98 matches found
MAL-2022-4476 Malicious code in mapbox-studio-pro-fonts (npm)
Source: ghsa-malware fe184c4c51f61f287036c394d47e1acee2fa5b397efde30a69df40abfe963bfa. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4475 Malicious code in mapbox-studio-default-fonts (npm)
Source: ghsa-malware 2f89940d67ecc912beb4510d0c28e80d664a00e725782dbeeb3c20882e75df42. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4474 Malicious code in mapbox-search-ios (npm)
Source: ghsa-malware 1fa80ab88984ef006ede845f1afebc2564f993e00e5a80d244ee39b5188dd3bb. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Mapbox: Reflected XSS via XML Namespace URI on https://go.mapbox.com/index.php/soap/
On January 22, 2020 user @h4ck3d reported a reflected XSS vulnerability via an XML Namespace URI on go.mapbox.com. Using the information provided by the researcher, we deployed a patch to this page on February 11, 2020...
Mapbox: Stored XSS | api.mapbox.com | IE 11 | Styles name
On December 24, 2019, user @renekroka reported a stored XSS injection vulnerability on api.mapbox.com that affected users in Internet Explorer 11. An attacker could store XSS injections on Mapbox servers, and then exploit them in IE11 due to JSON responses not including the X-Content-Type-Options...
sheetsee (>=0.0.1 <=0.0.3), sheetsee-maps (>=0.0.0 <=0.2.4) potentially affected by CVE-2017-1000042 via mapbox.js (=1.3.1)
mapbox.js npm version =1.3.1 is affected by a known vulnerability. The following packages have a transitive dependency on mapbox.js and may be impacted: sheetsee (>=0.0.1 <=0.0.3), sheetsee-maps (>=0.0.0 <=0.2.4). Source CVEs: CVE-2017-1000042. Source advisory: OSV:GHSA-QR28-7J6P-9HMV...
Mapbox: Test-scripts for postgis in mason-repository using unsafe unzip of content from unclaimed bucket creates potential RCE-issues
On March 25, 2018 @fransrosen reported a vulnerability to Mapbox. An AWS S3 bucket previously owned by Mapbox was reclaimed by this researcher, which is possible due to the global namespacing of S3 buckets. This bucket was still actively referenced in a test script. The bucket takeover therefore...
Mapbox: Admin Panel Accessed (OAuth Bypassed)
On December 4, 2017, @aneeskhan reported an authentication bypass vulnerability on a Mapbox internal portal. The vulnerability allowed them to bypass OAuth authentication and generate a valid session for the site. This session was then used by @aneeskhan to access information on the portal which...
Mapbox.js Cross-Site Scripting Vulnerability
Mapbox.js is an open-source library from the U.S. company Mapbox for the rapid development of interactive maps. A cross-site scripting vulnerability exists in Mapbox.js version 1.x before 1.6.5 and version 2.x before 2.1.7. A remote attacker can exploit this vulnerability to inject script into the 'attribute...
Mapbox.js cross-site scripting vulnerability (CNVD-2017-27716)
Mapbox.js is an open-source library from the U.S. company Mapbox for the rapid development of interactive maps. A cross-site scripting vulnerability exists in Mapbox.js version 1.x before 1.6.6 and version 2.x before 2.2.4. A remote attacker can exploit this vulnerability to inject scripted content into the...
CVE-2017-1000042
Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON Name...
Mapbox: null pointer dereference and segfault in tile-count-merge
This crash was triggered with 642f773 while fuzzing tile-count-merge with AFL on Debian 8 x64. ./tile-count-merge -o /dev/null test000 ASAN:SIGSEGV ================================================================= ==10201==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 pc...
Mapbox: Node modules path disclosure due to lack of error handling
On May 2nd, 2017 @apapedulimu reported an issue where changing a POST request to a GET request on one of our integration servers returned a full error stack trace rather than an HTTP 404 error. The full error stack trace revealed the full path of the Node.js modules directory on the integration...
Mapbox: Open AWS Amazon S3 Buckets
Security researcher @saadahmed reported two Mapbox owned S3 buckets with public-read ACL. One of these, mapbox-js, was public-read by design, the other however was not and subsequently was switched to a private ACL. Thank you again @saadahmed, we appreciate you keeping Mapbox security in mind...
Mapbox Dev Preview - Dangerous filesystem permissions, Exported components, External URLs vulnerabilities
The HackApp vulnerability scanner discovered that the Mapbox Dev Preview application published on the Google Play market has multiple vulnerabilities...
Mapbox: Public access to objects in AWS S3 bucket
On February 1st, 2017, Sahilsaif discovered an S3 bucket belonging to Mapbox which contained publicly accessible objects which should have been private. Using Sahilsaif's report, Mapbox mitigated the report by making the affected objects private...
Mapbox: Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager
Security researcher @mishre reported that the Mapbox Android SDK was using the Broadcast Receiver for location services requests and recommended that the switch be made to use the Local Broadcast Manager. The Local Broadcast Manager offers more granular control of broadcast permissions, as well a...