Lucene search
4876 matches found

Kitploit
added 2019/12/23 8:14 p.m. | 102 views

huskyCI - Performing Security Tests Inside Your CI

huskyCI is an open-source tool that performs security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics. How does it work? The main goal of this project is to help development teams improve the quality of their code by...

7.6 AI score
Exploits: 0 | References: 12
vulnersOsv
added 2019/12/11 3:29 p.m. | 1 view

@jamesbliss/react-flickity (>=1.0.0 <=1.4.0), @jamesbliss/react-spy (=0.0.1) +21 more potentially affected by CVE-2019-10773 via yarn (>=1.0.2 <=1.21.0)

yarn NPM version =1.0.2, =1.0.0, =1.9.9, =1.0.0, =1.0.21, =8.3.8, =0.1.0, =3.0.0, =0.0.1, =0.0.0-semantic-release, =1.5.9, =1.1.2, =1.13.1 and more Source cves: CVE-2019-10773 Source advisory: SNYK:JS-YARN-537806...

7.8 CVSS | 7.1 AI score | 0.00546 EPSS
Exploits: 1
Hacker One
added 2019/12/08 1:23 p.m. | 28 views

Node.js third-party modules: [htmr] DOM-based XSS

Hi, I would like to report DOM-based XSS in htmr. It allows attackers to insert malicious JavaScript payload into the page. Module module name: htmr version: 0.8.6 npm page: https://www.npmjs.com/package/htmr Module Description Simple and lightweight Hash: $window.location.hash; 4. Run the server...

0.1 AI score
Exploits: 0
Node.js
added 2019/11/29 7:18 p.m. | 37 views

Cross-Site Scripting

Overview Affected versions of react-dom are vulnerable to Cross-Site Scripting XSS. The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be...

4.3 CVSS | 2.1 AI score | 0.10073 EPSS
Exploits: 0 | Affected Software: 1
Node.js
added 2019/11/29 6:50 p.m. | 12 views

Cross-Site Scripting

Overview Affected versions of react are vulnerable to Cross-Site Scripting XSS. The package fails to properly sanitize input used to create keys. This may allow attackers to execute arbitrary JavaScript if a key is generated from user input. Recommendation If you are using react 0.5.x, upgrade to...

3.3 AI score
Exploits: 0 | Affected Software: 1
HackRead
added 2019/11/28 8:37 p.m. | 80 views

React Prereleases-Preparing for the Future

By Owais Sultan Recently, React has come up with prerelease channels to update users with the latest changes taking place in the React ecosystem. They spoke about this through a blog published on their React website. React relies on an open-source community to report bugs, open pull requests and...

2.5 AI score
Exploits: 0
Veracode
added 2019/11/28 2:5 p.m. | 11 views

Denial Of Service (DoS) Through Infinite Loop

react-native-root-siblings is vulnerable to denial of service DoS attack. The vulnerability is due to a faulty iteration logic in the function getActiveManager in RootSiblingsManager, triggering an infinite loop and consuming CPU memory...

3.8 AI score
Exploits: 0
Node.js
added 2019/11/27 8:58 p.m. | 10 views

Cross-Site Scripting

Overview Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting XSS. The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser. Recommendation Upgrade to version 0.14.0 or later...

6.7 AI score
Exploits: 0 | Affected Software: 1
Veracode
added 2019/11/07 6:24 a.m. | 7 views

Memory Leak

react-popper is vulnerable to memory leak attacks. The ref value passed to the Manager context is retained when the reference child element is removed from the page, resulting in an application crash...

2.2 AI score
Exploits: 0
Kitploit
added 2019/10/22 12:0 p.m. | 135 views

Osmedeus v2.1 - Fully Automated Offensive Security Framework For Reconnaissance And Vulnerability Scanning

Osmedeus allows you automated run the collection of awesome tools to reconnaissance and vulnerability scanning against the target. Installation git clone https://github.com/j3ssie/Osmedeus cd Osmedeus ./install.sh This install only focus on Kali linux, check more install on Usage page How to use ...

7.2 AI score
Exploits: 0 | References: 7
Veracode
added 2019/10/08 3:24 p.m. | 15 views

Prototype Pollution

react-particles-js is vulnerable to prototype pollution attacks. Attackers can manipulate attributes to overwrite, or pollute, existing properties relating to an Object by injecting malicious values through proto attribute. Using this flaw the attackers can trigger denial of service DoS attacks...

6.2 AI score
Exploits: 0
Kitploit
added 2019/08/10 10:35 p.m. | 119 views

Osmedeus v1.5 - Fully Automated Offensive Security Framework For Reconnaissance And Vulnerability Scanning

Osmedeus allows you automated run the collection of awesome tools to reconnaissance and vulnerability scanning against the target. Installation git clone https://github.com/j3ssie/Osmedeus cd Osmedeus ./install.sh This install only focus on Kali linux, check more install on Wiki page How to use I...

7.5 AI score
Exploits: 0 | References: 11
NVD
added 2019/07/23 11:15 p.m. | 7 views

CVE-2019-12164

ubuntu-server.js in Status React Native Desktop before v0.57.8mobileui allows Remote Code Execution...

9.8 CVSS | 9.7 AI score | 0.02525 EPSS
Exploits: 0 | References: 3
OSV
added 2019/07/23 11:15 p.m. | 10 views

CVE-2019-12164

ubuntu-server.js in Status React Native Desktop before v0.57.8mobileui allows Remote Code Execution...

9.8 CVSS | 7.3 AI score
Exploits: 0 | References: 3
Prion
added 2019/07/23 11:15 p.m. | 9 views

Remote code execution

ubuntu-server.js in Status React Native Desktop before v0.57.8mobileui allows Remote Code Execution...

7.5 CVSS | 9.5 AI score | 0.02525 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
CVE
added 2019/07/23 10:16 p.m. | 49 views

CVE-2019-12164

Affected software: Status React Native Desktop prior to v0.57.8_mobile_ui (ubuntu-server.js). Vulnerability: remote code execution via ubuntu-server.js. Impact & scope: reported RCE in the desktop component; CVE-2019-12164. Mitigation status: no remediation details provided in the connected docum...

9.8 CVSS | 9.6 AI score | 0.02525 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2019/07/23 10:16 p.m. | 10 views

CVE-2019-12164

ubuntu-server.js in Status React Native Desktop before v0.57.8mobileui allows Remote Code Execution...

9.7 AI score | 0.02525 EPSS
Exploits: 0 | References: 3
vulnersOsv
added 2019/07/12 9:30 a.m. | 0 views

@jamesbliss/react-flickity (>=1.0.0 <=1.4.0), @jamesbliss/react-spy (=0.0.1) +17 more potentially affected by CVE-2019-5448 via yarn (>=1.0.2 <=1.16.0)

yarn NPM version =1.0.2, =1.0.0, =1.9.9, =1.0.0, =1.0.21, =8.3.8, =0.1.0, =3.0.0, =0.0.0-semantic-release, =1.1.2, =0.1.9, =1.0.0, =1.11.13 and more Source cves: CVE-2019-5448 Source advisory: SNYK:JS-YARN-451571...

8.1 CVSS | 7.2 AI score | 0.00107 EPSS
Exploits: 1
Node.js
added 2019/06/07 7:49 p.m. | 17 views

Malicious Package

Overview Versions 2.4.3 and 2.4.2 of react-datepicker-plus contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from yo...

7 AI score
Exploits: 0 | Affected Software: 1
Github Security Blog
added 2019/05/31 11:47 p.m. | 39 views

Cross-Site Scripting in react-svg

Versions of react-svg before 2.2.18 are vulnerable to cross-site scripting xss. This is due to the fact that scripts found in SVG files are run by default. Recommendation Update to version 2.2.18 or later...

2.5 AI score
Exploits: 0 | References: 4 | Affected Software: 1