RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2023:0612)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0612 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

Huawei EulerOS: Security Advisory for sssd (EulerOS-SA-2023-1295)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Design/Logic Flaw

A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause all remote domains to access the resources data supplied by the server when an attacker sends a fetch request from third-party site or malicious site. Affected Products: EcoStruxure Power Commission Versions pri...

CVE-2022-22732

A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause all remote domains to access the resources data supplied by the server when an attacker sends a fetch request from third-party site or malicious site. Affected Products: EcoStruxure Power Commission Versions pri...

Malicious Package

Overview maw-fetch is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...

GSD-2023-1000604 ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value

ACPI: processor: idle: Check acpifetchacpidev return value This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v6.0.16 by commit...

GSD-2023-1000247 tipc: re-fetch skb cb after tipc_msg_validate

tipc: re-fetch skb cb after tipcmsgvalidate This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.10.158 by commit...

Stream < 3.9.2 - Subscriber+ Alert Creation

The plugin does not prevent users with little privileges on the site like subscribers from using its alert creation functionality, which may enable them to leak sensitive information. Step 1: Log in as a subscriber Step 2: Get a nonce from...

The gotcha of unhandled promise rejections

Let's say you wanted to display a bunch of chapters on the page, and for whatever reason, the API only gives you a chapter at a time. You could do this: async function showChapterschapterURLs for const url of chapterURLs const response = await fetchurl; const chapterData = await response.json;...

CVE-2022-4710

The Royal Elementor Addons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.59, due to due to insufficient input sanitization and output escaping of the 'wprajaxsearchlinktarget' parameter in the 'datafetch' function. This makes it possibl...

CVE-2022-4710

The Royal Elementor Addons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.59, due to due to insufficient input sanitization and output escaping of the 'wprajaxsearchlinktarget' parameter in the 'datafetch' function. This makes it possibl...

MAL-2023-585 Malicious code in maw-fetch (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2e087ddeaa6fa26778dc4e7f70a99bcca922ebb491a7166039a58392e118e5f0 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in maw-fetch (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2e087ddeaa6fa26778dc4e7f70a99bcca922ebb491a7166039a58392e118e5f0 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2022-41919

A Cross-site request forgery CSRF vulnerability was found in fastify due to improper handling of incorrect Content-Types. This flaw allows an attacker to use an incorrect 'Content-Type' to bypass checks to allow fetch requests that could be used to invoke routes that only accept application/json...

node-fetch: exposure of sensitive information to an unauthorized actor

A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized...

RHEL 8 : nodejs:14 (RHSA-2023:0050)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0050 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

Moderate: nodejs:14 security, bug fix, and enhancement update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 14.21.1, nodejs-nodemon 2.0.20. Security Fixes: minimist: prototype pollution...

PT-2023-10812

Name of the Vulnerable Software and Affected Versions roxlukas LMeve versions up to 0.1.58 Description A critical issue affects the function insert log of the file wwwroot/ccpwgl/proxy.php. The manipulation of the argument fetch leads to SQL injection. Recommendations For versions up to 0.1.58,...

User Verification < 1.0.94 - Authentication Bypass

The plugin was affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the website...

DEBIAN-CVE-2022-45410

When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR...