EUVD-2022-5930

Malicious code in bioql PyPI...

EUVD-2022-6244

Malicious code in bioql PyPI...

GHSA-5GXC-FXCR-9326 convert-svg-core vulnerable to remote code injection

The package convert-svg-core before 0.6.2 is vulnerable to Remote Code Injection via sending an SVG file containing the payload in an onload attribute. Puppeteer/Chromium used by convert-svg-core will execute any code within that tag, including malicious code. PoC Payload html where the id...

convert-svg-core vulnerable to remote code injection

The package convert-svg-core before 0.6.2 is vulnerable to Remote Code Injection via sending an SVG file containing the payload in an onload attribute. Puppeteer/Chromium used by convert-svg-core will execute any code within that tag, including malicious code. PoC Payload html where the id...

@bolstergroup/botstr.io-set-times (>=0.0.1 <=0.0.7), @bolstergroup/botstr.io-spotify (>=0.0.18 <=0.0.43) +42 more potentially affected by CVE-2022-25759 via convert-svg-core (>=0.3.3 <=0.5.0)

convert-svg-core NPM version =0.3.3, =0.0.1, =0.0.18, =1.0.44, =0.1.0, =0.0.1, =0.1.6, =1.0.0, =0.0.1, =1.0.2, =0.3.0, =0.3.0, =1.0.3, =1.2.1 and more Source cves: CVE-2022-25759 Source advisory: OSV:GHSA-5GXC-FXCR-9326...

CVE-2022-25759

The CVE-2022-25759 issue affects the convert-svg-core npm package, specifically versions before 0.6.2. It enables remote code injection by processing an SVG containing a payload (notably via an onload attribute). Impact is remote code execution when using the vulnerable library in conjunction wit...

CVE-2022-25759

The package convert-svg-core before 0.6.2 are vulnerable to Remote Code Injection via sending an SVG file containing the payload...

Directory traversal in convert-svg-core

The package convert-svg-core before 0.6.4 is vulnerable to Directory Traversal due to improper sanitization of SVG tags. Exploiting this vulnerability is possible by using a specially crafted SVG file...

@bolstergroup/botstr.io-set-times (>=0.0.1 <=0.0.7), @bolstergroup/botstr.io-spotify (>=0.0.18 <=0.0.43) +42 more potentially affected by CVE-2022-24278 via convert-svg-core (>=0.3.3 <=0.5.0)

convert-svg-core NPM version =0.3.3, =0.0.1, =0.0.18, =1.0.44, =0.1.0, =0.0.1, =0.1.6, =1.0.0, =0.0.1, =1.0.2, =0.3.0, =0.3.0, =1.0.3, =1.2.1 and more Source cves: CVE-2022-24278 Source advisory: OSV:GHSA-5F47-RCG5-9M24...

GHSA-5F47-RCG5-9M24 Directory traversal in convert-svg-core

The package convert-svg-core before 0.6.4 is vulnerable to Directory Traversal due to improper sanitization of SVG tags. Exploiting this vulnerability is possible by using a specially crafted SVG file...

@bolstergroup/botstr.io-set-times (>=0.0.1 <=0.0.7), @bolstergroup/botstr.io-spotify (>=0.0.18 <=0.0.43) +42 more potentially affected by CVE-2022-24429 via convert-svg-core (>=0.3.3 <=0.5.0)

convert-svg-core NPM version =0.3.3, =0.0.1, =0.0.18, =1.0.44, =0.1.0, =0.0.1, =0.1.6, =1.0.0, =0.0.1, =1.0.2, =0.3.0, =0.3.0, =1.0.3, =1.2.1 and more Source cves: CVE-2022-24429 Source advisory: OSV:GHSA-54PX-MHWV-5V8X...

Code injection via SVG file in convert-svg-core

The package convert-svg-core before 0.6.3 are vulnerable to Arbitrary Code Injection when using a specially crafted SVG file. An attacker can read arbitrary files from the file system and then show the file content as a converted PNG file...

GHSA-54PX-MHWV-5V8X Code injection via SVG file in convert-svg-core

The package convert-svg-core before 0.6.3 are vulnerable to Arbitrary Code Injection when using a specially crafted SVG file. An attacker can read arbitrary files from the file system and then show the file content as a converted PNG file...

CVE-2022-24278

The package convert-svg-core before 0.6.4 are vulnerable to Directory Traversal due to improper sanitization of SVG tags. Exploiting this vulnerability is possible by using a specially crafted SVG file...

CVE-2022-24278

The package convert-svg-core before 0.6.4 are vulnerable to Directory Traversal due to improper sanitization of SVG tags. Exploiting this vulnerability is possible by using a specially crafted SVG file...

CVE-2022-24278

The CVE-2022-24278 entry concerns convert-svg-core

CVE-2022-24429

The CVE-2022-24429 entry concerns convert-svg-core before 0.6.3, which is vulnerable to Arbitrary Code Injection via a specially crafted SVG file. Affected component is the SVG-to-PNG rendering flow; root cause involves improper handling/removal of malicious SVG attributes, enabling an attacker t...

CVE-2022-24429

The package convert-svg-core before 0.6.3 are vulnerable to Arbitrary Code Injection when using a specially crafted SVG file. An attacker can read arbitrary files from the file system and then show the file content as a converted PNG file...

Directory Traversal

Overview convert-svg-core is a package that supports converting SVG into another format using headless Chromium. Affected versions of this package are vulnerable to Directory Traversal due to improper sanitization of SVG tags. Exploiting this vulnerability is possible by using a specially crafted...

@bolstergroup/botstr.io-set-times (>=0.0.1 <=0.0.7), @bolstergroup/botstr.io-spotify (>=0.0.18 <=0.0.43) +42 more potentially affected by CVE-2022-24278 via convert-svg-core (>=0.3.3 <=0.5.0)

convert-svg-core NPM version =0.3.3, =0.0.1, =0.0.18, =1.0.44, =0.1.0, =0.0.1, =0.1.6, =1.0.0, =0.0.1, =1.0.2, =0.3.0, =0.3.0, =1.0.3, =1.2.1 and more Source cves: CVE-2022-24278 Source advisory: SNYK:JS-CONVERTSVGCORE-2859830...