345 matches found
Malicious code in gulp-browserify-thin (npm)
Source: ghsa-malware (6ef843cda125c2cda337af64084a57a7a79a488e977a9ec4ca912704ab2059c4). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-3502 Malicious code in gulp-browserify-thin (npm)
Source: ghsa-malware (6ef843cda125c2cda337af64084a57a7a79a488e977a9ec4ca912704ab2059c4). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
boomcatch (>=1.7.1 <=2.0.2), built.io (>=2.0.37 <=2.0.41) +2 more potentially affected by CVE-2021-4229 via ua-parser-js (=0.7.3)
ua-parser-js NPM version =0.7.3 is affected by a known vulnerability. The following packages have a transitive dependency on ua-parser-js and may be impacted: - boomcatch =1.7.1, =2.0.37, =2.0.37, =1.0.62, =1.0.72 Source cves: CVE-2021-4229 Source advisory: OSV:GHSA-PJWM-RVH2-C87W...
brat-frontend-editor (>=0.0.19 <=0.3.42), frontend-editor (>=0.0.1 <=0.0.5) +3 more potentially affected by CVE-2021-20086 via jquery-bbq (>=0.0.1 <=1.0.0)
jquery-bbq NPM version =0.0.1, =0.0.19, =0.0.1, =0.0.1, =2.1.3, =2.2.3-a Source cves: CVE-2021-20086 Source advisory: OSV:GHSA-7W8J-85WM-6XFQ...
Withdrawn: Arbitrary Code Execution in static-eval
All versions of package static-eval are vulnerable to Arbitrary Code Execution using FunctionExpressions and TemplateLiterals. PoC: var evaluate = require('static-eval'); var parse = require('esprima').parse; var src="function x return...
GHSA-8V27-2FG9-7H62 Withdrawn: Arbitrary Code Execution in static-eval
All versions of package static-eval are vulnerable to Arbitrary Code Execution using FunctionExpressions and TemplateLiterals. PoC: var evaluate = require('static-eval'); var parse = require('esprima').parse; var src="function x return...
Malicious Package in browserift
Version 16.3.3 of browserift contained malicious code as a preinstall script. The package was a backdoor that opened a connection to a remote server and executed incoming commands on both Unix and Windows machines. Recommendation: Any computer that has this package installed or running should be...
brocode (>=1.0.0 <=2.0.0-pre4), browserify-lazy-server (>=0.0.0-beta.0 <=0.0.0-beta.1) +10 more potentially affected by CVE-2018-14730 via browserify-hmr (=0.3.7)
browserify-hmr NPM version =0.3.7 is affected by a known vulnerability. The following packages have a transitive dependency on browserify-hmr and may be impacted: - brocode =1.0.0, =0.0.0-beta.0, =0.2.0, =3.5.0, =1.0.0, =0.0.3, =2.3.0, =0.1.0, =1.0.0, =0.1.0, =0.0.11, =0.0.13 Source cves:...
Missing Origin Validation in browserify-hmr
Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated...
GHSA-77Q4-M83Q-W76V Missing Origin Validation in browserify-hmr
Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated...
Code Sniffing
browserify-hms is vulnerable to code sniffing. The code sniffing is possible because the WebSocket server for HMR (Hot Module Replacement) does not validate the origin of the request, allowing unauthorised users to access HMR messages sent by the WebSocket server via a ws://127.0.0.1:8080/ connection fr...
CVE-2018-14730
An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/...
Code injection
An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/...
CVE-2018-14730
The CVE-2018-14730 entry concerns Browserify-HMR. Affected component: the WebSocket server used for Hot Module Replacement. Root cause: origin validation is missing, allowing any origin to receive HMR messages via ws://127.0.0.1:3123/ (or similar), enabling an attacker to access a developer's cod...
Insecure Cryptography
crypto-browserify generates cryptographically insecure random numbers. The library uses the native JavaScript Math.random to generate random numbers, which has been proven to be insecure...
Potential for Script Injection
Overview: Versions of syntax-error prior to 1.1.1 are affected by a cross-site scripting vulnerability which may allow a malicious file to execute code when browserified. Recommendation: Update to version 1.1.1 or later. References: Browserify 4.2.1 Update; GitHub Advisory...
Browserify Node.js Remote Code Execution (CVE-2014-7192)
A remote code execution was discovered in Browserify Node.js. An unauthenticated attacker may use this vulnerability to execute code on the vulnerable server...
Node Browserify RCE vuln (<= 4.2.0)
Hello, Discovered an RCE vuln in Browserify <=4.2.0. Maintainer patched upstream just 4 hours after responsible disclosure yesterday, now fixed as of 4.2.1. Summary and POC found here: http://iops.io/blog/browserify-rce-vulnerability/ Cal...