600 matches found
Malicious code in baileys-cleaner (npm)
The package communicates with a domain associated with malicious activity. It archives /home/container & exfiltrates data to catbox.moe & Firebase, including IP address. Source: ghsa-malware...
CVE-2024-45489
Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however, because of misconfigured Firebase ACLs, it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and...
CVE-2024-30564
An issue in andrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method...
CVE-2024-31215
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. It has an SSRF vulnerability in its Firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s...
CVE-2024-11023
Firebase JavaScript SDK utilizes a "FIREBASEDEFAULTS" cookie to store configuration data, including an "authTokenSyncURL" field used for session synchronization. If this cookie field is preset by an attacker by any other method, the attacker can manipulate the "authTokenSyncURL" to point to thei...
CVE-2024-11785
The Integrate Firebase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'firebaseshow' shortcode in all versions up to, and including, 0.9.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for...
CVE-2023-3202
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatefirebaseserverkey function. This makes it possible for unauthenticated attackers to update the firebase server key to push notification when order status changed via ...
reflex-ai (>=0.1.0a1 <=0.1.0a18), reflex-firebase (>=0.0.1 <=0.0.11) +3 more potentially affected by CVE-2025-47425 via reflex (>=0.6.0a4 <=0.6.2)
reflex PYPI version =0.6.0a4, =0.1.0a1, =0.0.1, =0.0.9, =10.0.11, =10.0.28 Source cves: CVE-2025-47425 Source advisory: SNYK:PYTHON-REFLEX-10442544...
org.webjars.npm:firebase (=10.13.0), org.webjars.npm:firebase__auth (=1.7.7) +7 more potentially affected by CVE-2025-47279 via org.webjars.npm:undici (=5.28.4)
org.webjars.npm:undici MAVEN version =5.28.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:undici and may be impacted: - org.webjars.npm:firebase =10.13.0 - org.webjars.npm:firebase__auth =1.7.7 - org.webjars.npm:firebase__auth-compat...
@oconva/qvikchat (>=1.0.0 <=2.0.0-alpha.4), genkit-intro (=1.0.0) +3 more potentially affected by unknown CVE via @genkit-ai/firebase (=0.5.17)
@genkit-ai/firebase NPM version =0.5.17 is affected by a known vulnerability. The following packages have a transitive dependency on @genkit-ai/firebase and may be impacted: - @oconva/qvikchat =1.0.0, =0.0.1, =1.0.0 Source cves: unknown CVE Source advisory: SNYK:JS-GENKITAIFIREBASE-12671227...
Race Condition
Overview @genkit-ai/firebase is a Genkit AI framework plugin for Firebase including Firestore trace/state store and deployment helpers for Cloud Functions for Firebase. Affected versions of this package are vulnerable to Race Condition via the asynchronous user engagement collection in the...
CVE-2024-7628
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the 'verifyidtoken' function. This makes it possible for unauthenticated attackers to...
CVE-2024-9862
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and t...
CVE-2024-54294
Authentication Bypass Using an Alternate Path or Channel vulnerability in Appgenix Infotech Firebase OTP Authentication authentication-via-otp-using-firebase allows Authentication Bypass. This issue affects Firebase OTP Authentication: from n/a through <= 1.0.1...
MAL-2024-11979 Malicious code in firebase-simple-login (npm)
Source: ghsa-malware (541b3c62a7c126ad171a84641ec64d4092d4673fad72c457090bbde0110a2fbc). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2024-54294
CVE-2024-54294 affects Firebase OTP Authentication (Firebase OTP Authentication plugin) by appgenixinfotech. Root cause: Missing Authorization to Privilege Escalation, enabling authentication bypass via an alternate path/channel. Impact: total compromise of confidentiality, integrity, and availab...
CVE-2024-54294 WordPress Firebase OTP Authentication plugin <= 1.0.1 - Account Takeover vulnerability
Authentication Bypass Using an Alternate Path or Channel vulnerability in Appgenix Infotech Firebase OTP Authentication authentication-via-otp-using-firebase allows Authentication Bypass. This issue affects Firebase OTP Authentication: from n/a through <= 1.0.1...
CVE-2024-54294 WordPress Firebase OTP Authentication plugin <= 1.0.1 - Account Takeover vulnerability
Authentication Bypass Using an Alternate Path or Channel vulnerability in appgenixinfotech Firebase OTP Authentication allows Authentication Bypass. This issue affects Firebase OTP Authentication: from n/a through 1.0.1...