only affects Windows systems. Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.

Command Injection in tree-kill

Versions of tree-kill prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands on the server. The issue only affects Windows systems. Recommendation Upgrade to version 1.2.2 or later.

Command Injection in strapi

Versions of strapi before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the /admin/plugins/install/ route. This may allow an authenticated attacker with admin privileges to run arbitrary commands on the server. Recommendation Upgrade to version 3.0.0-beta.17.8 or later.

Arbitrary File Write in bin-links

Versions of bin-links are vulnerable to an Arbitrary File Write. The package fails to restrict access to folders outside of the intended node_modules folder through the bin field. This allows attackers to create arbitrary files in the system. Note it is not possible to overwrite files that already exist. Recommendation …

Unintended Require in larvitbase-www

All versions of larvitbase-www are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to a require() call. This allows attackers to execute any .js file in the same folder as the server is running. No fix is currently available. Consider using an alternative package until a fix is made available.

Undefined Behavior in zencashjs

Versions of zencashjs may cause loss of funds when used with cryptocurrency wallets. The package relies on a string comparison of the first two characters of a Horizen address to determine the destination address type of a transaction (P2PKH or P2SH). Due to the base58 address prefixes chosen in Horizen there exists the possibility of a clash of address prefixes for testnet P2PKH and mainnet P2SH addresses, testnet P2PKH addresses …

Sensitive Data Exposure in put

All versions of put are vulnerable to Uninitialized Memory Exposure. The package incorrectly calculates the allocated Buffer size and does not trim the bytes written, which may allow attackers to access uninitialized memory containing sensitive data. This vulnerability only affects versions of Node.js Upgrade your Node.js version or consider using an alternative package.

Sensitive Data Exposure in ibm_db

Versions of ibm_db prior to 2.6.0 are vulnerable to Sensitive Data Exposure. The package printed database credentials in plaintext in logs while in debug mode. Recommendation Upgrade to version 2.6.0 or later and ensure sensitive information was not logged.

Reverse Tabnabbing in showdown

Versions of showdown are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.

Reverse Tabnabbing in quill

Versions of quill prior to 1.3.7 are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks. Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.

Regular Expression Denial of Service in sql-injection

All versions of sql-injection are vulnerable to Regular Expression Denial of Service. The package processes a request's body with regular expressions that may take exponentially longer to execute for large inputs. No fix is currently available. Consider using an alternative package until a fix is made available.

Prototype Pollution in subtext

All versions of subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts' content can be set as the entire payload object's prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed. Recommendation This package …

Prototype Pollution in pez

All versions of pez are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.

Prototype Pollution in mithril

Affected versions of mithril are vulnerable to prototype pollution. The function parseQueryString may allow a malicious user to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. A payload such as __proto__%5BtoString%5D=123 in the query string would change the toString() function to 123. If you are using mithril, upgrade to or later. If you are using mithril, upgrade to or …

Prototype Pollution in lodash.mergewith

Versions of lodash.mergewith are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects. Update to or later.

Prototype Pollution in lodash.mergewith

Versions of lodash.mergewith are vulnerable to Prototype Pollution. The function 'mergeWith' may allow a malicious user to modify the prototype of Object via __proto__, causing the addition or modification of an existing property that will exist on all objects. Update to or later.

Prototype Pollution in lodash.merge

Versions of lodash.merge are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of Object via __proto__, causing the addition or modification of an existing property that will exist on all objects. Update to or later.

Prototype Pollution in lodash.merge

Versions of lodash.merge are vulnerable to prototype pollution. The function merge may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects. Update to or later.

Prototype Pollution in lodash.defaultsdeep

Versions of lodash.defaultsdeep are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects. Update to or later.

Prototype Pollution in @hapi/subtext

Versions of @hapi/subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.

Prototype Pollution in @hapi/subtext

Versions of @hapi/pez prior to 4.1.2 or 5.0.1 are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.

Prototype Pollution in @commercial/subtext

Versions of @commercial/subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.

Open Redirect in apostrophe

Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation Update to version 2.92.0 or later.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of anarchy contain malicious code. The package ran rm -rf / as an install script. Remove the package from your environment.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of superhappyfuntime contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …

Malicious Package

All versions of maybemaliciouspackage contain malicious code. The package prints the system's SSH keys to the console as a postinstall script. Recommendation Remove the package from your environment. There are no further signs of compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

of load-from-cwd-or-npm contains malicious code. The malware breaks functionality of the purescript-installer package by injecting targeted code. Recommendation There is no indication of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of cage-js contain malicious code. The malware downloads and runs a script from a remote server as a postinstall script. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of comander contain malicious code. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of sj-tw-test-security contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …

Malicious Package

All versions of sdfjghlkfjdshlkjdhsfg contain malicious code. The package is essentially a worm that fetches all packages owned by the user, adds a script to self-replicate as a preinstall script and publishes a new version. Recommendation Remove the package from your environment and ensure all packages owned were not impacted.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of discord.js-user contain malicious code. The package uploads the user's Discord token to a remote server. Remove the package from your environment. Ensure any compromised tokens are invalidated.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of nodes.js contain malicious code. The package searches and installs globally thousands of packages based on keywords node, react, react-native, vue, angular and babel to fill the system's memory. Remove the package from your environment and validate what packages are installed.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of malicious-do-not-install contain malicious code. The package copies the contents of /etc/passwd and /etc/shadow to files in the local /tmp/ folder. Remove the package from your environment and rotate affected credentials.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

All versions of owl-orchard-apple-sunshine contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given …

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

All versions of only-test-not-install contain malicious code. The package deletes the folder ~/test from the system as a postinstall script. Recommendation: Remove the package from your environment. There are no further signs of compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

of 8.9.4 contain malicious code as a preinstall script. The package reads the system's SSH keys but does not upload them to a remote server. Remove the package from your environment. There is no evidence of further compromise at the moment.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of maleficent contain malicious code. The package is a demonstration of possible risks when installing npm packages. It gathers system information such as: environment variables, OS information, network interface, AWS credentials, npm credentials and ssh keys. The package prints the information to a local file but does not upload it to a remote server. Remove the package from your environment. There is no further compromise.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of sj-tw-sec contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of my-very-own-package contain malicious code. The package sends the output of process.versions, process.arch and process.platform to a remote server in a postinstall script. Remove the package from your environment. There are no further signs of compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of sj-tw-abc contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of arsenic-tabasco-cyborg-peanut-butter contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of deasyncp contain malicious code. The package shuts down the machine upon installation as a preinstall script. Remove the package from your environment. There is no further compromise.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

of rate-map contains malicious code. The malware breaks the functionality of the purescript-installer package by rewriting code of the dl-tar dependency. Recommendation: There is no indication of further compromise.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

of pizza-pasta contains malicious code in its install scripts. The package created folders on the system's Desktop and downloaded an image from imgur.com. The package also printed the user's SSH keys to the console. Remove the package from your environment. There is no evidence of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of fast-requests contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation: Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account, contact your credit card company.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

of harmlesspackage contains malicious code as a postinstall script. The package printed a message to the console and performed a GET request to a remote server. Remove the package from your environment. There is no evidence of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

All versions of evil-package contain malicious code. The package uploads the contents of process.env to example.com/log. Remove the package from your environment. Given the host to which the information was uploaded, there is no further indication of compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.

Malicious Package

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Malicious Package

of leetlog contain malicious code. The package adds an arbitrary hardcoded SSH key identified as hacker@evilmachine to the system's authorized_keys. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …

Machine-In-The-Middle in airtable

Affected versions of airtable are vulnerable to Machine-In-The-Middle. The package unintentionally has SSL certificate validation disabled by default. This may allow attackers in a privileged network position to decrypt intercepted traffic.

Local File Inclusion in domokeeper

All versions of domokeeper are vulnerable to Local File Inclusion. The /plugin/ route passes a GET parameter unsanitized to a require() call. It then returns the output of require() in the server response. This may allow attackers to load unintended code in the application. It also allows attackers to exfiltrate information in .json files. No fix is currently available. Consider using an alternative package until a fix is made available.

Improper Authorization in react-oauth-flow

All versions of react-oauth-flow fail to properly implement the OAuth protocol. The package stores secrets in the front-end code. Instead of using a public OAuth client, it uses a confidential client on the browser. This may allow attackers to compromise server credentials. No fix is currently available. Consider using an alternative module until a fix is made available.

Improper Authorization in @sap-cloud-sdk/core

Affected versions of @sap-cloud-sdk/core do not properly validate JWTs. The verifyJwt() function does not properly validate the URL from which the public verification key for the JWT is downloaded. Any URL was trusted, which makes it possible to supply a URL belonging to a manipulated JWT. Upgrade to or later.

HTML Injection in marky-markdown

All versions of marky-markdown are vulnerable to HTML Injection. The package fails to sanitize style attributes in img tags of the markdown input. This may allow attackers to affect the size of images in the rendered HTML. Recommendation: This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown

HTML Injection in marky-markdown

All versions of marky-markdown are vulnerable to HTML Injection due to a validation bypass. The package only allows iframes whose source is youtube.com, but it is possible to bypass the validation with sources where youtube.com is a sub-domain, such as youtube.com.evil.co. Recommendation: This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown

Denial of Service in sequelize

Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process. The following proof-of-concept crashes the Node process: const Sequelize = require('sequelize'); const sequelize …

Denial of Service in mongodb

Versions of mongodb are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application. Upgrade to or later.

Denial of Service in http-live-simulator

Versions of http-live-simulator prior to 1.0.8 are vulnerable to Denial of Service. The package fails to catch an exception that causes the Node process to crash, effectively shutting down the server. This allows an attacker to send an HTTP request that crashes the server. Recommendation Upgrade to version 1.0.8 or later.

Denial of Service in hapi

All versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exit, allowing an attacker to shut down services. Recommendation This package is deprecated and is now maintained as @hapi/hapi. Please update your dependencies to use @hapi/hapi.

Denial of Service in handlebars

Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service. Recommendation Upgrade to version 4.4.5 or later.

Denial of Service in grpc-ts-health-check

Versions of grpc-ts-health-check are vulnerable to Denial of Service. The package exposes an API endpoint that may allow attackers to set the service's health status to failing. This can lead to Denial of Service as Kubernetes blocks traffic to services with a failing status. Upgrade to or later.

Denial of Service in content

Versions of content are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors (as opposed to catching expected application errors), the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exit, allowing an attacker …

Denial of Service in apostrophe

Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust system memory. Recommendation Upgrade to version 2.97.1 or later.

Denial of Service in ammo

All versions of ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exit, allowing an …

Denial of Service in @hapi/subtext

Versions of @hapi/subtext prior to 6.1.3 or 7.0.3 are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors (as opposed to catching expected application errors), the error is thrown all the way up the stack. If no unhandled exception handler is available, the application …

Denial of Service in @hapi/hapi

Versions of @hapi/hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exit, allowing an attacker to shut down services.

Denial of Service in @hapi/content

Versions of @hapi/content prior to 4.1.1 and 5.0.1 are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors (as opposed to catching expected application errors), the error is thrown all the way up the stack. If no unhandled exception handler is available, the application …

Denial of Service in @hapi/ammo

Versions of @hapi/ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exit, allowing an attacker …

Denial of Service in @commercial/hapi

Affected versions of @commercial/hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exit, allowing an attacker to shut down services.

Cross-Site Scripting in mavon-editor

All versions of mavon-editor are vulnerable to Cross-Site Scripting. The package fails to sanitize entered input, allowing attackers to execute arbitrary JavaScript in a victim's browser. No fix is currently available. Consider using an alternative package until a fix is made available.

Cross-Site Scripting in markdown-to-jsx

Versions of markdown-to-jsx are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization, the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload. Upgrade to or later.

Cross-Site Scripting in lazysizes

Versions of lazysizes prior to 5.2.1-rc1 are vulnerable to Cross-Site Scripting. The video-embed plugin fails to sanitize the following attributes: data-vimeo, data-vimeoparams, data-youtube and data-ytparams. This allows attackers to execute arbitrary JavaScript in a victim's browser if the attacker has control over the vulnerable attributes. Recommendation Upgrade to version 5.2.1-rc1 or later.

Cross-site Scripting

The Advanced Reports module for SilverStripe is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code. This affects admin/advanced-reports/DataObjectReport/EditForm/field/DataObjectReport/item (report preview) when an SVG document is provided in the Description parameter.

Configuration Override in helmet-csp

Versions of helmet-csp before to are vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting. Upgrade to or later. Setting the browserSniff configuration to false in vulnerable versions also mitigates the issue.

Command Injection in expressfs

All versions of expressfs are vulnerable to Command Injection. The affected functions are expressfs.cp, expressfs.create and expressfs.rmdir. No fix is currently available. Consider using an alternative module until a fix is made available.

Command Injection in addax

Versions of addax are vulnerable to Command Injection. The package does not validate user input on the presignPath function which receives input directly from the API endpoint. Exploiting the vulnerability requires authentication. This may allow attackers to run arbitrary commands in the system. Upgrade to or later.

Authorization Bypass in graphql-shield

Versions of graphql-shield are vulnerable to an Authorization Bypass. The rule caching option no_cache relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should not have access to in case of a key collision.

Authentication Bypass in saml2-js

Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely. Recommendation Upgrade to version 2.0.5 or later.

Authentication Bypass in otpauth

Versions of otpauth are vulnerable to Authentication Bypass. The package's totp.validate() function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens.

Use After Free

Object lifetime issue in Blink in Google Chrome allowed a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.

Unrestricted Upload of File with Dangerous Type

Dolibarr allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, an .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).

Unauthorized File Access in glance

Versions of glance prior to 3.0.7 are vulnerable to Unauthorized File Access. The package provides a --nodot option meant to hide files and directories whose names begin with a dot (.), such as .git, but it fails to hide files inside a directory whose name begins with a dot. Recommendation Upgrade to version 3.0.7 or later.

Sensitive Data Exposure in loopback

Versions of loopback (3.x) (2.x) are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft. If you're using loopback upgrade to or later. If you're using loopback upgrade to or later.

Prototype Pollution in smart-extend

All versions of smart-extend are vulnerable to Prototype Pollution. The deep() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available.

Malicious Package

All versions of jajajejejiji typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of erquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requets typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of discord_debug_log contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.

Malicious Package

All versions of eact typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of asinc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of reqquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

The package destroyer-of-worlds contained malicious code. The package contained a bash script that was run as a postinstall script. The script deleted system files and attempted to exhaust resources by creating a large file, a fork bomb and an endless loop. The script targeted UNIX systems. Remove the package from your environment and perform additional incident response on your system's files and processes.

Malicious Package

All versions of rqeuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of rrgod are considered malicious. The package is malware designed to run arbitrary scripts. When installed, the package downloads an arbitrary file and executes its contents as pre, post and install scripts. This package is not available on the npm Registry anymore. If you happen to find this package in your environment you should consider the system it was installed on compromised and assess if further response …

Malicious Package

All versions of aasync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of asycn typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of portionfatty12 are considered malicious. The package is malware designed to steal the user's data. When installed it uploads the user's public SSH keys to a remote server. This package is not available on the npm Registry anymore. If you happen to find this package in your environment you should consider the system it was installed on compromised and assess if further response (such as rotating all credentials found …

Malicious Package

All versions of asyync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of reequest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of reqest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of asymc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of rrequest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of carloprojectdiscord contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.

Malicious Package

All versions of requesst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of calk typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of commnader typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of momen typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requset typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

of font-scrubber contains malicious code as a postinstall script. The package attempts to upload sensitive files from the system to a remote server. The files include configuration files, command history logs, SSH keys and /etc/passwd. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should …

Malicious Package

All versions of whiteproject contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.

Malicious Package

The package donotinstallthis contained malicious code. The package contained a script that was run as part of the install script. The script contacted a remote service tracking how many installations were done. There is no further compromise. Remove the package from your environment.

Malicious Package

All versions of asnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of experss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of asnyc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of chak typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of exprss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of aysnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requeest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of reques typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requestt typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of carloprojectlesang contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.

Malicious Package

of stream-combine has malicious code designed to steal credentials and credit card information. This package is not available on the npm Registry anymore. If you used this module and your application processed credentials or credit card information, it is possible that information was stolen.

Malicious Package

All versions of 4equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of saync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of requet typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

All versions of wepack-cli typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Malicious Package

of rimrafall contains malicious code as a preinstall script. The package attempts to remove all files in the system's root folder. If you installed this package it is likely your machine was erased. If not, remove the package from your system and verify if any files were deleted.

Malicious Package

All versions of asynnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …

Information Exposure Through Discrepancy

A Lucky timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length.

Improper Removal of Sensitive Information Before Storage or Transfer

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …

Improper Cross-boundary Removal of Sensitive Data

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …

Improper Authorization in loopback

Vulnerable versions of loopback may allow attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target's userId. This will allow the attacker to access the user's data and their privileges. For loopback, upgrade to or later. For loopback, upgrade to or later.

HTML Injection in preact

Versions of preact on prerelease tags alpha and beta are vulnerable to HTML Injection. Due to insufficient input validation the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires user input parsed with JSON.parse() to be passed directly into JSX without sanitization. Upgrade to .

Denial of Service in serialize-to-js

Versions of serialize-to-js prior to 2.0.0 are vulnerable to Denial of Service. User input is not properly validated, allowing attackers to provide inputs that lead the execution to loop indefinitely. Recommendation Upgrade to version 2.0.0 or later.

Cross-Site Scripting in jquery-mobile

All versions of jquery-mobile are vulnerable to Cross-Site Scripting. The package checks for content in location.hash and, if a URL is found, it does an XMLHttpRequest (XHR) to the URL and renders the response with innerHTML. It fails to validate the Content-Type of the response, allowing attackers to include malicious payloads as part of query parameters that are reflected back to the user. A response such as {"q":"<iframe/src='javascript:alert(1)'></iframe>","results":[]} would be …

Cross-Site Scripting in google-closure-library

Versions of google-closure-library prior to 20190301.0.0 are vulnerable to Cross-Site Scripting. The safedomtreeprocessor.processToString() function improperly processed empty elements, which could allow attackers to execute arbitrary JavaScript through Mutation Cross-Site Scripting. Recommendation Upgrade to version 20190301.0.0 or later.

Cross-Site Scripting in buttle

All versions of buttle are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, buttle does not sanitize the HTML output allowing attackers to run arbitrary JavaScript when processing malicious markdown files. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available.

Cross-Site Scripting in bootstrap-vue

Versions of bootstrap-vue are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization, components may be vulnerable to Cross-Site Scripting through the options variable. This may lead to the execution of malicious JavaScript on the user's browser.

Cross-site Scripting

Ignite Realtime Openfire has a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameters searchName, searchValue, searchDescription, searchDefaultValue, searchPlugin, searchDescription and searchDynamic in the Server Properties and Security Audit Viewer JSP page.

Cross-site Scripting

A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request parameters searchName, searchValue, searchDescription, searchDefaultValue, searchPlugin, searchDescription and searchDynamic in server-properties.jsp and security-audit-viewer.jsp.

Arbitrary File Overwrite in decompress-zip

Vulnerable versions of decompress-zip are affected by the Zip-Slip vulnerability, an arbitrary file write vulnerability. The vulnerability occurs because decompress-zip does not verify that extracted files do not resolve to targets outside of the extraction root directory. For decompress-zip upgrade to or later. For decompress-zip upgrade to or later.

Unsafe Merging of CORS Configuration Conflict in hapi

When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined, a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).

SQL Injection via GeoJSON in sequelize

Affected versions of sequelize are vulnerable to SQL Injection in Models that have fields with the GEOMETRY DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using ST_GeomFromGeoJSON, and MySQL GeoJSON documents using GeomFromText. Recommendation Update to version 3.23.6 or later.

Spoofing attack due to unvalidated KDC in node-krb5

Affected versions of node-krb5 do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials. Recommendation It appears that this will remain unfixed indefinitely, as the Github issue for this vulnerability has been open since 2015, with no work on it since then. At this time, the best available …

Silently Runs Cryptocoin Miner in hooka-tools

Affected versions of hooka-tools were compromised and modified to silently run a cryptocoin miner in the background. All affected versions have been unpublished from the npm registry. Recommendation While this module has been unpublished, some versions may exist in mirrors or caches. Do not install this module, and remove it if found.

Remote Memory Exposure in openwhisk

Versions of openwhisk before 3.3.1 are vulnerable to remote memory exposure. When a number is passed to api_key, affected versions of openwhisk allocate an uninitialized buffer and send that over network in Authorization header (base64-encoded). Proof of concept:

    var openwhisk = require('openwhisk');
    var options = {
      apihost: '127.0.0.1:1433',
      api_key: USERSUPPLIEDINPUT // number
    };
    var ow = openwhisk(options);
    ow.actions.invoke({actionName: 'sample'}).then(result => console.log(result))

Recommendation Update to version 3.3.1 or later.

Remote Memory Exposure in mongoose

Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure. Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database. Recommendation Update to version 4.3.6, 3.8.39 or later.

Path Traversal

This affects all versions of package github.com/u-root/u-root/pkg/cpio. It is vulnerable to leading, non-leading relative path traversal attacks and symlink based (relative and absolute) path traversal attacks in cpio file extraction.

Out-of-bounds Read in njwt

Versions of njwt are vulnerable to out-of-bounds reads when a number is passed into the base64urlEncode function. On Node.js or lower this can expose sensitive information and on any other version of Node.js this creates a Denial of Service vulnerability.

NoSQL injection in express-cart

Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection. The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query, which allows operators to be inserted. These operators can be used to extract the value of the field blindly in the same manner of …

Malicious Package

nothing-js contained a malicious script that attempted to delete all files when npm test was run. This module has been unpublished from the npm Registry. If you find this module in your environment remove it.

Malicious Package

All versions of boogeyman are considered malicious. This particular package would download a payload from pastebin.com, eval it to read ssh keys and the user's .npmrc and send them to a private pastebin account. This package was published to the npm Registry for a very short period of time. If you happen to find it in your environment you should revoke and rotate your ssh keys and your npm token.

Malicious Package

of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any found authentication tokens to a remote server. The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here: https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens

Malicious Package

of eslint-config-airbnb-standard was published with a bundled version of eslint-scope that was found to contain malicious code. This code would read the user's .npmrc file and send its contents to a remote server. The best course of action if you found this package installed in your environment is to revoke all your npm tokens and use a different version of the module. You can find instructions on how to do …

Malicious Package

ladder-text-js contained a malicious script that attempted to delete all files when npm test was run. This module has been unpublished from the npm Registry. If you find this module in your environment remove it.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

windows-latestchromedriver downloads the latest version of chromedriver.exe. windows-latestchromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The npm-test-sqlite3-trunk module provides asynchronous, non-blocking SQLite3 bindings. npm-test-sqlite3-trunk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned in between the user and the remote server.