23 matches found
MAL-2025-36067 Malicious code in test-mlw2-queen-ghyll (npm)
The package test-mlw2-queen-ghyll was found to contain malicious code...
Node.js Module vm2 < 3.9.11 Sandbox Breakout
The version of the Node.js module vm2 installed on the remote host is prior to 3.9.11. It is, therefore affected by a sandbox breakout vulnerability. Untrusted code can break out of the sandbox created by the affected vm2 module and execute arbitrary code on the host system. Note that Nessus has...
K50343021: Node-vm2 vulnerability CVE-2022-36067
Security Advisory Description vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was...
Critical RCE Flaw Reported in Spotify's Backstage Software Catalog and Developer Platform
Spotify's Backstage has been discovered as vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module. The vulnerability CVSS score: 9.8, at its core, takes advantage of a critical sandbox escape in vm2...
Exploit for Improper Control of Dynamically-Managed Code Resources in Vm2_Project Vm2
Exploit-For-CVE-2022-36067 This repo contains payload for the...
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer operands that use the Box connector may be vulnerable to arbitrary code execution due to [CVE-2022-36067]
Summary Node.js module vm2 is used by the Box connector in IBM App Connect Enterprise Certified Container IntegrationServer operands. IBM App Connect Enterprise Certified Container IntegrationServer operands that use the Box connector may be vulnerable to arbitrary code injection. This bulletin...
Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox
A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host...
CVE-2022-36067
creationtimestamp| type| source ---|---|--- 2022-10-10 12:21:17+00:00| seen| https://t.me/ctinow/68112 2022-10-11 13:49:45+00:00| seen| https://t.me/thehackernews/2658 2022-10-15 13:07:01+00:00| published-proof-of-concept| https://t.me/CyberSecurityTechnologies/6979 2022-10-17 10:27:30+00:00|...
Critical: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.1.1 security update and bug fixes
Multicluster Engine for Kubernetes 2.1.1 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...
Critical: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0.2 security and bug fixes
Multicluster Engine for Kubernetes 2.0.2 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...
CVE-2022-36067 vm2 vulnerable to Sandbox Escape before v3.9.11
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of...
CVE-2022-36067
CVE-2022-36067 (vm2) is a Node.js sandbox vulnerability in the vm2 library. In versions prior to 3.9.11, the sandbox protections can be bypassed, allowing a threat actor to gain remote code execution on the host running the sandbox. The issue has been fixed in vm2 3.9.11. The Initial Description ...
CVE-2022-36067 vm2 vulnerable to Sandbox Escape before v3.9.11
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of...
CVE-2022-36067 vm2 vulnerable to Sandbox Escape before v3.9.11
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of...
CVE-2021-36067
Adobe Bridge version 11.1 and earlier is affected by a memory corruption vulnerability due to insecure handling of a malicious Bridge file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability...
CVE-2021-36067
Adobe Bridge 11.x is affected by a memory corruption/out-of-bounds vulnerability (CVE-2021-36067) in which insecure handling of a malicious Bridge file could lead to arbitrary code execution under the current user. The issue requires user interaction (open/handle a crafted Bridge file) and affect...
Adobe Bridge 11.x < 11.1.1 Multiple Vulnerabilities (APSB21-69)
The version of Adobe Bridge installed on the remote Windows host is prior to 11.1.1. It is, therefore, affected by multiple vulnerabilities as referenced in the apsb21-69 advisory. - Adobe Bridge version 11.1 and earlier is affected by a memory corruption vulnerability due to insecure handling of...
CVE-2020-36067
creationtimestamp| type| source ---|---|--- 2021-01-06 00:44:41+00:00| seen| https://t.me/cibsecurity/21645...
UBUNTU-CVE-2020-36067
GJSON =v1.6.5 allows attackers to cause a denial of service panic: runtime error: slice bounds out of range via a crafted GET call...
CVE-2020-36067
GJSON =v1.6.5 allows attackers to cause a denial of service panic: runtime error: slice bounds out of range via a crafted GET call...