2 matches found
Node.js: Permissions policies can be bypassed via process.mainModule
A vulnerability was discovered in Node.js permission policies that allowed a script to include any non-whitelisted module by calling process.mainModule.require. This could allow an attacker to bypass the limited whitelist and access internal file systems or run child processes. The vulnerability...
Cisco: WebEx: New Arbitrary Command Execution in 1.0.5 via Module Whitelist Bypass
In version 1.0.5 of the WebEx extension, Cisco added a GpcComponentName whitelist to prevent exploitation via XSS, preventing issue 1096. This can be defeated by putting a module signed by Cisco under GpcUrlRoot and tricking the installation routine into overwriting one of the whitelisted module...