7914 matches found
Security Bulletin: IBM Cloud Transformation Advisor is affected by a Node.js Prototype Pollution vulnerability
Summary: IBM Cloud Transformation Advisor has addressed the following vulnerability: Node.js lodash module CVE-2019-10744. Vulnerability Details: CVEID: CVE-2019-10744 DESCRIPTION: Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked...
Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerabilities
Summary: IBM Cloud Transformation Advisor has addressed the following vulnerabilities in Node.js: CVE-2019-9511, CVE-2019-9516, CVE-2019-9512, CVE-2019-9517, CVE-2019-9518, CVE-2019-9515, CVE-2019-9513, CVE-2019-9514. Vulnerability Details: CVEID: CVE-2019-9511 DESCRIPTION: Some HTTP/2 implementation...
nodejs:12 bug fix update
The following packages have been upgraded to a later upstream version: nodejs 12.13.1. BZ1776116...
CVE-2019-19771
The lodahs package 0.0.1 for Node.js is a Trojan horse, and may have been installed by persons who mistyped the lodash package name. In particular, the Trojan horse finds and exfiltrates cryptocurrency wallets...
Design/Logic Flaw
The lodahs package 0.0.1 for Node.js is a Trojan horse, and may have been installed by persons who mistyped the lodash package name. In particular, the Trojan horse finds and exfiltrates cryptocurrency wallets...
CVE-2019-19771
CVE-2019-19771 concerns the lodahs package (Node.js) version 0.0.1, a malware trojan masquerading as lodash that installs via mistyped npm package names and exfiltrates cryptocurrency wallets. Multiple sources (Red Hat, NVD, GHSA, OSV, CNVD, CVE lists) describe it as malware affecting Node.js env...
CVE-2019-19729
An issue was discovered in the BSON ObjectID aka bson-objectid package 1.3.0 for Node.js. ObjectID allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-input...
Input validation
An issue was discovered in the BSON ObjectID aka bson-objectid package 1.3.0 for Node.js. ObjectID allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-input...
CVE-2019-19729
CVE-2019-19729 affects the BSON ObjectID package for Node.js (v1.3.0). The issue arises when ObjectID() accepts user input with an extra property, causing the module to return early if it detects _bsontype==ObjectID, which can allow objects in arbitrary forms to bypass formatting if they include ...
Cross-Site Scripting
Overview: Versions of serialize-to-js prior to 3.0.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications. Recommendation: Upgrade to version 3.0.1 or later. References: - GitHub advisory -...
Fedora 30 : 1:libuv (2019-1686ae9b59)
Update to Node.js upstream release 12.13.1 https://nodejs.org/en/blog/release/v12.13.1/ Also fixes an issue where running npm -g was risky on RPM-installed systems. Fedora's packaged NPM will now install global content in /usr/local instead of /usr where it could conflict with RPM-provided...
Cross-Site Scripting
Overview: Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications. Recommendation: Upgrade to version 2.1.1 or later. References: - GitHub advisor...
Cross-site Scripting (XSS)
serialize-to-js is vulnerable to cross-site scripting (XSS). The vulnerability exists as the regular expressions, performed on source, were insufficient to deny unsafe characters when the object is used in an environment that is not run from Node.js...
Node.js third-party modules: [htmr] DOM-based XSS
Hi, I would like to report DOM-based XSS in htmr. It allows attackers to insert malicious JavaScript payload into the page. Module module name: htmr version: 0.8.6 npm page: https://www.npmjs.com/package/htmr Module Description Simple and lightweight Hash: $window.location.hash; 4. Run the server...
CVE-2019-16772
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability does not affect Node.js environments, since Node.js's implementation of...
Cross site scripting
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability does not affect Node.js environments, since Node.js's implementation of...