371 matches found

OSV
added 2024/10/15 2:15 p.m.

UBUNTU-CVE-2024-48948

The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of a truncateToN anomaly. This leads to...

CVSS 4.8, AI score 6.6, EPSS 0.00556
Exploits: 1, References: 4
Redos
added 2024/09/19 12:00 a.m.

ROS-20240918-16

A vulnerability in the deserialize JavaScript library function for Jwcrypto is related to uncontrolled resource consumption. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service by transmitting a specially...

CVSS 6.8, AI score 6.6, EPSS 0.0098
Exploits: 1
IBM Security Bulletins
added 2024/09/17 8:58 a.m.

Security Bulletin: A vulnerability in JavaScript affects IBM License Metric Tool v9 (CVE-2024-39338).

Summary: There is a vulnerability in the JavaScript library Axios that is used by IBM License Metric Tool. Vulnerability Details: CVEID: CVE-2024-39338. DESCRIPTION: Axios is vulnerable to server-side request forgery, caused by a flaw with requests for path relative URLs get processed as protocol relativ...

CVSS 7.5, AI score 7.3, EPSS 0.01414
Exploits: 1, Affected Software: 1
OSV
added 2024/08/06 2:16 p.m.

CVE-2024-41910

A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The firmware contained multiple XSS vulnerabilities in the version of JavaScript used...

CVSS 6.1, AI score 5.7, EPSS 0.00262
Exploits: 0, References: 1
OSSF Malicious Packages
added 2024/06/25 12:22 p.m.

Malicious code in @store-sfdcbt-net/cicd_gulp-central-js-lib-v1 (npm)

--- -= Per source details. Do not edit below this line.=-...

AI score 7
Exploits: 0
vulnersOsv
added 2024/06/10 9:38 p.m.

-temp-electron-manager-somiibo (=0.0.200), 0.extends.wechat (>=1.0.51 <=1.0.65) +20062 more potentially affected by CVE-2024-37168 via @grpc/grpc-js (>=0.1.0 <=1.8.21)

@grpc/grpc-js NPM version =0.1.0, =1.0.51, =0.1.0, =0.1.0, =5.0.0, =0.0.2, =0.0.1, =1.0.0, =1.0.1, =1.0.0, =1.0.0, =0.0.1, =0.0.1, =0.0.2 - 84447xe5t8 =1.0.0 and more. Source CVEs: CVE-2024-37168. Source advisory: OSV:GHSA-7V5V-9H63-CJ86...

CVSS 5.3, AI score 5.9, EPSS 0.00671
Exploits: 0
Github Security Blog
added 2024/06/05 1:28 p.m.

Vulnerable embedded jQuery Version

Summary: PIMCore uses the JavaScript library jQuery in version 3.4.1. This version is vulnerable to cross-site scripting (XSS). Details: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it to one of...

AI score 7
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2024/06/05 1:28 p.m.

GHSA-JMH9-6RJQ-GJH9 Vulnerable embedded jQuery Version

Summary: PIMCore uses the JavaScript library jQuery in version 3.4.1. This version is vulnerable to cross-site scripting (XSS). Details: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it to one of...

AI score 7
Exploits: 0, References: 2
CNNVD
added 2024/05/14 12:00 a.m.

CycloneDX JavaScript Library Code Issue Vulnerability

The CycloneDX JavaScript Library is a core feature of the CycloneDX SBOM Standard open source OWASP CycloneDX for JavaScript written in TypeScript. A code issue vulnerability exists in CycloneDX JavaScript Library versions prior to 6.7.1 that stems from XML external entity injection when running...

CVSS 8.1, AI score 8.2, EPSS 0.00925
Exploits: 0, References: 5
Vulnrichment
added 2024/05/09 2:56 p.m.

CVE-2024-34345 @cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1...

CVSS 8.1, AI score 7, EPSS 0.00925
Exploits: 0, References: 3
CVE
added 2024/05/09 2:56 p.m.

CVE-2024-34345

CVE-2024-34345 affects the CycloneDX JavaScript library (cyclonedx-library) core functionality. The vulnerability arises from XML External Entity (XXE) injections when using the provided XML Validator on arbitrary input in version 6.7.0; it was fixed in 6.7.1. Affected component/file is the XML v...

CVSS 8.1, AI score 6.8, EPSS 0.00925
Exploits: 0, References: 3
Github Security Blog
added 2024/05/08 7:55 p.m.

@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Impact: XML External entity injections could be possible when running the provided XML Validator on arbitrary input. POC (js): const { Spec: { Version }, Validation: { XmlValidator } } = require('@cyclonedx/cyclonedx-library'); const version = Version.v1dot5; const validator = new XmlValidator(version); const inpu...

CVSS 8.1, AI score 7.5, EPSS 0.00925
Exploits: 0, References: 5, Affected Software: 1
Circl
added 2024/05/08 3:13 p.m.

CVE-2024-34345

creationtimestamp | type | source
--- | --- | ---
2024-05-08 15:13:47+00:00 | published-proof-of-concept | https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7...

CVSS 8.1, AI score 7.2, EPSS 0.00925
Exploits: 0, References: 1
Tenable Nessus
added 2024/04/25 12:00 a.m.

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : CryptoJS vulnerability (USN-6753-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-6753-1 advisory. Thomas Neil James Shadwell discovered that CryptoJS was using an insecure cryptographic default configuration. A remote attack...

CVSS 9.1, AI score 8.1, EPSS 0.00635
Exploits: 0, References: 2
Cvelist
added 2024/03/25 8:00 p.m.

CVE-2024-28246 KaTeX is missing normalization of the protocol in URLs allows bypassing forbidden protocols

KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow fo...

CVSS 5.5, AI score 5.8, EPSS 0.00406
Exploits: 0, References: 2
Debian CVE
added 2024/03/25 8:00 p.m.

CVE-2024-28246

KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow fo...

CVSS 5.5, AI score 5.4, EPSS 0.00406
Exploits: 0
Vulnrichment
added 2024/03/25 7:45 p.m.

CVE-2024-28244 KaTeX's maxExpand bypassed by Unicode sub/superscripts

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. KaTeX supports an option named...

CVSS 6.5, AI score 7.1, EPSS 0.02155
Exploits: 0, References: 2
Debian CVE
added 2024/03/25 7:45 p.m.

CVE-2024-28244

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. KaTeX supports an option named...

CVSS 6.5, AI score 6.5, EPSS 0.02155
Exploits: 0
Positive Technologies
added 2024/03/25 12:00 a.m.

PT-2024-22358

Name of the Vulnerable Software and Affected Versions: KaTeX versions prior to 0.16.10. Description: KaTeX is a JavaScript library for TeX math rendering on the web. Users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despi...

CVSS 7.2, AI score 6.2, EPSS 0.01414
Exploits: 0, References: 25
ATTACKERKB
added 2023/12/12 2:15 a.m.

CVE-2023-49583

SAP BTP Security Services Integration Library Node.js @sap/xssec - versions 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application...

CVSS 9.8, AI score 7.4, EPSS 0.01085
Exploits: 0, References: 7, Affected Software: 1