Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. Compromised versions of this package contain a file called bundle.js that exfiltrates secrets from the user's accounts, including credentials and API tokens. It also downloads malicious files and repackages them...

endroid/qr-code-bundle File Disclosure via logo_path query parameter

Versions of endroid/qr-code-bundle prior to 3.4.2 are affected by a security vulnerability that allows disclosure of files through the logopath query parameter. The vulnerability arises from the improper handling of non-image data as the logo, which could lead to unintended file disclosure...

GHSA-MVF6-3F2G-XFXF endroid/qr-code-bundle File Disclosure via logo_path query parameter

Versions of endroid/qr-code-bundle prior to 3.4.2 are affected by a security vulnerability that allows disclosure of files through the logopath query parameter. The vulnerability arises from the improper handling of non-image data as the logo, which could lead to unintended file disclosure...

PT-2024-40382 · Unknown · Endroid/Qr-Code-Bundle

Name of the Vulnerable Software and Affected Versions: endroid/qr-code-bundle versions prior to 3.4.2 Description: The issue arises from the improper handling of non-image data as the logo, which could lead to unintended file disclosure through the logo path query parameter. Recommendations: For...

CVE-2022-46155

Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLEAPIKEY and...