EUVD-2022-1375
Malicious code in bioql PyPI...
@cisdi/code-editor (>=3.0.0 <=3.3.10), @cisdi/ui-engine-charts (>=3.2.0 <=3.2.4) +32 more potentially affected by CVE-2021-23771 via notevil (>=0.8.1 <=1.3.3)
notevil NPM version =0.8.1, =3.0.0, =3.2.0, =2.9.0, =1.0.1, =1.0.0, =1.0.0, =0.10.0, =1.5.24, =5.0.0, =3.0.0, =5.2.0, =0.0.1, =0.0.50 and more. Source CVEs: CVE-2021-23771. Source advisory: OSV:GHSA-8G4M-CJM2-96WQ...
GHSA-8G4M-CJM2-96WQ Sandbox escape in notevil and argencoders-notevil
This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. Note: This...
CVE-2021-23771
This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. Note: This...
CVE-2021-23771
CVE-2021-23771 is a sandbox-escape prototype-pollution issue affecting the npm packages notevil and argencoders-notevil. The root cause is failure to restrict access to the main context, enabling an attacker to add or modify properties on Object.prototype. Public records (NVD/SNYK/Veracode/GHSA) ...
notevil injection vulnerability
notevil is an open source npm package. notevil suffers from an injection vulnerability that stems from a failure to restrict access to the main context, which allows an attacker to add or modify the prototype of an object. It is susceptible to sandbox escapes, which can lead to prototype...
@cisdi/code-editor (>=3.0.0 <=3.3.10), @cisdi/ui-engine-charts (>=3.2.0 <=3.2.4) +32 more potentially affected by CVE-2021-23771 via notevil (>=0.8.1 <=1.3.3)
notevil NPM version =0.8.1, =3.0.0, =3.2.0, =2.9.0, =1.0.1, =1.0.0, =1.0.0, =0.10.0, =1.5.24, =5.0.0, =3.0.0, =5.2.0, =0.0.1, =0.0.50 and more. Source CVEs: CVE-2021-23771. Source advisory: SNYK:JS-NOTEVIL-2385946...
Sandbox Bypass
Overview: notevil is a module that uses esprima to parse JavaScript into an AST, then walks each node and evaluates the result. Note: this package has been deprecated. Affected versions of this package are vulnerable to Sandbox Bypass. It is vulnerable to Sandbox Escape leading to Prototype pollution. The...
OnionSearch - A Script That Scrapes Urls On Different .Onion Search Engines
OnionSearch is a Python3 script that scrapes URLs on different ".onion" search engines. Prerequisite: Python 3. Currently supported search engines: ahmia, darksearchio, onionland, notevil, darksearchenginer, phobos, onionsearchserver, torgle, onionsearchengine, tordex, tor66, tormax, haystack, multivac, evosear...
Sandbox Breakout / Prototype Pollution in notevil
Versions of notevil prior to 1.3.3 are vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. Evaluating the payload tryab;catchee.constructor.constructor'return...
ezs (>=5.5.0 <=9.3.1), hoppel (=0.4.0) +3 more potentially affected by unknown CVE via notevil (>=0.8.1 <=1.3.1)
notevil NPM version =0.8.1, =5.5.0, =1.0.0, =0.1.0, =0.2.0 - piedpiper-middle-out =5.8.1. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-9GXR-RHX6-4JGV...
GHSA-9GXR-RHX6-4JGV Sandbox Breakout / Prototype Pollution in notevil
Versions of notevil prior to 1.3.3 are vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. Evaluating the payload tryab;catchee.constructor.constructor'return...
GHSA-7R5F-7QR4-PF6Q Sandbox Breakout / Arbitrary Code Execution in notevil
Versions of notevil prior to 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor leading t...
ezs (>=5.5.0 <=9.3.1), hoppel (=0.4.0) +3 more potentially affected by unknown CVE via notevil (>=0.8.1 <=1.3.1)
notevil NPM version =0.8.1, =5.5.0, =1.0.0, =0.1.0, =0.2.0 - piedpiper-middle-out =5.8.1. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-7R5F-7QR4-PF6Q...
Sandbox Breakout / Arbitrary Code Execution in notevil
Versions of notevil prior to 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor leading t...
Prototype Pollution
notevil is vulnerable to prototype pollution. The vulnerability exists as it failed to check if the value of the prototype header was tampered...
Node.js third-party modules: [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser
I would like to report a sandbox escape / code injection vulnerability in notevil. It allows an attacker to escape the intended sandbox and execute javascript code in the global context, meaning that he/she can achieve arbitrary command execution RCE when running in nodejs and cross site scriptin...
Sandbox Breakout / Arbitrary Code Execution
Overview: Versions of notevil prior to 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor...