5 matches found
Malicious code in aes-decode-runner-pro (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d889fb0fd8c7bc4564c187d81448427b737ff7fe4b78a7ffe6a23c429b83b93 On require'aes-decode-runner-pro', the entry point index.js immediately invokes pkg.run lines 1-3: const pkg = require"./custom-codec"; pkg.run;, whi...
CVE-2024-21574
The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or...
CVE-2024-21574
The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or...
CVE-2024-21574
The CVE-2024-21574 issue affects the ComfyUI-Manager extension for ComfyUI, caused by missing validation of the pip field in a POST to /customnode/install. This permits an attacker to trigger a pip install from a user-controlled package or URL, resulting in Remote Code Execution (RCE) on the serv...
CVE-2024-21574
The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or...