CVE-2022-23646
CVE-2022-23646 affects Next.js (React framework) versions 10.0.0 through 12.0.x prior to 12.1.0. The issue is UI misrepresentation of critical information when next.config.js defines an images.domains array and the image host in domains allows user-provided SVG; if next.config.js uses a non-defau...
CVE-2022-23646 Improper CSP in Image Optimization API for Next.js
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface UI Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in...
01_basic_webpack (>=1.0.0 <=1.0.8), 0726react (=0.1.1) +12743 more potentially affected by CVE-2022-0613 via urijs (>=1.16.1 <=1.19.7)
urijs NPM version =1.16.1, =1.0.0, =1.0.9, =0.0.1, =0.0.1-beta.0, =1.0.0, =1.0.4, =1.0.1, =0.0.1, =0.1.1, =0.1.0, =0.0.1, =0.0.3 and more Source cves: CVE-2022-0613 Source advisory: OSV:GHSA-GCV8-GH4R-25X6...
Fulusso Cross-Site Scripting Vulnerability
Fulusso is a single sign-on system developed based on React + Asp.net Core. A security vulnerability exists in Fulusso v1.1, which originates from a DOM-based cross-site scripting XSS vulnerability contained in /BindAccount/SuccessTips.js. An attacker could exploit the vulnerability to inject...
GHSA-CG57-P69R-3M7P Improper file handling in matrix-react-sdk
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...
matrix-react-skin (>=0.0.1 <=0.0.2), vector-web (=0.3.0) potentially affected by CVE-2021-32622 via matrix-react-sdk (>=0.0.1 <=0.2.0)
matrix-react-sdk NPM version =0.0.1, =0.0.1, =0.0.2 - vector-web =0.3.0 Source cves: CVE-2021-32622 Source advisory: OSV:GHSA-CG57-P69R-3M7P...
Improper file handling in matrix-react-sdk
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...
Code injection
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-...
CVE-2022-21721
Next.js (React framework) versions 12.0.0 up to but not including 12.0.9 are affected by a DoS vulnerability in the built-in i18n support when using next start or a custom server. Affected deployments exclude those on Vercel or similar filtered environments. A patch exists: [email protected]. Workaround: block ...
CVE-2022-21721 DOS Vulnerability in next.js
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-...
@loopspeed/epubjs-rn (>=0.2.38 <=0.2.77), @muriloneo/epubjs-rn (=0.2.37) +8 more potentially affected by CVE-2021-33040 via epubjs (>=0.2.21 <=0.3.88)
epubjs NPM version =0.2.21, =0.2.38, =0.3.25, =0.2.33, =0.2.5, =0.1.0, =0.0.9, =0.2.37, =0.13.1, =0.13.2 - unext-epub-viewer =1.0.0 Source cves: CVE-2021-33040 Source advisory: OSV:GHSA-C6RP-XVQV-MWMF...
Facebook Hermes Security Vulnerability
Facebook Hermes is a JavaScript engine from Facebook Inc. in the United States. The engine is targeted at React Native apps to improve the performance of mobile client apps, but not server-side infrastructures such as browsers & Node.js. A security vulnerability exists in Facebook Hermes, which...
7Rapid Questions: Stephen Donnelly
At Rapid7, there's no shortage of passionate leaders looking to challenge convention and make an impact. Our "7Rapid Questions" series is a way to highlight some of the amazing work taking place behind the scenes, and the exciting growth opportunities available in our global offices. For this...
react-here-map-interactive (>=0.0.1 <=0.9.2) potentially affected by CVE-2021-23700 via merge-deep2 (=3.0.6)
merge-deep2 NPM version =3.0.6 is affected by a known vulnerability. The following packages have a transitive dependency on merge-deep2 and may be impacted: - react-here-map-interactive =0.0.1, =0.9.2 Source cves: CVE-2021-23700 Source advisory: OSV:GHSA-J28Q-P8WW-CP87...
CVE-2021-24045
A type confusion vulnerability could be triggered when resolving the "typeof" unary operator in Facebook Hermes prior to v0.10.0. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected...
Type confusion
A type confusion vulnerability could be triggered when resolving the "typeof" unary operator in Facebook Hermes prior to v0.10.0. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected...
Facebook Hermes Security Vulnerability
Facebook Hermes is a JavaScript engine from Facebook Inc. in the United States. The engine is targeted at React Native applications to improve the performance of mobile client apps, but not server-side infrastructures such as browsers & Node.js. A security vulnerability exists in Facebook Hermes...
Cross-site scripting in react-bootstrap-table
All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting XSS via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output...
192.168.0.172 (=4.6.1), @attivio/suit (>=0.0.47 <=1.0.7) +76 more potentially affected by CVE-2021-23398 via react-bootstrap-table (>=1.6.2 <=4.3.1)
react-bootstrap-table NPM version =1.6.2, =0.0.47, =1.0.0, =0.3.1, =0.1.1, =1.21.0, =0.15.0-beta-1, =0.0.1, =1.14.3, =1.0.1, =1.0.70 and more Source cves: CVE-2021-23398 Source advisory: OSV:GHSA-2589-W6XF-983R...