OSSF Malicious Packages
added 2024/08/06 3:25 p.m., 2 views

Malicious code in @taxify/eslint-config-react-native (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 5cff605dafce45695b36c5a3ca744b5187bab414e45e390d8e4ac966f6088573 The OpenSSF Package Analysis project identified '@taxify/eslint-config-react-native' @ 9.999.0 npm as malicious. It is considered malicious...

7.1 AI score
Exploits 0
OSV
added 2024/08/06 3:25 p.m., 8 views

MAL-2024-7898 Malicious code in @taxify/eslint-config-react-native (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 5cff605dafce45695b36c5a3ca744b5187bab414e45e390d8e4ac966f6088573 The OpenSSF Package Analysis project identified '@taxify/eslint-config-react-native' @ 9.999.0 npm as malicious. It is considered malicious...

7.3 AI score
Exploits 0
vulnersOsv
added 2024/08/06 2:12 p.m., 3 views

matrix-react-skin (>=0.0.1 <=0.0.2), vector-web (=0.3.0) potentially affected by CVE-2024-42347 via matrix-react-sdk (>=0.0.1 <=0.2.0)

matrix-react-sdk NPM version =0.0.1, =0.0.1, =0.0.2 - vector-web =0.3.0 Source cves: CVE-2024-42347 Source advisory: OSV:GHSA-F83W-WQHC-CFP4...

7.7 CVSS, 5.8 AI score, 0.00766 EPSS
Exploits 0
Github Security Blog
added 2024/08/06 2:12 p.m., 24 views

Matrix SDK for React's URL preview setting for a room is controllable by the homeserver

Impact A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. Even if the CVSS score would be 4.1 AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N the...

7.7 CVSS, 7.4 AI score, 0.00766 EPSS
Exploits 0, References 4, Affected Software 1
OSV
added 2024/08/06 2:12 p.m., 14 views

GHSA-F83W-WQHC-CFP4 Matrix SDK for React's URL preview setting for a room is controllable by the homeserver

Impact A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. Even if the CVSS score would be 4.1 AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N the...

5.1 CVSS, 6.6 AI score, 0.00766 EPSS
Exploits 0, References 4
Veracode
added 2024/07/31 9:07 a.m., 12 views

Stored Cross Site Scripting (XSS)

aim is vulnerable to a Stored Cross Site Scripting (XSS). The vulnerability is due to improper input neutralization in the logs-tab, which uses dangerouslySetInnerHTML in React. The vulnerability allows an attacker to inject malicious scripts into the logs...

7.2 CVSS, 6 AI score, 0.00233 EPSS
Exploits 1, References 2, Affected Software 1
Github Security Blog
added 2024/07/29 9:30 p.m., 12 views

Aim Stored Cross-site Scripting Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...

7.2 CVSS, 5 AI score, 0.00233 EPSS
Exploits 1, References 3, Affected Software 1
OSV
added 2024/07/29 9:30 p.m., 1 view

GHSA-P9F2-JG9W-CX69 Aim Stored Cross-site Scripting Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...

6.1 CVSS, 5.8 AI score, 0.00233 EPSS
Exploits 1, References 3
NVD
added 2024/07/29 7:15 p.m., 10 views

CVE-2024-6578

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...

7.2 CVSS, 0.00233 EPSS
Exploits 1, References 1
Cvelist
added 2024/07/29 6:37 p.m., 12 views

CVE-2024-6578 Stored XSS in aimhubio/aim

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...

7.2 CVSS, 0.00233 EPSS
Exploits 1, References 1
CVE
added 2024/07/29 6:37 p.m., 47 views

CVE-2024-6578

Stored XSS in aimhubio/aim 3.19.3 affects the logs-tab rendering, where logs are output with React dangerouslySetInnerHTML, allowing injected scripts to execute when a user views logs. Root cause: improper neutralization of input during web page generation. Impact: potential script execution in a...

7.2 CVSS, 6.4 AI score, 0.00233 EPSS
Exploits 1, References 1, Affected Software 1
Vulnrichment
added 2024/07/29 6:37 p.m., 19 views

CVE-2024-6578 Stored XSS in aimhubio/aim

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...

7.2 CVSS, 6.4 AI score, 0.00233 EPSS
Exploits 1, References 1
OSSF Malicious Packages
added 2024/07/22 4:29 p.m., 2 views

Malicious code in next-react-notify (npm)

The package executes multiple malicious commands to download and execute further payloads. The tactics used are characteristic of an ongoing North Korean campaign...

7.4 AI score
Exploits 0
NVD
added 2024/07/15 7:15 p.m., 15 views

CVE-2024-40631

Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume...

8.1 CVSS, 0.00332 EPSS
Exploits 0, References 3
OSV
added 2024/07/15 6:21 p.m., 12 views

CVE-2024-40631 Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media

Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume...

8.1 CVSS, 6.1 AI score, 0.00332 EPSS
Exploits 0, References 5
Vulnrichment
added 2024/07/15 6:21 p.m., 15 views

CVE-2024-40631 Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media

Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume...

8.1 CVSS, 6 AI score, 0.00332 EPSS
Exploits 0, References 3
CVE
added 2024/07/15 6:21 p.m., 52 views

CVE-2024-40631

The CVE-2024-40631 vulnerability affects Plate’s media embedding in editors using MediaEmbedElement with custom urlParsers in @udecode/plate-media. Affected code paths allow un-sanitised URLs (javascript:, data:, vbscript:) to reach iframe sources via the embed property from useMediaState, or the...

8.1 CVSS, 7.8 AI score, 0.00332 EPSS
Exploits 0, References 3
Cvelist
added 2024/07/15 6:21 p.m., 33 views

CVE-2024-40631 Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media

Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume...

8.1 CVSS, 0.00332 EPSS
Exploits 0, References 3
NVD
added 2024/07/12 3:15 p.m., 12 views

CVE-2024-39903

Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version 1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI...

8.6 CVSS, 0.53034 EPSS
Exploits 0, References 2
Cvelist
added 2024/07/12 2:28 p.m., 24 views

CVE-2024-39903 Local File Inclusion in Solara

Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version 1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI...

8.6 CVSS, 0.53034 EPSS
Exploits 0, References 2