nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads

A flaw was found in nodejs-handlebars, where it is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which allows an attacker to execute arbitrary code through crafted payloads. The highest threat from this...

nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option

A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system e.g. browser or server when the template is compiled with the...

nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution

A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to...

CBL Mariner 2.0 Security Update: nodejs (CVE-2022-43548)

The version of nodejs installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-43548 advisory. - A OS Command Injection vulnerability exists in Node.js versions 14.21.1, 16.18.1, 18.12.1, 19.0.1 due to an...

CBL Mariner 2.0 Security Update: nodejs (CVE-2022-32215)

The version of nodejs installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-32215 advisory. - The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly handle...

CBL Mariner 2.0 Security Update: nodejs (CVE-2022-32214)

The version of nodejs installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-32214 advisory. - The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not strictly use the CRL...

CVE-2023-28155

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect HTTP to HTTPS, or HTTPS to HTTP. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...

CVE-2023-28155 vulnerabilities

Vulnerabilities for packages: opensearch-dashboards, kubeflow-pipelines, opensearch-dashboards-fips...

SUSE-SU-2023:0738-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: Update to NodeJS 18.14.2 LTS: - CVE-2023-23918: Fixed permissions policies that could have been bypassed via process.mainModule bsc1208481. - CVE-2023-23919: Fixed OpenSSL error handling issues in nodejs crypto library bsc1208483. -...

DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit

Adversary-in-the-middle AiTM phishing kits are part of an increasing trend that is observed supplanting many other less advanced forms of phishing. AiTM phishing is capable of circumventing multifactor authentication MFA through reverse-proxy functionality. DEV-1101 is an actor tracked by Microso...

SUSE-SU-2023:0715-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: Update to NodeJS 18.14.2 LTS: - CVE-2023-23918: Fixed permissions policies that could have been bypassed via process.mainModule bsc1208481. - CVE-2023-23919: Fixed OpenSSL error handling issues in nodejs crypto library bsc1208483. -...

SUSE-SU-2023:0673-1 Security update for nodejs16

This update for nodejs16 fixes the following issues: Update to LTS version 16.19.1: - CVE-2023-23918: Fixed permissions policies that could have been bypassed via process.mainModule bsc1208481. - CVE-2023-23919: Fixed OpenSSL error handling issues in nodejs crypto library bsc1208483. -...

Critical Photon OS Security Update - PHSA-2023-3.0-0545

Updates of 'containerd', 'nodejs', 'haproxy', 'curl' packages of Photon OS have been released...

AZL-13827 CVE-2022-4904 affecting package nodejs for versions less than 16.20.1-2

A flaw was found in the c-ares package. The aressetsortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity...

SUSE-SU-2023:0609-1 Security update for nodejs16

This update for nodejs16 fixes the following issues: Update to LTS version 16.19.1: - CVE-2023-23918: Fixed permissions policies that could have been bypassed via process.mainModule bsc1208481. - CVE-2023-23919: Fixed OpenSSL error handling issues in nodejs crypto library bsc1208483. -...

SUSE-SU-2023:0608-1 Security update for nodejs16

This update for nodejs16 fixes the following issues: Update to LTS version 16.19.1: - CVE-2023-23918: Fixed permissions policies that could have been bypassed via process.mainModule bsc1208481. - CVE-2023-23919: Fixed OpenSSL error handling issues in nodejs crypto library bsc1208483. -...

Adapter: Open redirect vulnerability in checkSSO

A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function...

Internet Bug Bounty: Inadequate Encryption Strength in nodejs-current reads openssl.cnf from /home/iojs/build/... upon startup on MacOS

A cryptographic vulnerability was found in nodejs-current that allowed openssl.cnf to be read from an insecure location upon startup on MacOS, potentially exposing encryption keys or certificates...

DLA-3344-1 nodejs - security update

Bulletin has no description...

ALPINE-CVE-2023-23920

An untrusted search path vulnerability exists in Node.js. 19.6.1, 18.14.1, 16.19.1, and 14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges...