OSSF Malicious Packages | added 2023/11/09 12:58 p.m.

Malicious code in vader-pack (npm)

Source: ghsa-malware 3f1011ad5820edf4133971eeebc94ab36b715c17b0f12059f941506ec89ec64e. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9 | Exploits: 0 | References: 1
OSV | added 2023/10/27 9:55 p.m.

GHSA-7C2Q-5QMR-V76Q DoS vulnerabilities persist in ESAPI file uploads despite remediation of CVE-2023-24998

Impact: ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods, or more specifically...

CVSS 7.5 | AI score 7.2 | Exploits: 0 | References: 2
NVD | added 2023/10/19 11:15 p.m.

CVE-2023-41898

Home Assistant is an open source home automation platform. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential...

CVSS 8.6 | AI score 8.4 | EPSS 0.00097 | Exploits: 0 | References: 1
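The WebView entry above comes down to one missing check: the activity loaded a URL it did not originate. The function below is an added illustration, written in Python rather than the Companion app's Kotlin and not taken from the advisory or the project, of the gate an app should put in front of an embedded web view before loading an externally supplied URL: require https, refuse userinfo and backslashes (browsers treat `\` as `/`, URL parsers often do not, so the two can disagree about the host), and compare host and port against an allowlist of the user's configured instances. The allowlist contents and host names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the instance(s) the user configured in the app.
ALLOWED_ORIGINS = {"home.example:8123", "ha.internal.example"}


def is_allowed_url(url: str, allowed_origins: set = ALLOWED_ORIGINS) -> bool:
    """Return True only if `url` is an https URL whose host[:port] is allowlisted.

    Rejects what a WebView would happily render but the app never meant to open:
    javascript:/file:/intent: schemes, userinfo tricks such as
    https://trusted@evil.example, and backslashes or control characters that
    make urlsplit() and a browser parse the authority differently.
    """
    if not isinstance(url, str) or "\\" in url or any(ch in url for ch in "\x00\r\n\t"):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lowercased; IPv6 brackets already stripped
    if not host:
        return False
    # Exact origin match: no suffix matching, and the port is part of the origin,
    # so https://home.example/ is not the same instance as https://home.example:8123/.
    origin = host if port is None else f"{host}:{port}"
    return origin in allowed_origins


if __name__ == "__main__":
    for candidate in (
        "https://home.example:8123/lovelace/0",
        "http://home.example:8123/",
        "javascript:alert(document.cookie)",
        "https://evil.example@home.example:8123/",
        "https://evil.example\\@home.example:8123/",
        "https://home.example:8123.evil.example/",
    ):
        print(f"{'ALLOW' if is_allowed_url(candidate) else 'BLOCK':5}  {candidate}")
```

Note that the check is deliberately an exact match on `host[:port]`; anything looser (substring or suffix matching on the host) is exactly how `https://home.example.evil.example/` slips through.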
NVD | added 2023/10/19 11:15 p.m.

CVE-2023-41899

Home Assistant is an open source home automation platform. In affected versions the hassio.addon_stdin service is vulnerable to a partial Server-Side Request Forgery, where an attacker capable of calling this service (e.g. through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a PO...

CVSS 7.2 | AI score 6.3 | EPSS 0.00168 | Exploits: 0 | References: 2
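The SSRF entry above is the Supervisor-proxy pattern: a service takes a caller-supplied add-on slug and interpolates it into the path of a POST to the Supervisor API, so a slug containing `/`, `..`, `?` or `#` retargets the request at a different endpoint. The example below is added here and is not Home Assistant Core's own code; it contrasts the unchecked interpolation with a version that only accepts a bare slug. The Supervisor base URL, the `/addons/<slug>/stdin` path and the slug grammar are assumptions for the illustration, and `resolved_endpoint` shows what an HTTP router sees once the query or fragment is split off and dot segments are collapsed.

```python
import posixpath
import re
from urllib.parse import urlsplit

SUPERVISOR_BASE = "http://supervisor"  # assumed base URL of the Supervisor REST API
# Assumed slug grammar: lowercase letters, digits, '_' and '-'. Nothing that can
# add a path segment or start a query/fragment. The project's real rule may differ.
SLUG_RE = re.compile(r"[a-z0-9][a-z0-9_-]*")


def vulnerable_stdin_path(addon: str) -> str:
    """Pre-fix shape: the caller-controlled slug goes into the request path unchecked."""
    return f"/addons/{addon}/stdin"


def resolved_endpoint(path: str) -> str:
    """Endpoint a router effectively dispatches: query/fragment dropped, '..' folded."""
    return posixpath.normpath(urlsplit(path).path)


def is_valid_slug(addon: str) -> bool:
    return isinstance(addon, str) and SLUG_RE.fullmatch(addon) is not None


def safe_stdin_url(addon: str) -> str:
    """Fixed shape: refuse anything that is not a bare slug before building the URL."""
    if not is_valid_slug(addon):
        raise ValueError(f"invalid add-on slug: {addon!r}")
    return f"{SUPERVISOR_BASE}/addons/{addon}/stdin"


if __name__ == "__main__":
    # Constructed inputs: one legitimate slug, two that retarget the POST.
    for slug in ("core_ssh", "../core/restart?", "x/../../host/reboot#"):
        path = vulnerable_stdin_path(slug)
        print(f"{slug!r:28} -> {path!r:40} -> {resolved_endpoint(path)}")
        try:
            print("  safe:", safe_stdin_url(slug))
        except ValueError as exc:
            print("  safe: rejected,", exc)
```

The trailing `/stdin` gives no protection on its own: a `?` or `#` in the slug turns it into a query string or fragment that the server never sees as part of the path. Validating the slug against a closed grammar, rather than trying to strip dangerous characters, is what removes the whole class.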
NVD | added 2023/10/19 11:15 p.m.

CVE-2023-44385

The Home Assistant Companion apps for iOS and macOS up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links or QR codes to victims that, when visited, make the victim's app call arbitrary services in their Home Assistant installation. Combined with this...

CVSS 8.8 | AI score 8.6 | EPSS 0.01346 | Exploits: 0 | References: 1
Prion | added 2023/10/19 11:15 p.m.

Code injection

Home Assistant is an open source home automation platform. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential...

CVSS 4.4 | AI score 7.3 | EPSS 0.00097 | Exploits: 0 | References: 1 | Affected Software: 1
Prion | added 2023/10/19 11:15 p.m.

Server side request forgery (ssrf)

The Home Assistant Companion apps for iOS and macOS up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links or QR codes to victims that, when visited, make the victim's app call arbitrary services in their Home Assistant installation. Combined with this...

CVSS 6.8 | AI score 8.5 | EPSS 0.01346 | Exploits: 0 | References: 1 | Affected Software: 1
CVE | added 2023/10/19 10:18 p.m.

CVE-2023-41899

Home Assistant Core vulnerability CVE-2023-41899: a partial SSRF in the hassio.addon_stdin service allows an attacker who can call that service (e.g., via GHSA-h2jp-7grc-9xpp) to invoke any Supervisor REST API endpoint through a POST request. An attacker exploiting it can control the data dictionary...

CVSS 7.2 | AI score 6.5 | EPSS 0.00168 | Exploits: 0 | References: 2 | Affected Software: 1
OSV | added 2023/10/19 10:18 p.m.

CVE-2023-41899 Partial Server-Side Request Forgery in Home Assistant Core

Home Assistant is an open source home automation platform. In affected versions the hassio.addon_stdin service is vulnerable to a partial Server-Side Request Forgery, where an attacker capable of calling this service (e.g. through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a PO...

CVSS 6.6 | AI score 6.6 | EPSS 0.00168 | Exploits: 0 | References: 4
Cvelist | added 2023/10/19 10:18 p.m.

CVE-2023-41899 Partial Server-Side Request Forgery in Home Assistant Core

Home Assistant is an open source home automation platform. In affected versions the hassio.addon_stdin service is vulnerable to a partial Server-Side Request Forgery, where an attacker capable of calling this service (e.g. through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a PO...

CVSS 6.6 | AI score 7.3 | EPSS 0.00168 | Exploits: 0 | References: 2
Vulnrichment | added 2023/10/19 10:18 p.m.

CVE-2023-41899 Partial Server-Side Request Forgery in Home Assistant Core

Home Assistant is an open source home automation platform. In affected versions the hassio.addon_stdin service is vulnerable to a partial Server-Side Request Forgery, where an attacker capable of calling this service (e.g. through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a PO...

CVSS 6.6 | AI score 6.4 | EPSS 0.00168 | Exploits: 0 | References: 2
Vulnrichment | added 2023/10/19 10:08 p.m.

CVE-2023-41898 Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for Android

Home Assistant is an open source home automation platform. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential...

CVSS 8.6 | AI score 6.9 | EPSS 0.00097 | Exploits: 0 | References: 1
Cvelist | added 2023/10/19 10:02 p.m.

CVE-2023-44385 Client-Side Request Forgery in Home Assistant iOS/macOS native Apps

The Home Assistant Companion apps for iOS and macOS up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links or QR codes to victims that, when visited, make the victim's app call arbitrary services in their Home Assistant installation. Combined with this...

CVSS 8.6 | AI score 8.9 | EPSS 0.01346 | Exploits: 0 | References: 1
OSV | added 2023/10/19 10:02 p.m.

CVE-2023-44385 Client-Side Request Forgery in Home Assistant iOS/macOS native Apps

The Home Assistant Companion apps for iOS and macOS up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links or QR codes to victims that, when visited, make the victim's app call arbitrary services in their Home Assistant installation. Combined with this...

CVSS 8.6 | AI score 8.6 | EPSS 0.01346 | Exploits: 0 | References: 3
Vulnrichment | added 2023/10/19 10:02 p.m.

CVE-2023-44385 Client-Side Request Forgery in Home Assistant iOS/macOS native Apps

The Home Assistant Companion apps for iOS and macOS up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links or QR codes to victims that, when visited, make the victim's app call arbitrary services in their Home Assistant installation. Combined with this...

CVSS 8.6 | AI score 7.5 | EPSS 0.01346 | Exploits: 0 | References: 1
Circl | added 2023/10/16 12:20 p.m.

GHSA-J87X-J6MH-MV8V

creation timestamp | type | source
--- | --- | ---
2023-10-16 12:20:37+00:00 | published-proof-of-concept | https://t.me/CyberSecurityTechnologies/9208
2023-10-18 05:13:30+00:00 | published-proof-of-concept | https://t.me/apsecurity/196
2023-10-18 05:13:30+00:00 | published-proof-of-concept | ...

AI score 4.8 | Exploits: 0 | References: 4
NVD | added 2023/09/28 10:15 p.m.

CVE-2023-43662

ShokoServer is a media server which specializes in organizing anime. In affected versions the /api/Image/WithPath endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter serverImagePath, which is not sanitized in any way...

CVSS 8.6 | AI score 8.7 | EPSS 0.9192 | Exploits: 1 | References: 2
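The Shoko entry above is an unauthenticated endpoint handing a client-supplied `serverImagePath` straight to a file-open call, so the request can name any file the service account can read. The example below is added here, written in Python rather than the project's C#, and is not Shoko's code; it shows the confinement check such a handler needs: join the requested name onto the images directory, normalize, and refuse anything that does not land strictly inside that directory. The images directory path is an assumption for the illustration, and the query-string wrapper decodes once, as a web framework would before the handler sees the value.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

IMAGES_ROOT = "/srv/shoko/images"  # assumed location of the default server images


def vulnerable_open_path(server_image_path: str) -> str:
    """Pre-fix shape: whatever the client sent is the path that gets opened."""
    return server_image_path


def confined_image_path(requested: str, root: str = IMAGES_ROOT) -> Optional[str]:
    """Return the path to open, or None if `requested` would escape `root`.

    Operates on the already-decoded parameter. Backslashes and NULs are refused
    outright: .NET file APIs on Windows treat '\\' as a separator and '\\0' as a
    terminator, which a POSIX-style normalizer would pass through untouched.
    """
    if not requested or "\\" in requested or "\x00" in requested:
        return None
    root = posixpath.normpath(root)
    # join() drops `root` when `requested` is absolute, so '/etc/passwd' never
    # becomes '/srv/shoko/images/etc/passwd'; normpath() then folds '..' segments.
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # Must be strictly inside root: the root itself ('' or '.') is not a file.
    if not candidate.startswith(root + "/"):
        return None
    return candidate


def confined_image_path_from_query(raw_param: str, root: str = IMAGES_ROOT) -> Optional[str]:
    """Same check applied to a still-encoded query value, decoded exactly once."""
    return confined_image_path(unquote(raw_param), root)


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest traversal or absolute-path attempts.
    for req in ("logo.png", "sub/../logo.png", "../../../etc/passwd", "/etc/passwd",
                "..\\..\\Windows\\win.ini", "%2e%2e%2f%2e%2e%2fetc%2fpasswd"):
        print(f"{req!r:36} vulnerable opens {vulnerable_open_path(unquote(req))!r:28} "
              f"confined -> {confined_image_path_from_query(req)}")
```

`posixpath.normpath` does not follow symlinks, so a production handler should additionally `os.path.realpath` both the root and the candidate and repeat the prefix check before opening; the endpoint should also stop being reachable without authentication, which the containment check does not address.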
Prion | added 2023/09/28 10:15 p.m.

Authentication flaw

ShokoServer is a media server which specializes in organizing anime. In affected versions the /api/Image/WithPath endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter serverImagePath, which is not sanitized in any way...

CVSS 5 | AI score 8.6 | EPSS 0.9192 | Exploits: 1 | References: 2 | Affected Software: 1
Cvelist | added 2023/09/28 9:54 p.m.

CVE-2023-43662 Arbitrary file read vulnerability in Shoko Server

ShokoServer is a media server which specializes in organizing anime. In affected versions the /api/Image/WithPath endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter serverImagePath, which is not sanitized in any way...

CVSS 8.6 | AI score 8.8 | EPSS 0.9192 | Exploits: 1 | References: 2
CVE | added 2023/09/28 9:54 p.m.

CVE-2023-43662

ShokoServer exposes the /api/Image/WithPath endpoint without authentication in affected versions, passing serverImagePath to System.IO.File.OpenRead without sanitization, enabling arbitrary file reads via a path-traversal/LFI pattern. This can leak sensitive server files, particularly when the Wi...

CVSS 8.6 | AI score 8.6 | EPSS 0.9192 | Exploits: 1 | References: 2 | Affected Software: 1