227 matches found

Source: CVE
added 2024/10/05 6:44 a.m. · 55 views

CVE-2024-8743

The Bit File Manager for WordPress plugin is vulnerable to Limited JavaScript File Upload in all versions up to and including 6.5.7 due to insufficient file-type validation. Authenticated attackers with Subscriber-level access (and above) can upload .css/.js files, enabling Stored Cross-Site Scri...

6.8 CVSS · 6.6 AI score · 0.42929 EPSS
Exploits 1 · References 2

Source: CVE
added 2024/09/26 10:59 a.m. · 53 views

CVE-2024-8704

CVE-2024-8704 covers the WordPress plugin “Advanced File Manager” (versions

7.2 CVSS · 7.5 AI score · 0.00491 EPSS
Exploits 0 · References 3 · Affected Software 1

Source: NVD
added 2024/08/20 4:15 a.m. · 12 views

CVE-2024-7775

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing input validation in the addCustomCode function in versions 2.0 to 2.13.9. This makes i...

5.5 CVSS · 0.00246 EPSS
Exploits 0 · References 2

Source: The Hacker News
added 2024/07/16 10:09 a.m. · 20 views

Malicious npm Packages Found Using Image Files to Hide Backdoor Code

Cybersecurity researchers have identified two malicious packages on the npm package registry that concealed backdoor code to execute malicious commands sent from a remote server. The packages in question – img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy – have been...

8.1 AI score
Exploits 0

Source: The Hacker News
added 2024/06/03 2:00 p.m. · 13 views

Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users

Cybersecurity researchers have uncovered a new suspicious package uploaded to the npm package registry that's designed to drop a remote access trojan (RAT) on compromised systems. The package in question is glup-debugger-log, which targets users of the gulp toolkit by masquerading as a "logger for...

8 AI score
Exploits 0

Source: VulnCheck KEV
added 2024/04/22 12:00 a.m. · 0 views

VulnCheck KEV: CVE-2022-38028

Microsoft Windows Print Spooler service contains a privilege escalation vulnerability. An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions...

7.8 CVSS · 7.3 AI score · 0.03907 EPSS
Exploits 0 · References 1

Source: The Hacker News
added 2024/04/08 11:29 a.m. · 50 views

Watch Out for 'Latrodectus' - This Malware Could Be In Your Inbox

Threat hunters have discovered a new malware called Latrodectus that has been distributed as part of email phishing campaigns since at least late November 2023. "Latrodectus is an up-and-coming downloader with various sandbox evasion functionality," researchers from Proofpoint and Team Cymru said...

7.5 AI score
Exploits 0

Source: Hacker One
added 2024/01/11 8:35 p.m. · 19 views

U.S. Dept Of Defense: Full Access to sonarQube and Docker

The vulnerability involved the exposure of sensitive credentials and IP addresses in a JavaScript file. The researcher gained access to the organization's Hub Docker account and Sonar projects, allowing them to identify and assess the issue. The vulnerability was caused by a JavaScript file withi...

6.9 AI score
Exploits 0

Source: Hacker One
added 2024/01/09 6:49 a.m. · 24 views

Mars: Sensitive Information Exposed at █████

Sensitive information was exposed in a JavaScript file, revealing configuration details, credentials, and file paths related to the deployment of a JavaScript application. This could enable unauthorized access to sensitive data...

6.6 AI score
Exploits 0

Source: Hacker One
added 2024/01/08 5:33 p.m. · 39 views

Mars: Datadog api keys exposed can be used to do all the read and write access to the instance

A vulnerability was identified where Datadog API keys were exposed in a JavaScript file, which could have enabled unauthorized access to Datadog services. The issue was responsibly disclosed along with a proof-of-concept demonstration...

7 AI score
Exploits 0

Source: Vulnrichment
added 2023/10/25 7:29 p.m. · 11 views

CVE-2023-45135 XWiki users can be tricked to execute scripts as the create page action doesn't display the page's title

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In org.xwiki.platform:xwiki-platform-web versions 7.2-milestone-2 until 14.10.12 and org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.12 and 15.5-rc-1, it is possible to...

9 CVSS · 8 AI score · 0.04811 EPSS
Exploits 1 · References 3

Source: OSV
added 2023/10/20 12:30 a.m. · 15 views

GHSA-4CQV-Q33X-WFXW Yamcs Cross-site Scripting vulnerability

Yamcs 5.8.6 allows XSS issue 1 of 2. It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There's a way to upload a display referencing a malicious JavaScript file to the bucket. The user can then open the uploaded display by selecting Telemetry from...

5.4 CVSS · 5.2 AI score · 0.00208 EPSS
Exploits 1 · References 4

Source: OSV
added 2023/10/19 10:15 p.m. · 10 views

CVE-2023-45279

Yamcs 5.8.6 allows XSS issue 1 of 2. It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There's a way to upload a display referencing a malicious JavaScript file to the bucket. The user can then open the uploaded display by selecting Telemetry from...

5.4 CVSS · 6.2 AI score
Exploits 0 · References 2

Source: Prion
added 2023/09/07 1:15 p.m. · 10 views

Code injection

The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticate requests using HMAC tokens. These tokens are however exposed in a JavaScript file loaded on the client side, thus rendering this extra safety mechanism useless...

7.5 CVSS · 9.5 AI score · 0.00081 EPSS
Exploits 0 · References 1

Source: Vulnrichment
added 2023/09/07 12:22 p.m. · 11 views

CVE-2023-39422 Use of Hard-coded Credentials in multiple /irmdata/api/ endpoints

The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticate requests using HMAC tokens. These tokens are however exposed in a JavaScript file loaded on the client side, thus rendering this extra safety mechanism useless...

6.5 CVSS · 7.3 AI score · 0.00081 EPSS
Exploits 0 · References 1

Source: Cvelist
added 2023/09/07 12:22 p.m. · 13 views

CVE-2023-39422 Use of Hard-coded Credentials in multiple /irmdata/api/ endpoints

The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticate requests using HMAC tokens. These tokens are however exposed in a JavaScript file loaded on the client side, thus rendering this extra safety mechanism useless...

6.5 CVSS · 9.8 AI score · 0.00081 EPSS
Exploits 0 · References 1

Source: Positive Technologies
added 2023/08/27 12:00 a.m. · 2 views

PT-2023-10354 · Unknown · Doc2K Re-Chat

Name of the Vulnerable Software and Affected Versions: Doc2k RE-Chat version 1.0 Description: A vulnerability was found in Doc2k RE-Chat, which has been classified as problematic. This affects an unknown part of the file js on radio-emergency.de /re chat.js. The manipulation leads to cross site...

6.1 CVSS · 4.3 AI score · 0.00391 EPSS
Exploits 0 · References 10

Source: NVD
added 2023/08/14 1:15 p.m. · 9 views

CVE-2023-30187

An out-of-bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via a crafted JavaScript file...

9.8 CVSS · 9.6 AI score · 0.02334 EPSS
Exploits 1 · References 6

Source: OSV
added 2023/08/14 1:15 p.m. · 22 views

CVE-2023-30188

Memory exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via a crafted JavaScript file...

7.5 CVSS · 7 AI score
Exploits 0 · References 6

Source: NVD
added 2023/08/14 1:15 p.m. · 9 views

CVE-2023-30186

A use-after-free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via a crafted JavaScript file...

9.8 CVSS · 9.7 AI score · 0.01166 EPSS
Exploits 1 · References 6