19 matches found
EUVD-2025-200058
Malicious code in iife-sample npm...
Malicious code in iife-sample (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b8e97bde46b5ac29b3ccdf1ff9f4776714cf09769cf0e5fd360ea8e3d0fe6f1d The package iife-sample was found to contain malicious code...
MAL-2025-191511 Malicious code in iife-sample (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b8e97bde46b5ac29b3ccdf1ff9f4776714cf09769cf0e5fd360ea8e3d0fe6f1d The package iife-sample was found to contain malicious code...
CVE-2024-44085
ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object attack against a macro. This is related to use of an immediately-invoked function expression (IIFE) for a macro. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446 and CVE-2023-50883...
CVE-2024-47068
A flaw was found in the Rollup module bundler for JavaScript. Certain versions are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (such as import.meta.url) in the cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting XS...
CVE-2024-47068 DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting...
CVE-2024-45812
Vite is a frontend build tooling framework for JavaScript. Affected versions of Vite were discovered to contain a DOM Clobbering vulnerability when building scripts to the cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptle...
PT-2024-31793 · Vite · Vite
Name of the Vulnerable Software and Affected Versions: Vite versions prior to 3.2.11; Vite versions prior to 4.5.5; Vite versions prior to 5.2.14; Vite versions prior to 5.3.6; Vite versions prior to 5.4.6. Description: A DOM Clobbering vulnerability was discovered in Vite when building scripts to...
Code Injection in storybookjs/telejson
Description: telejson is a library for teleporting rich data to another place. The telejson.reviver, which is used to parse string data back into a JSON structure, can be abused to execute arbitrary code when the lazyEval option is set to false (i.e., disabled). The root cause is that attackers can...
Code Execution through IIFE in node-serialize
Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize. Recommendation: There is no direct patch for this issue. The package author has reviewed this advisory, and provided t...
Code Execution Through IIFE in serialize-to-js
Affected versions of serialize-to-js may be vulnerable to arbitrary code execution through an Immediately Invoked Function Expression (IIFE). Proof of Concept (js): var payload = "{e: function(){ eval('console.log(`exploited`)') }()}"; var serialize = require('serialize-to-js'); serialize.deserialize(payload);...
GHSA-MM62-WXC8-CF7M Code Execution Through IIFE in serialize-to-js
Affected versions of serialize-to-js may be vulnerable to arbitrary code execution through an Immediately Invoked Function Expression (IIFE). Proof of Concept (js): var payload = "{e: function(){ eval('console.log(`exploited`)') }()}"; var serialize = require('serialize-to-js'); serialize.deserialize(payload);...
Exploiting the Node.js deserialization vulnerability for remote code execution - vulnerability warning - the black bar safety net
Vulnerability description. Vulnerability name: Exploiting Node.js deserialization bug for Remote Code Execution. Vulnerability CVE id: CVE-2017-594. Vulnerability type: code execution. Vulnerability description: Untrusted data is passed into the unserialize function, which lets us bypass with...
Code Execution Through IIFE
Overview: Affected versions of serialize-to-js may be vulnerable to arbitrary code execution through an Immediately Invoked Function Expression (IIFE). Proof of Concept: var payload = "{e: function(){ eval('console.log(`exploited`)') }()}"; var serialize = require('serialize-to-js'); serialize.deserialize(payload);...
CVE-2017-5954
An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE)...
CVE-2017-5941
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE)...
Code Execution through IIFE
Overview: Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize. Recommendation: There is no direct patch for this issue. The package author has reviewed this advisory, and...