Command injection
This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection...
CVE-2021-23326 Command Injection
This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection...
CVE-2021-23326
The CVE-2021-23326 entry applies to the package @graphql-tools/git-loader prior to 6.2.6. The vulnerability stems from the use of exec and execSync in packages/loaders/git/src/load-git.ts, enabling arbitrary command injection. Impact is described as potential command execution with the associated...
The Guild Graphql Tools Command Injection Vulnerability
The Guild Graphql Tools is a tool from The Guild that generates graphql query statements based on a specific syntax. A command injection vulnerability exists in @graphql-tools/git-loader prior to version 6.2.6, which stems from the use of exec and execSync in packages/loaders/git/src/load-git.ts t...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection. As this is a dev tool, input is generally controlled by the user that executes the command. Remediation Upgrade...
@corejam/base (>=0.0.1 <=0.0.2), @corejam/cli (>=0.0.1 <=0.0.5) +27 more potentially affected by CVE-2021-23326 via @graphql-tools/git-loader (>=6.0.0-alpha.1 <=6.2.6-alpha-9e1fc254.0)
@graphql-tools/git-loader NPM version =6.0.0-alpha.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =6.0.15, =4.0.1-alpha-0a0f697.0, =4.0.1-alpha-0a0f697.0, =1.13.6-alpha-c74c7b7d.14, =0.0.0-canary.02a53c5, =0.0.1, =1.0.5, =0.0.24, =0.1.0, =1.29.0, =2.0.0-alpha.36 and more Source cves: CVE-2021-23326 Source...
Code injection
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited furth...
CVE-2020-28472
Prototype Pollution vulnerability CVE-2020-28472 affects @aws-sdk/shared-ini-file-loader (< 1.0.0-rc.9) and aws-sdk (
CVE-2020-28472 Prototype Pollution
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited furth...
Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks
Cybersecurity researchers have disclosed a series of attacks by a threat actor of Chinese origin that has targeted organizations in Russia and Hong Kong with malware — including a previously undocumented backdoor. Attributing the campaign to Winnti or APT41, Positive Technologies dated the first...
@alwaysai/serverless-component (>=1.19.0 <=1.19.2), @andre.bonna/serverless-next.js (=1.14.1) +318 more potentially affected by CVE-2020-28472 via @aws-sdk/shared-ini-file-loader (>=1.0.0-beta.4 <=1.0.0-rc.8)
@aws-sdk/shared-ini-file-loader NPM version =1.0.0-beta.4, =1.19.0, =1.2.19-preview.112, =1.0.38-preview.116, =1.0.1-preview.0, =1.0.1-preview.0, =1.2.27-preview.116, =1.0.29-preview.139, =1.0.29-preview.139, =1.0.9-preview.5387, =1.0.32-preview.139, =1.2.1-ui-preview.54, =1.0.30-preview.139,...
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context. P...
A vulnerability in the frame loader of Firefox, Firefox ESR and the Thunderbird email client allows an attacker to cause a denial of service.
The vulnerability in the frame loader of Firefox, Firefox ESR and the Thunderbird email client is a use-after-free (memory accessed after it has been freed). Exploiting it can allow a remote attacker to cause a denial of service...
Deserialization of Untrusted Data
Overview pyqlib is an AI-oriented quantitative investment platform. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The workflow function in cli part of qlib was using an unsafe YAML load function. Details Serialization is a process of converting an object...
A vulnerability in the core.arh component of the EKRA 200 series microprocessor-based devices allows an attacker to cause a system failure.
The vulnerability in the core.arh component of the EKRA 200 series firmware stems from insufficient validation of input data during updates. Exploiting it can allow an attacker to cause a denial of service using a specially crafted HEX/LDR file...
CVE-2019-10328
A flaw was found in the Jenkins Workflow Remote Loader plugin. An unsafe whitelist entry was made that allowed invoking arbitrary methods and bypassing sandbox protection. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
CVE-2019-19872
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. The AprolLoader could be used to inject and execute arbitrary unintended commands via an unspecified attack scenario, a different vulnerability than CVE-2019-16364...
A vulnerability in the Installer component of Intel Dynamic Application Loader (DAL) software allows an attacker to escalate privileges.
The vulnerability in the Installer component of Intel Dynamic Application Loader (DAL) software stems from improper access control. Exploiting it can allow an attacker to escalate privileges...
Malsmoke operators abandon exploit kits in favor of social engineering scheme
Exploit kits continue to be used as a malware delivery platform. In 2020, we've observed a number of different malvertising campaigns leading to RIG, Fallout, Spelevo and Purple Fox, among others. And, in September, we put out a blog post detailing a surge in malvertising via adult websites. One o...