User object created with invalid provider data in GoTrue
Impact: What kind of vulnerability is it? Who is impacted? Under certain circumstances a valid user object would have been created with invalid provider metadata. This vulnerability affects everyone running an instance of GoTrue as a service. We advise you to update especially if you are using the...
Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify
We looked into exploitation attempts we observed in the wild and the abuse of legitimate platforms Netlify and GitHub as repositories for malware...
U.S. Dept Of Defense: XSS trigger via HTML Iframe injection in ( https://██████████ ) due to unfiltered HTML tags
Hi team, I found an Iframe injection issue where I chained it and formed an XSS. I found the issue in the text editor area while ███████ing the account. There is a place in the registration area where we have to give a reason for █████████. We can write our reason and edit to show more beautifull...
The vulnerability of the Netlify domain controller, related to improperly configured DNS records, allows attackers to intercept cookie files, bypass Content Security Policy (CSP) security policies, Cross-Origin Resource Sharing (CORS) mechanisms, and gain unauthorized access to protected information.
The vulnerability of the Netlify domain controller implementation is related to improperly configured DNS records. Exploiting this vulnerability allows a malicious actor to intercept cookie files, bypass security mechanisms like CSP and Cross-Origin Resource Sharing (CORS), and gain unauthorized acces...
Cross-site Scripting (XSS) - Generic in netlify/netlify-cms
Description netlify-cms-widget-markdown is vulnerable to Cross-Site Scripting (XSS). Steps To Reproduce 1. Use the application or use the demo https://cms-demo.netlify.com//collections/posts/new 2. Switch to markdown mode in the editor. 3. Insert the XSS payload into the editor body 4. XSS payload will...
Cloud Lookup (and Bypass)
This module can be useful if you need to test the security of your server and your website behind a cloud-based solution, by discovering the origin IP address of the targeted host. More precisely, this module uses multiple data sources (in order: ViewDNS.info, DNS enumeration and Censys) to collect...
netlify-plugin-cypress (>=1.0.2 <=1.3.3) potentially affected by CVE-2019-10775 via ecstatic (=4.1.2)
ecstatic NPM version =4.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on ecstatic and may be impacted: - netlify-plugin-cypress >=1.0.2, <=1.3.3 Source cves: CVE-2019-10775 Source advisory: SNYK:JS-ECSTATIC-540354...