Code injection
The use of Module.load can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x. Please note that at the time this CV...
Node.js Security Vulnerabilities
Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js versions 16.x, 18.x, and 20.x that stems from the ability to bypass the policy mechanism and define modules other than those given...
SUSE CVE-2023-32006
The use of module.constructor.createRequire can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x. Please note th...
A vulnerability in the web server of the firmware for the processor module control units of Siemens SICAM CP-8031 and CP-8050 allows an attacker to escalate their privileges.
The vulnerability in the web server of the firmware for the Siemens SICAM CP-8031/CP-8050 processor module control units is due to the use of hard-coded login credentials. Exploiting this vulnerability can allow attackers to escalate their privileges...
A vulnerability in the web page rendering modules of WebKitGTK and WPE for iOS, iPadOS, tvOS, macOS, watchOS, and the Safari browser allows attackers to bypass existing security restrictions.
The vulnerability in the web page rendering modules of WebKitGTK and WPE for iOS, iPadOS, tvOS, macOS, watchOS, and the Safari browser is due to security configuration errors. Exploiting this vulnerability can allow a remote attacker to bypass existing security restrictions...
GHSA-F8PQ-3926-8GX5 Unsanitized user controlled input in module generation
Impact The import-in-the-middle loader used by @opentelemetry/instrumentation works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. It allows for remote code execution in cases where an application passes...
CLSA-2023-1691606104 openssh: Fix of CVE-2023-38408
CVE-2023-38408: checks libraries before dlopen and separate ssh-pkcs11-helpers for each p11 module...
CLSA-2023-1691576488 Fix CVE(s): CVE-2023-38408
SECURITY UPDATE: helper programs can dlopen/dlclose any libraries from /usr/lib - debian/patches/CVE-2023-38408-Ensure-FIDO-PKCS11-libraries-contain-expect.patch: checks libraries before dlopen - debian/patches/CVE-2023-38408-Separate-ssh-pkcs11-helpers-for-each-p11-mo.patch: separate...
A vulnerability in the web page rendering modules of WebKitGTK and WPE for iOS, iPadOS, tvOS, macOS, watchOS, and the Safari browser allows an attacker to execute arbitrary code.
The vulnerability in the web page rendering modules of WebKitGTK and WPE for iOS, iPadOS, tvOS, macOS, watchOS, and the Safari browser is due to out-of-bounds memory operations. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
import-in-the-middle has unsanitized user controlled input in module generation
Impact The import-in-the-middle loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. It allows for remote code execution in cases where an application passes user-supplied input directly to an import...
CVE-2023-39532 SES's dynamic import and spread operator provides possible path to arbitrary exfiltration and execution
SES is a JavaScript environment that allows safe execution of arbitrary programs in Compartments. In version 0.18.0 prior to 0.18.7, 0.17.0 prior to 0.17.1, 0.16.0 prior to 0.16.1, 0.15.0 prior to 0.15.24, 0.14.0 prior to 0.14.5, and 0.13.0 prior to 0.13.5, there is a hole in the confinement of...
Node.js Modules Installed (macOS)
Binary data nodejsmodulesmacinstalled.nbin...
A vulnerability in the web page rendering modules of WebKitGTK and WPE for iOS, iPadOS, macOS, watchOS, and the Safari browser allows an attacker to execute arbitrary code.
The vulnerability in the web page rendering modules of WebKitGTK and WPE for iOS, iPadOS, tvOS, macOS, watchOS, and the Safari browser is due to out-of-bounds memory operations. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
CVE-2023-38704
import-in-the-middle is a module loading interceptor specifically for ESM modules. The import-in-the-middle loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. Prior to version 1.4.2, it allows for...
Input validation
import-in-the-middle is a module loading interceptor specifically for ESM modules. The import-in-the-middle loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. Prior to version 1.4.2, it allows for...
CVE-2023-38704
CVE-2023-38704 affects import-in-the-middle (ESM loader). Prior to version 1.4.2 it allows remote code execution when user-supplied input is passed to import(). This vulnerability has been patched in 1.4.2. Mitigation guidance includes not passing user input to import(), and, if EcmaScript Modules ...
CVE-2023-38704 import-in-the-middle allows unsanitized user controlled input in module generation
import-in-the-middle is a module loading interceptor specifically for ESM modules. The import-in-the-middle loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. Prior to version 1.4.2, it allows for...
New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers
Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap that's engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher...