16 matches found
Budibase affected by VM2 Constructor Escape Vulnerability
Impact Previously, budibase used a library called vm2 for code execution inside the Budibase builder and apps, such as the UI below for configuring bindings in the design section. Due to a vulnerability in vm2, any environment that executed the code server side automations and column formulas was...
CVE-2023-25164
Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli = 1.0.0 && 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a...
GHSA-PC2Q-JCXQ-RJRR Sensitive Information leak via Script File in TinaCMS
Impact Sensitive Information leaked via script File in TinaCMS. Sites building with @tinacms/cli = 1.0.0 && 1.0.9 that store sensitive values in process.env var are impacted. If you're on a version prior to 1.0.0 this vulnerability does not affect you. If your Tina-enabled website has sensitive...
GHSA-54QM-37QR-W5WQ Sandbox Breakout / Arbitrary Code Execution in veval
All versions of veval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload...
Sandbox Breakout / Arbitrary Code Execution in veval
All versions of veval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload...
GHSA-JP99-5H8W-GMXC Sandbox Breakout / Arbitrary Code Execution in @zhaoyao91/eval-in-vm
All versions of @zhaoyao91/eval-in-vm are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload...
Sandbox Breakout / Arbitrary Code Execution in @zhaoyao91/eval-in-vm
All versions of @zhaoyao91/eval-in-vm are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload...
GHSA-3GPC-W23C-W59W Sandbox Breakout / Arbitrary Code Execution in pitboss-ng
All versions of pitboss-ng are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload...
Sandbox Breakout / Arbitrary Code Execution in sandbox
All versions of sandbox are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload...
Sandbox Breakout / Arbitrary Code Execution in lighter-vm
All versions of lighter-vm are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload...
GHSA-C3HQ-7MXH-MQXF Sandbox Breakout / Arbitrary Code Execution in lighter-vm
All versions of lighter-vm are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload...
Malicious Package in evil-package
All versions of evil-package contain malicious code. The package uploads the contents of process.env to example.com/log. Recommendation Remove the package from your environment. Given the host where the information was uploaded to there is no further indication of compromise...
Sandbox Breakout / Arbitrary Code Execution
Overview All versions of localeval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through constructor.constructor. This may allow attackers to execute arbitrary code in the system. Evaluating the payload...
Sandbox Breakout / Arbitrary Code Execution
Overview All versions of lighter-vm are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payload...
Malicious Package
Overview All versions of evil-package contain malicious code. The package uploads the contents of process.env to example.com/log. Recommendation Remove the package from your environment. Given the host where the information was uploaded to there is no further indication of compromise. References...
math.js remote code execution vulnerability
This article explains in short how we found, exploited and reported a remote code execution RCE vulnerability. It is meant to be a guide to finding vulnerabilities, as well as reporting them in a responsible manner. Step one: discovery While playing around with a wrapper of the math.js API...