360 matches found

Debian
added 2021/04/01 7:56 p.m., 69 views

[SECURITY] [DSA 4883-1] underscore security update

Debian Security Advisory DSA-4883-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 01, 2021 https://www.debian.org/security/faq ...

CVSS 7.2, AI score 6, EPSS 0.01452
Exploits: 2

Prion
added 2021/03/30 2:15 a.m., 8 views

Design/Logic Flaw

It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated...

CVSS 5, AI score 5.5, EPSS 0.00255
Exploits: 1, References: 2, Affected Software: 1

Cvelist
added 2021/03/30 1:48 a.m., 11 views

CVE-2018-1107

It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated...

AI score 5.6, EPSS 0.00255
Exploits: 1, References: 2

OSV
added 2021/03/17 1:15 p.m., 0 views

UBUNTU-CVE-2021-27292

ua-parser-js = 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time...

CVSS 7.5, AI score 7.2, EPSS 0.01439
Exploits: 1, References: 4

Tenable Nessus
added 2021/02/22 12:0 a.m., 44 views

Debian DSA-4858-1 : chromium - security update

Several vulnerabilities have been discovered in the chromium web browser. - CVE-2021-21148 Mattias Buelens discovered a buffer overflow issue in the v8 JavaScript library. - CVE-2021-21149 Ryoya Tsukasaki discovered a stack overflow issue in the Data Transfer implementation. - CVE-2021-21150 Wooj...

CVSS 9.6, AI score 8.8, EPSS 0.22313
Exploits: 8, References: 23

OpenVAS
added 2021/02/21 12:0 a.m., 19 views

Debian: Security Advisory (DSA-4858-1)

The remote host is missing an update for the Debian...

CVSS 9.6, AI score 9.8, EPSS 0.22313
Exploits: 8, References: 6

OSV
added 2021/02/19 5:15 a.m., 0 views

CVE-2021-27405

A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js...

CVSS 7.5, AI score 5.7
Exploits: 0, References: 4

Tenable Nessus
added 2021/02/09 12:0 a.m., 37 views

Debian DSA-4846-1 : chromium - security update

Several vulnerabilities have been discovered in the chromium web browser. - CVE-2020-16044 Ned Williamson discovered a use-after-free issue in the WebRTC implementation. - CVE-2021-21117 Rory McNamara discovered a policy enforcement issue in Cryptohome. - CVE-2021-21118 Tyler Nighswander discover...

CVSS 9.6, AI score 7.9, EPSS 0.25876
Exploits: 4, References: 67

vulnersOsv
added 2021/02/08 9:17 p.m., 0 views

2pg-oauth (>=1.0.0 <=1.0.1), 30s (>=1.5.0 <=1.5.23) +1873 more potentially affected by CVE-2021-21306 via marked (>=1.1.1 <=1.2.9)

marked NPM version =1.1.1, =1.0.0, =1.5.0, =4.11.16, =1.0.1, =0.0.1, =2.4.0, =0.12.4, =4.0.0, =0.1.1, =0.1.10, =0.0.1, =1.0.0, =2.0.0, =3.1.1 - @adonisjs/cli =4.0.13 and more Source cves: CVE-2021-21306 Source advisory: OSV:GHSA-4R62-V4VQ-HR96...

CVSS 7.5, AI score 7.1, EPSS 0.00603
Exploits: 0

CNNVD
added 2021/02/04 12:0 a.m., 3 views

Shinuza Decimal-js Security Vulnerability

Shinuza Decimal-js is a JavaScript-based code library by individual developer Shinuza that provides decimal calculations for Node applications. A security vulnerability exists in Shinuza Decimal-js, which stems from the extend function...

CVSS 8.6, AI score 7.3, EPSS 0.004
Exploits: 1, References: 4

CNNVD
added 2021/01/19 12:0 a.m., 2 views

Immer Security Breach

Immer is a Javascript-based state management library for the Immer community. A security vulnerability exists in all versions of Immer. No information about this vulnerability is available at this time, please stay tuned to CNNVD or the vendor's announcement...

CVSS 7.5, AI score 7.2, EPSS 0.00287
Exploits: 1, References: 7

CNVD
added 2020/12/29 12:0 a.m., 1 views

date-and-time denial-of-service vulnerability

Date And Time is a JavaScript-based npm code library from an individual developer for processing JS dates and times. A security vulnerability exists in versions prior to date-and-time 0.14.2, which stems from regular expression exception handling involving parsing, resulting in a...

CVSS 7.5, AI score 7, EPSS 0.00526
Exploits: 0, References: 1

CNNVD
added 2020/12/29 12:0 a.m., 1 views

Bigpipe predefine security breach

Bigpipe Predefine is a code library for managing Object.defineProperties objects in the Javascript language by the Bigpipe individual developers. A security vulnerability exists in predefine versions 0.0.0 through 0.1.2 that can be exploited by an attacker to cause a denial of service and...

CVSS 9.8, AI score 6.1, EPSS 0.02354
Exploits: 1, References: 3

CNNVD
added 2020/12/11 12:0 a.m., 3 views

Mout deepFillIn Code Issue Vulnerability

Mout is a Javascript-based code library from the Mout team that provides modular support for JS programming. Mout suffers from a security vulnerability that stems from the fact that the deepFillIn function can be used to "recursively fill in missing attributes" while deepMixIn "mixes objects into...

CVSS 7.5, AI score 7.2, EPSS 0.00982
Exploits: 1, References: 6

vulnersOsv
added 2020/10/18 2:20 p.m., 0 views

0i0 (=1.0.10), @1productaweek/react-stately (>=0.1.1 <=0.1.7) +1068 more potentially affected by CVE-2020-28477 via immer (>=7.0.0 <=8.0.0)

immer NPM version =7.0.0, =0.1.1, =0.1.0, =0.0.3-alpha.52, =0.0.10, =0.0.1, =0.1.0, =0.1.1, =0.97.1-20210526212817, =0.1.0, =2.3.1, =1.0.59, =4.4.2, =4.5.9 and more Source cves: CVE-2020-28477 Source advisory: SNYK:JS-IMMER-1019369...

CVSS 7.5, AI score 7.1, EPSS 0.00287
Exploits: 1

Snyk
added 2020/10/14 10:38 a.m., 2 views

Regular Expression Denial of Service (ReDoS)

Overview: @absolunet/kafe is a JavaScript utility library. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It allows an attacker to cause a denial of service when validating crafted invalid emails. Details: Denial of Service (DoS) describes a family of attacks, all...

CVSS 5.3, AI score 6.6, EPSS 0.00363
Exploits: 0, References: 2

vulnersOsv
added 2020/08/14 10:27 a.m., 0 views

node-oojs-tool (>=1.0.0 <=1.0.11), node-oojs-utility (>=1.0.5 <=1.2.11) +6 more potentially affected by CVE-2020-7721 via node-oojs (=1.4.0)

node-oojs NPM version =1.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on node-oojs and may be impacted: - node-oojs-tool =1.0.0, =1.0.5, =0.0.6, =0.1.0, =0.1.1, =0.1.0, =1.0.0, =1.0.5 Source cves: CVE-2020-7721 Source advisory: SNYK:JS-NODEOOJS-598...

CVSS 9.8, AI score 7.2, EPSS 0.0041
Exploits: 1

Atlassian
added 2020/08/03 10:44 p.m., 50 views

TinyMCE XSS vulnerability on version 4.7.11

Description: It seems that Confluence bundles a version of TinyMCE within the editor that has an XSS vulnerability. Confluence version 7.4.1 uses version 0.4.34 of the confluence-editor plugin that includes 4.7.11 of TinyMCE as a dependency. Confluence version 7.6.2 uses version 0.4.41 of the...

AI score 0.7
Exploits: 0, Affected Software: 1

Tenable Nessus
added 2020/03/24 12:0 a.m., 47 views

Debian DSA-4645-1 : chromium - security update

Several vulnerabilities have been discovered in the chromium web browser. - CVE-2019-20503 Natalie Silvanovich discovered an out-of-bounds read issue in the usrsctp library. - CVE-2020-6422 David Manouchehri discovered a use-after-free issue in the WebGL implementation. - CVE-2020-6424 Sergei...

CVSS 8.8, AI score 7.5, EPSS 0.02916
Exploits: 7, References: 21

Malwarebytes
added 2020/03/10 3:46 p.m., 60 views

Rocket Loader skimmer impersonates CloudFlare library in clever scheme

Update: The digital certificate issued for https.ps has been revoked by GlobalSign. Fraudsters are known for using social engineering tricks to dupe their victims, often times by impersonating authority figures to instill trust. In a recent blog post, we noted how criminals behind Magecart skimme...

AI score 6.9
Exploits: 0