OSSF Malicious Packages
added 2026/05/20 5:31 a.m.

Malicious code in promptbook-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1223e123a8bd5b550647d800b438b2c5a78f3e10c9d1ab7a6a7cdbd8be465b90 dist/api.js contains a hardcoded URL https://promts.newtechcompany.ru referenced alongside process.env reads and a fetch call at line 44. The package...

AI score: 5.8 | Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2022-3959

Malicious code in bioql PyPI...

CVSS: 5.5 | AI score: 6.5 | EPSS: 0.00688 | Exploits: 0 | References: 19
OSV
added 2025/09/05 5:10 p.m.

MAL-2025-44250 Malicious code in fetch-request-hyperion-kardashevscale (npm)

The package fetch-request-hyperion-kardashevscale was found to contain malicious code...

AI score: 7 | Exploits: 0
OSV
added 2025/02/10 5:48 p.m.

GHSA-67MH-4WV8-2F99 esbuild enables any website to send any requests to the development server and read the response

Summary: esbuild allows any website to send any request to the development server and read the response due to its default CORS settings. Details: esbuild sets the Access-Control-Allow-Origin header on all responses, including the SSE connection, which allows any website to send any request to the...

CVSS: 5.3 | AI score: 6.8 | Exploits: 0 | References: 3
OSV
added 2025/01/27 11:31 a.m.

GHSA-2452-6XJ8-JH47 Opening a malicious website while running a Nuxt dev server could allow read-only access to code

Summary: Nuxt allows any website to send any request to the development server and read the response due to its default CORS settings. Details: While Vite patched its default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, Nuxt uses its own CORS handler by...

CVSS: 5.3 | AI score: 5.4 | EPSS: 0.00308 | Exploits: 0 | References: 8
Packet Storm
added 2024/09/25 12:00 a.m.

PHP SPM 1.0 Code Injection

Title: php spm 1.0 php code injection Vulnerability | Author: indoushka | Tested on: windows 10 FrPro / browser: Mozilla firefox 130.0.0 64 bits ...

AI score: 7.4 | Exploits: 0
Packet Storm
added 2024/08/20 12:00 a.m.

Accounting Journal Management System 1.0 Code Injection

Title: Accounting Journal Management System 1.0 php code injection Vulnerability | Author: indoushka | Tested on: windows 10 FrPro / browser:...

AI score: 7.4 | Exploits: 0
wpexploit
added 2023/09/01 12:00 a.m.

Activity Log < 2.8.8 - IP Spoofing

Description: This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate the value. This may be used to hide the source of malicious traffic. Run the following code in the web browser and note on the backend that the IP address has been faked...

CVSS: 5.3 | AI score: 5.4 | EPSS: 0.01525 | Exploits: 2
wpexploit
added 2023/08/14 12:00 a.m.

User Activity Log < 1.6.7 - IP Spoofing

Description: This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate the value. This may be used to hide the source of malicious traffic. 1. In User Activity Log Settings, enable the setting "Allow Ip Address of users to log." and save...

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.025 | Exploits: 2
Vulnrichment
added 2023/03/07 4:04 p.m.

CVE-2023-23776

An exposure of sensitive information to an unauthorized actor (CWE-200) vulnerability in FortiAnalyzer versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.4 and 6.4.0 through 6.4.10 may allow a remote authenticated attacker to read the client machine password in plain text in a heartbeat response when ...

CVSS: 4.6 | AI score: 6.3 | EPSS: 0.00077 | Exploits: 0 | References: 1
Prion
added 2023/01/30 11:15 p.m.

Design/Logic Flaw

A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could allow any remote domain to access the resource data supplied by the server when an attacker sends a fetch request from a third-party or malicious site. Affected Products: EcoStruxure Power Commission Versions pri...

CVSS: 5 | AI score: 7.4 | EPSS: 0.00206 | Exploits: 0 | References: 1 | Affected Software: 1
Cvelist
added 2023/01/30 12:00 a.m.

CVE-2022-22732

A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could allow any remote domain to access the resource data supplied by the server when an attacker sends a fetch request from a third-party or malicious site. Affected Products: EcoStruxure Power Commission Versions pri...

CVSS: 3.9 | AI score: 7.6 | EPSS: 0.00206 | Exploits: 0 | References: 1
wpexploit
added 2023/01/16 12:00 a.m.

Stream < 3.9.2 - Subscriber+ Alert Creation

The plugin does not prevent low-privileged users on the site, such as subscribers, from using its alert creation functionality, which may enable them to leak sensitive information. Step 1: Log in as a subscriber. Step 2: Get a nonce from...

CVSS: 6.5 | AI score: 6.3 | EPSS: 0.00416 | Exploits: 2
Hacker One
added 2022/11/02 2:19 a.m.

Slack: Unauthorized access to GovSlack

An unauthorized user could create a workspace on GovSlack by copying and sending a fetch request payload from slack.com to slack-gov.com, which would bypass the disabled option to create a workspace for new users. This could result in unauthorized access to GovSlack...

AI score: 6.9 | Exploits: 0
OSV
added 2022/06/09 2:15 p.m.

CVE-2022-31827

MonstaFTP v2.10.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the function performFetchRequest in HTTPFetcher.php...

CVSS: 9.1 | AI score: 5.8 | Exploits: 0 | References: 1
ATTACKERKB
added 2022/06/09 2:15 p.m.

CVE-2022-31827

MonstaFTP v2.10.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the function performFetchRequest in HTTPFetcher.php...

CVSS: 9.1 | AI score: 5.3 | EPSS: 0.00451 | Exploits: 1 | References: 2
wpexploit
added 2022/06/02 12:00 a.m.

HTML2WP <= 1.0.0 - Subscriber+ Arbitrary File Deletion

The plugin does not have authorisation and CSRF checks in an AJAX action available to any authenticated user, such as a subscriber, which could allow them to delete arbitrary files. To delete the license.txt at the root of the blog: await...

CVSS: 8.1 | AI score: 0.4 | EPSS: 0.00279 | Exploits: 2
wpexploit
added 2022/01/18 12:00 a.m.

Five Star Business Profile and Schema < 2.1.7 - Subscriber+ Page Creation & Settings Update to Stored XSS

The plugin does not have any authorisation or CSRF checks in its bpfwpwelcomeaddcontactpage and bpfwpwelcomesetcontactinformation AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Furthermore, due to the lack of sanitisation, this also leads to Stored Cross-Site Scripting...

CVSS: 5.4 | AI score: 0.4 | EPSS: 0.00208 | Exploits: 2
Veracode
added 2020/09/21 6:25 a.m.

Information Disclosure

Firefox is vulnerable to information disclosure. When a Web Extension has the all-urls permission and performs a fetch request with mode set to same-origin, an attacker is able to read local files...

CVSS: 7.5 | AI score: 1.4 | EPSS: 0.00349 | Exploits: 0 | References: 2 | Affected Software: 4
RedhatCVE
added 2020/04/29 12:39 p.m.

CVE-2020-6809

When a Web Extension had the all-urls permission and made a fetch request with a mode set to 'same-origin', it was possible for the Web Extension to read local files. This vulnerability affects Firefox 74...

CVSS: 7.5 | AI score: 2.5 | EPSS: 0.00349 | Exploits: 0 | References: 4