17 matches found
Fintech Giant Finastra Investigating Data Breach
The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world's top 50 banks, notified customers of the security incident...
MAL-2022-3041 Malicious code in finastra.design (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware dabfa8dadfd1469373fbfe163e321dbc0b021ab5d722d1e72114e677261cec6b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in finastra.design (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware dabfa8dadfd1469373fbfe163e321dbc0b021ab5d722d1e72114e677261cec6b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-3039 Malicious code in finastra-design-system (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 98f06ed0cb2ce7de70bb48dced08c5541ad79dad1c3d21a604eed4f010314fcf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in finastra-nodejs-libs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4e6a9bcca9d10ce688e00eb4a63926581e73d476c15bb88fff42f9fb30a39f25 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in finastra-design-system (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 98f06ed0cb2ce7de70bb48dced08c5541ad79dad1c3d21a604eed4f010314fcf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-3040 Malicious code in finastra-nodejs-libs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4e6a9bcca9d10ce688e00eb4a63926581e73d476c15bb88fff42f9fb30a39f25 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-77MV-4RG7-R8QV Potential Sensitive Cookie Exposure in NPM Packages @finastra/nestjs-proxy, @ffdc/nestjs-proxy
The nestjs-proxy library did not have a way to block sensitive cookies (e.g. session cookies) from being forwarded to backend services configured by the application developer. This could have led to sensitive cookies being inadvertently exposed to such services that should not see them. The patched...
Information Disclosure
@finastra/nestjs-proxy is vulnerable to information disclosure. The vulnerability exists in the ProxyService function due to a lack of sanitization in the authorization header which allows an unauthorized user to access sensitive information in the system...
CVE-2022-31070
NestJS Proxy is a NestJS module to decorate and proxy calls. Prior to version 0.7.0, the nestjs-proxy library did not have a way to block sensitive cookies (e.g. session cookies) from being forwarded to backend services configured by the application developer. This could have led to sensitive cooki...
CVE-2022-31070
The CVE-2022-31070 issue affects the NestJS Proxy library. Prior to 0.7.0, nestjs-proxy could forward sensitive cookies (e.g., session cookies) to backend services, risking exposure. The fix is in @finastra/nestjs-proxy v0.7.0, which blocks cookies by default; an allowedCookies whitelist can be c...
Cross Site Scripting (XSS) in @finastra/ssr-pages
A cross-site scripting (XSS) issue can occur when providing untrusted input to the redirect.link property as an argument to the buildMessagePageOptions function. References - https://github.com/Finastra/ssr-pages/pull/2 -...
feling87-nodejs-libs (>=0.0.1 <=0.0.3) potentially affected by CVE-2022-24717 via @finastra/ssr-pages (=0.1.3)
@finastra/ssr-pages NPM version =0.1.3 is affected by a known vulnerability. The following packages have a transitive dependency on @finastra/ssr-pages and may be impacted: - feling87-nodejs-libs =0.0.1, =0.0.3 Source cves: CVE-2022-24717 Source advisory: OSV:GHSA-7F63-H6G3-7CWM...
feling87-nodejs-libs (>=0.0.1 <=0.0.3) potentially affected by CVE-2022-24718 via @finastra/ssr-pages (=0.1.3)
@finastra/ssr-pages NPM version =0.1.3 is affected by a known vulnerability. The following packages have a transitive dependency on @finastra/ssr-pages and may be impacted: - feling87-nodejs-libs =0.0.1, =0.0.3 Source cves: CVE-2022-24718 Source advisory: OSV:GHSA-W6CX-QG2Q-RVQ8...
Path Traversal in @finastra/ssr-pages
A path traversal issue can occur when providing untrusted input to the svg property as an argument to the buildMessagePageOptions function. References - https://github.com/Finastra/ssr-pages/pull/1 - https://github.com/Finastra/ssr-pages/pull/1/commits/c3e4c563384ae3ba3892f37dd190218577620780...
GHSA-W6CX-QG2Q-RVQ8 Path Traversal in @finastra/ssr-pages
A path traversal issue can occur when providing untrusted input to the svg property as an argument to the buildMessagePageOptions function. References - https://github.com/Finastra/ssr-pages/pull/1 - https://github.com/Finastra/ssr-pages/pull/1/commits/c3e4c563384ae3ba3892f37dd190218577620780...
Security Breach Disrupts Fintech Firm Finastra
Finastra, a company that provides a range of technology solutions to banks worldwide, said today it was shutting down key systems in response to a security breach discovered this morning. The company's public statement and notice to customers do not mention the cause of the outage, but their...