Prototype Pollution
assign-deep is vulnerable to prototype pollution. It does not validate the Object.keys before assigning it to the target object, therefore allowing an attacker to inject properties and objects into existing construct prototype...
Prototype Pollution
mixin-deep is vulnerable to prototype pollution. The vulnerability exists as properties of Object.prototype could be added through a constructor payload...
Prototype Pollution
Overview deeply is a toolkit for deep structure manipulations. It provides deep merge/clone functionality out of the box and exposes hooks and custom adapters for more control and greater flexibility. Affected versions of this package are vulnerable to Prototype Pollution. The function assign-de...
Prototype Pollution
Overview Versions of assign-deep prior to 1.0.1 are vulnerable to Prototype Pollution. The assign function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects...
Prototype Pollution
Overview Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all...
Feds: Cyberattack on NASA's JPL Threatened Mission-Control Data
NASA’s Jet Propulsion Laboratory (JPL) may know how to send delicate equipment to Mars, but basic cybersecurity best practices appear to pose an issue for it. A comprehensive federal review has detailed an April 2018 security incident that compromised mission systems – stemming from multiple IT...
Prototype Pollution
Overview mixin-deep is a package that deeply mixes the properties of objects into the first object. Affected versions of this package are vulnerable to Prototype Pollution. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload...
clam-util (>=0.0.5 <=0.1.20), generator-clam (>=0.1.68 <=0.1.86) +2 more potentially affected by CVE-2019-10746 via mixin-deep (=1.0.1)
mixin-deep NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on mixin-deep and may be impacted: - clam-util =0.0.5, =0.1.68, =0.3.0, =0.4.12 - grunt-formatdata =0.1.1 Source cves: CVE-2019-10746 Source advisory: SNYK:JS-MIXINDEEP-450212...
ts-node-server (>=1.1.0 <=2.0.0) potentially affected by CVE-2019-10746 via mixin-deep (=2.0.0)
mixin-deep NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on mixin-deep and may be impacted: - ts-node-server =1.1.0, =2.0.0 Source cves: CVE-2019-10746 Source advisory: SNYK:JS-MIXINDEEP-450212...
@peak-stone/vue-admin (>=1.0.1 <=2.1.1) potentially affected by CVE-2019-10745 via assign-deep (=1.0.0)
assign-deep NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on assign-deep and may be impacted: - @peak-stone/vue-admin =1.0.1, =2.1.1 Source cves: CVE-2019-10745 Source advisory: SNYK:JS-ASSIGNDEEP-450211...
@careteam/mfe-init (=0.0.8), @topfeed/topfeed (>=0.0.30 <=0.0.44) +69 more potentially affected by CVE-2019-10745 via assign-deep (>=0.1.2 <=0.4.7)
assign-deep NPM version =0.1.2, =0.0.30, =0.0.1, =1.0.0, =0.0.1, =0.1.0, =1.0.0, =1.2.0, =0.0.1, =1.0.0, =1.0.0, =0.0.1, =0.0.1, =1.0.0, =2.3.0 and more Source cves: CVE-2019-10745 Source advisory: SNYK:JS-ASSIGNDEEP-450211...
Prototype Pollution
Overview assign-deep is a library for deeply assigning the values of all enumerable-own-properties and symbols from one or more source objects to a target object. Affected versions of this package are vulnerable to Prototype Pollution. The function assign-deep could be tricked into adding or...
Ewon Flexy IoT Router. A Deep dive
First off I would like to thank the techs at PTP for their insights and help during this process. I know what I know, and I don't know what I don’t know, so I asked for help sometimes. I've learned a lot from this project e.g. how XOR works, and how to use IDA to analyse ARM binaries better, so I...
Check Point Response to CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 - TCP SACK PANIC Linux Kernel vulnerabilities
Cause CVE-2019-11477: The Linux kernel is vulnerable to an integer overflow in the 16-bit width of TCP_SKB_CB(skb)->tcp_gso_segs. A remote attacker could exploit this to crash the system and create a Denial of Service. CVE-2019-11478: The Linux kernel is vulnerable to a flaw that allows attackers to se...
Quarantyne - Modern Web Firewall: Stop Account Takeovers, Weak Passwords, Cloud IPs, DoS Attacks, Disposable Emails
Automated web security made simple. Quarantyne is a reverse-proxy that protects web applications and APIs from fraudulent behavior, misuse, bots and cyber-attacks in real time. Requirements: Java 8. Presentation: Quarantyne is a reverse-proxy written in Java. It fronts a web application or API and...
A week in security (May 6 – 12)
Last week on Labs, we discussed what to do when you discover a data breach, how 5G could impact cybersecurity strategy, the top six takeaways for user privacy, vulnerabilities in financial mobile apps that put consumers and businesses at risk, and in our series about vital infrastructure, we...
Prototype Pollution
Overview All versions of smart-extend are vulnerable to Prototype Pollution. The deep function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects. Recommendation No fix is currently available. Consider usi...
Partner Perspectives: Better Together: Blue Hexagon Deep Learning-Powered Network Security and Carbon Black Endpoint Security
Tom Guerrette is the Director of Solutions Architecture for Blue Hexagon. It’s no surprise to any of us in the security industry that the threat landscape has transformed in the last 5 years in both speed and volume of attacks. According to The AV-Test Security Report, in 2017, 121.6 million new...
Vuls - Vulnerability Scanner For Linux/FreeBSD, Agentless, Written In Go
Vulnerability scanner for Linux/FreeBSD, agentless, written in golang. Twitter: @vulsen DEMO Abstract For a system administrator, having to perform security vulnerability analysis and software update on a daily basis can be a burden. To avoid downtime in production environment, it is common for...
How the Dark Web Data Bazaar Fuels Enterprise Attacks
It seems every aspect of our lives is available to be found somewhere on the internet. And the information available isn’t simply embarrassing browsing histories but ranges from our medical histories to the logon credentials we use to access many of our online services. This is certainly a privac...