
4915 matches found

Github Security Blog (added 2024/08/06 2:12 p.m., 26 views)

Matrix SDK for React's URL preview setting for a room is controllable by the homeserver

Impact: A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. Even if the CVSS score would be 4.1 AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N the...

CVSS 7.7 | AI score 7.4 | EPSS 0.00427
Exploits 0 | References 4 | Affected Software 1

Veracode (added 2024/07/31 9:07 a.m., 13 views)

Stored Cross Site Scripting (XSS)

aim is vulnerable to a Stored Cross Site Scripting (XSS). The vulnerability is due to improper input neutralization in the logs-tab, which uses dangerouslySetInnerHTML in React. The vulnerability allows an attacker to inject malicious scripts into the logs...

CVSS 7.2 | AI score 6 | EPSS 0.00266
Exploits 1 | References 2 | Affected Software 1

Github Security Blog (added 2024/07/29 9:30 p.m., 13 views)

Aim Stored Cross-site Scripting Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...

CVSS 7.2 | AI score 5 | EPSS 0.00266
Exploits 1 | References 3 | Affected Software 1

OSV (added 2024/07/29 9:30 p.m., 1 view)

GHSA-P9F2-JG9W-CX69 Aim Stored Cross-site Scripting Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...

CVSS 6.1 | AI score 5.8 | EPSS 0.00266
Exploits 1 | References 3

NVD (added 2024/07/29 7:15 p.m., 29 views)

CVE-2024-6578

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...

CVSS 7.2 | EPSS 0.00266
Exploits 1 | References 1

Vulnrichment (added 2024/07/29 6:37 p.m., 20 views)

CVE-2024-6578 Stored XSS in aimhubio/aim

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...

CVSS 7.2 | AI score 6.4 | EPSS 0.00266
Exploits 1 | References 1

Cvelist (added 2024/07/29 6:37 p.m., 29 views)

CVE-2024-6578 Stored XSS in aimhubio/aim

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...

CVSS 7.2 | EPSS 0.00266
Exploits 1 | References 1

CVE (added 2024/07/29 6:37 p.m., 50 views)

CVE-2024-6578

Stored XSS in aimhubio/aim 3.19.3 affects the logs-tab rendering, where logs are output with React dangerouslySetInnerHTML, allowing injected scripts to execute when a user views logs. Root cause: improper neutralization of input during web page generation. Impact: potential script execution in a...

CVSS 7.2 | AI score 6.4 | EPSS 0.00266
Exploits 1 | References 1 | Affected Software 1

OSSF Malicious Packages (added 2024/07/22 4:29 p.m., 4 views)

Malicious code in next-react-notify (npm)

The package executes multiple malicious commands to download and execute further payloads. The tactics used are characteristic of an ongoing North Korean campaign...

AI score 7.4
Exploits 0

NVD (added 2024/07/15 7:15 p.m., 18 views)

CVE-2024-40631

Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume...

CVSS 8.1 | EPSS 0.00498
Exploits 0 | References 3

Cvelist (added 2024/07/15 6:21 p.m., 40 views)

CVE-2024-40631 Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media

Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume...

CVSS 8.1 | EPSS 0.00498
Exploits 0 | References 3

Vulnrichment (added 2024/07/15 6:21 p.m., 16 views)

CVE-2024-40631 Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media

Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume...

CVSS 8.1 | AI score 6 | EPSS 0.00498
Exploits 0 | References 3

CVE (added 2024/07/15 6:21 p.m., 55 views)

CVE-2024-40631

The CVE-2024-40631 vulnerability affects Plate’s media embedding in editors using MediaEmbedElement with custom urlParsers in @udecode/plate-media. Affected code paths allow un-sanitised URLs (javascript:, data:, vbscript:) to reach iframe sources via the embed property from useMediaState, or the...

CVSS 8.1 | AI score 7.8 | EPSS 0.00498
Exploits 0 | References 3

OSV (added 2024/07/15 6:21 p.m., 21 views)

CVE-2024-40631 Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media

Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume...

CVSS 8.1 | AI score 6.1 | EPSS 0.00498
Exploits 0 | References 5

NVD (added 2024/07/12 3:15 p.m., 13 views)

CVE-2024-39903

Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version 1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI...

CVSS 8.6 | EPSS 0.02884
Exploits 0 | References 2

Cvelist (added 2024/07/12 2:28 p.m., 26 views)

CVE-2024-39903 Local File Inclusion in Solara

Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version 1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI...

CVSS 8.6 | EPSS 0.02884
Exploits 0 | References 2

OSSF Malicious Packages (added 2024/07/12 8:45 a.m., 4 views)

Malicious code in react-native-latest (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 1015ecd9733ee94027b1c081070e5866c9bdeb055d78f16a4664531fadba690d The OpenSSF Package Analysis project identified 'react-native-latest' @ 200.0.1 npm as malicious. It is considered malicious because: - The...

AI score 7.1
Exploits 0

OSV (added 2024/07/12 8:45 a.m., 6 views)

MAL-2024-7730 Malicious code in react-native-latest (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 1015ecd9733ee94027b1c081070e5866c9bdeb055d78f16a4664531fadba690d The OpenSSF Package Analysis project identified 'react-native-latest' @ 200.0.1 npm as malicious. It is considered malicious because: - The...

AI score 7.3
Exploits 0

CNNVD (added 2024/07/12 12:00 a.m., 21 views)

Solara Security Breach

Solara is a pure Python, React style framework open sourced by widgetti. It is used to extend Jupyter and web applications. A security vulnerability exists in Solara versions prior to 1.35.1, which stems from a failure to properly validate a URI fragment for a directory traversal sequence, which...

CVSS 8.6 | AI score 6.5 | EPSS 0.02884
Exploits 0 | References 3

CVE (added 2024/07/10 7:54 p.m., 80 views)

CVE-2024-39693

CVE-2024-39693 is a DoS in Next.js (React framework) that can crash the server, affecting availability. The issue affects Next.js versions prior to 13.5 and is resolved in 13.5 and later. Connected sources consistently describe a DoS condition without detailing exploit vectors or specific vulnera...

CVSS 7.5 | AI score 7.5 | EPSS 0.0049
Exploits 0 | References 1 | Affected Software 1