
4876 matches found

Snyk
added 2020/10/16 4:53 p.m., 1 view

Improper Authentication

Overview: react-adal is an Azure Active Directory Library (ADAL) support for ReactJS. Affected versions of this package are vulnerable to Improper Authentication. A specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly...

8.2 CVSS, 6.3 AI score, 0.00267 EPSS
Exploits 1, References 2
vulnersOsv
added 2020/10/16 4:53 p.m., 1 view

@joshmccall/atomic-stories (>=0.0.0-semantically-released <=1.9.5), abmcontent (=0.1.0) +3 more potentially affected by CVE-2020-7787 via react-adal (>=0.3.15 <=0.4.24)

react-adal NPM version =0.3.15, =0.0.0-semantically-released, =0.1.0, =0.1.3 - widgettestcomponent =0.1.0 Source cves: CVE-2020-7787 Source advisory: SNYK:JS-REACTADAL-1018907...

8.2 CVSS, 7.2 AI score, 0.00267 EPSS
Exploits 1
NVD
added 2020/10/08 7:15 p.m., 13 views

CVE-2020-1914

A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable i...

9.8 CVSS, 0.01402 EPSS
Exploits 0, References 2
OSV
added 2020/10/08 7:15 p.m., 16 views

CVE-2020-1914

A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable i...

9.8 CVSS, 7.5 AI score, 0.01402 EPSS
Exploits 0, References 2
Prion
added 2020/10/08 7:15 p.m., 17 views

Design/Logic Flaw

A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable i...

7.5 CVSS, 9.6 AI score, 0.01402 EPSS
Exploits 0, References 2, Affected Software 1
AlpineLinux
added 2020/10/08 6:50 p.m., 58 views

CVE-2020-1914

A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable i...

9.8 CVSS, 9.7 AI score, 0.01402 EPSS
Exploits 0
Cvelist
added 2020/10/08 6:50 p.m., 19 views

CVE-2020-1914

A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable i...

9.7 AI score, 0.01402 EPSS
Exploits 0, References 2
CVE
added 2020/10/08 6:50 p.m., 111 views

CVE-2020-1914

The CVE-2020-1914 entry describes a logic vulnerability in Facebook Hermes related to the SaveGeneratorLong instruction. Before the commit b2021df620824627f5a8c96615edbd1eb7fdddfc, attackers could theoretically read out of bounds or execute arbitrary code via crafted JavaScript, but exploitation ...

9.8 CVSS, 9.5 AI score, 0.01402 EPSS
Exploits 0, References 2, Affected Software 1
Veracode
added 2020/10/05 1:34 a.m., 33 views

Cross-site Scripting (XSS)

react-native-webview is vulnerable to cross-site scripting (XSS). The vulnerability exists through the lack of policy enforcement that allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. The vulnerability exists on all applications running on systems with an Andro...

6.5 CVSS, 4.3 AI score, 0.01018 EPSS
Exploits 0, References 20, Affected Software 1
OSV
added 2020/10/02 4:22 p.m., 141 views

GHSA-36J3-XXF7-4PQG Android WebView Universal Cross-site Scripting

A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps whic...

6.5 CVSS, 7.3 AI score, 0.01018 EPSS
Exploits 0, References 19
Github Security Blog
added 2020/10/02 4:22 p.m., 206 views

Android WebView Universal Cross-site Scripting

A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps whic...

6.5 CVSS, 1.6 AI score, 0.01018 EPSS
Exploits 0, References 19, Affected Software 1
Node.js
added 2020/09/25 5:5 p.m., 79 views

Universal XSS in Android WebView

Overview: A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native...

4.3 CVSS, 2.3 AI score, 0.01018 EPSS
Exploits 0, Affected Software 1
Snyk
added 2020/09/23 12:24 p.m., 1 view

Cross-site Scripting (XSS)

Overview: react-native-webview is a React Native WebView component for iOS, Android, macOS, and Windows. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A universal cross-site scripting (UXSS) vulnerability has been identified in the Android WebView system component, whi...

8.8 CVSS, 5.6 AI score, 0.01018 EPSS
Exploits 0, References 2
Github Security Blog
added 2020/09/11 9:23 p.m., 30 views

Malicious Package in react-datepicker-plus

Versions 2.4.3 and 2.4.2 of react-datepicker-plus contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: Remove the package from your...

4.4 AI score
Exploits 0, References 2, Affected Software 1
OSV
added 2020/09/11 9:23 p.m., 10 views

GHSA-4WCX-C9C4-89P2 Malicious Package in react-datepicker-plus

Versions 2.4.3 and 2.4.2 of react-datepicker-plus contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: Remove the package from your...

9.8 CVSS, 7.2 AI score
Exploits 0, References 1
vulnersOsv
added 2020/09/11 9:23 p.m., 0 views

@cqingwang/react-native-update (>=14.0.5 <=15.0.3), @mervinzhu/react-native-update-pod (>=5.0.1 <=5.0.3) +23 more potentially affected by unknown CVE via entitlements (>=1.0.0 <=1.2.0)

entitlements NPM version =1.0.0, =14.0.5, =5.0.1, =0.0.1, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =1.0.2, =1.0.0, =1.0.0, =1.4.1, =1.0.2, =1.0.3 and more Source cves: unknown CVE Source advisory: OSV:GHSA-G8VP-6HV4-M67C...

5.8 AI score
Exploits 0
vulnersOsv
added 2020/09/11 9:15 p.m., 1 view

react-endless (>=1.0.4 <=1.0.6), react-templet (>=1.0.0 <=1.0.3) potentially affected by unknown CVE via epress (=0.0.1-security)

epress NPM version =0.0.1-security is affected by a known vulnerability. The following packages have a transitive dependency on epress and may be impacted: - react-endless =1.0.4, =1.0.0, =1.0.3 Source cves: unknown CVE Source advisory: OSV:GHSA-VF8Q-PW7H-R2X2...

5.8 AI score
Exploits 0
vulnersOsv
added 2020/09/11 9:15 p.m., 1 view

@ieremeev/app (>=3.0.1 <=4.1.1), @meetup/swarm-docs (=0.7.10-beta.0) +7 more potentially affected by unknown CVE via serve (>=10.0.0 <=10.1.1)

serve NPM version =10.0.0, =3.0.1, =0.1.0, =0.0.12, =0.0.0, =0.0.10, =0.0.1, =0.0.10 Source cves: unknown CVE Source advisory: OSV:GHSA-48GC-5J93-5CFQ...

5.8 AI score
Exploits 0
OSV
added 2020/09/09 7:15 p.m., 19 views

CVE-2020-1913

An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes...

8.1 CVSS, 6.7 AI score, 0.002 EPSS
Exploits 0, References 2
NVD
added 2020/09/09 7:15 p.m., 14 views

CVE-2020-1913

An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes...

8.1 CVSS, 0.002 EPSS
Exploits 0, References 2