4914 matches found

Source: OSV | added 2023/06/09 5:04 p.m. | 37 views

CVE-2023-34245 Cross site scripting (XSS) in @udecode/plate-link

@udecode/plate-link is the link handler for the udecode/plate rich-text editor plugin system for Slate & React. Affected versions of the link plugin and link UI component do not sanitize URLs to prevent use of the javascript: scheme. As a result, links with JavaScript URLs can be inserted into th...

CVSS 8.1 | AI score 6.7 | EPSS 0.00445
Exploits 0 | References 4
Source: NVD | added 2023/06/08 12:15 a.m. | 13 views

CVE-2023-34238

Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contains a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop). Any file in scope o...

CVSS 5.3 | AI score 4.7 | EPSS 0.0091
Exploits 1 | References 3
Source: Prion | added 2023/06/08 12:15 a.m. | 17 views

Design/Logic Flaw

Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contains a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop). Any file in scope o...

CVSS 5 | AI score 5.2 | EPSS 0.0091
Exploits 1 | References 3 | Affected Software 1
Source: Cvelist | added 2023/06/07 11:24 p.m. | 39 views

CVE-2023-34238 Local File Inclusion vulnerability in Gatsby

Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contains a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop). Any file in scope o...

CVSS 4.3 | AI score 5.5 | EPSS 0.0091
Exploits 1 | References 3
Source: CVE | added 2023/06/07 11:24 p.m. | 56 views

CVE-2023-34238

Gatsby (React-based framework) prior to versions 4.25.7 and 5.9.1 contains a Local File Inclusion (LFI) vulnerability in the __file-code-frame and __original-stack-frame paths when the Gatsby develop server is run. The issue could expose any file on the development server's scope, with exploitati...

CVSS 5.3 | AI score 4.8 | EPSS 0.0091
Exploits 1 | References 3 | Affected Software 1
Source: OSV | added 2023/06/07 11:24 p.m. | 41 views

CVE-2023-34238 Local File Inclusion vulnerability in Gatsby

Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contains a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop). Any file in scope o...

CVSS 4.3 | AI score 5.3 | EPSS 0.0091
Exploits 1 | References 5
Source: Snyk | added 2023/06/06 8:20 a.m. | 3 views

Malicious Package

Overview: react-influxdb is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package wa...

CVSS 9.8 | AI score 7.1
Exploits 0 | References 3
Source: Snyk | added 2023/06/06 8:20 a.m. | 3 views

Malicious Package

Overview: plugin-react-hooks is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this packag...

CVSS 9.8 | AI score 7.1
Exploits 0 | References 3
Source: Snyk | added 2023/06/06 8:20 a.m. | 2 views

Malicious Package

Overview: react-hook-form-deprecated is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if thi...

CVSS 9.8 | AI score 7.1
Exploits 0 | References 3
Source: Huntr | added 2023/05/29 9:35 a.m. | 25 views

DOM Cross Site Scripting and open redirect

Vulnerable Endpoint: https://demo.saleor.io/default-channel/en-US/account/login/?next=javascript:alert1 Description: 1. Hello team, recently I found that on the Saleor React storefront dashboard there is a DOM XSS and open-redirect vulnerability. Steps to reproduce XSS: 1. Go to the above mentioned...

CVSS 5.8 | AI score 6.3 | EPSS 0.00459
Exploits 1
Source: OSV | added 2023/05/29 4:41 a.m. | 13 views

MAL-2023-1108 Malicious code in @yuga-labs/web3-react (npm)

Source: ossf-package-analysis b425c34ae84cc0a28d515b6e2a691b26410edb680096a6ee0c8ab7b8698fee20. The OpenSSF Package Analysis project identified '@yuga-labs/web3-react' @ 100.0.0 npm as malicious. It is considered malicious because: - The...

AI score 7.1
Exploits 0
Source: OSSF Malicious Packages | added 2023/05/27 12:00 a.m. | 6 views

Malicious code in mintel-react-ui (npm)

Source: checkmarx 0a1835239b54b7888436777e7e123e588fdbf2fe1ca95d9162e6803d5027515e. Malicious packages campaign since 2021 targeting developers, steals source code and secrets. Source: ghsa-malware...

AI score 7.2
Exploits 0 | References 2
Source: OSV | added 2023/05/27 12:00 a.m. | 7 views

MAL-2023-602 Malicious code in mintel-react-ui (npm)

Source: checkmarx 0a1835239b54b7888436777e7e123e588fdbf2fe1ca95d9162e6803d5027515e. Malicious packages campaign since 2021 targeting developers, steals source code and secrets. Source: ghsa-malware...

AI score 7.4
Exploits 0 | References 2
Source: OSSF Malicious Packages | added 2023/05/22 1:28 a.m. | 4 views

Malicious code in react-vuejs (npm)

Source: ghsa-malware a46729b2313e52604631a44fbc0c9a6e4dea2ce5ceb901b05e055a389bfcdf8e. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0 | References 1
Source: OSV | added 2023/05/22 1:28 a.m. | 9 views

MAL-2023-737 Malicious code in react-vuejs (npm)

Source: ghsa-malware a46729b2313e52604631a44fbc0c9a6e4dea2ce5ceb901b05e055a389bfcdf8e. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0 | References 1
Source: OSSF Malicious Packages | added 2023/05/20 5:01 a.m. | 3 views

Malicious code in stripe-terminal-react-native (npm)

Source: ghsa-malware 3e6a4f5507735b6704fa9b04425050a6609564e66e4ad031bbc07e7900ce5610. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.8
Exploits 0 | References 1
Source: OSV | added 2023/05/20 5:01 a.m. | 8 views

MAL-2023-1310 Malicious code in stripe-terminal-react-native (npm)

Source: ghsa-malware 3e6a4f5507735b6704fa9b04425050a6609564e66e4ad031bbc07e7900ce5610. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0 | References 1
Source: ATTACKERKB | added 2023/05/18 10:15 p.m. | 2 views

CVE-2023-25933

A type confusion bug in TypedArray prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could have been used by a malicious attacker to execute arbitrary code via untrusted JavaScript. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, mos...

CVSS 9.8 | AI score 6.3 | EPSS 0.00891
Exploits 0 | References 3
Source: ATTACKERKB | added 2023/05/18 10:15 p.m. | 1 view

CVE-2023-23557

An error in Hermes' algorithm for copying object properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScrip...

CVSS 9.8 | AI score 6.3 | EPSS 0.00891
Exploits 0 | References 3
Source: OSV | added 2023/05/18 10:15 p.m. | 41 views

CVE-2023-30470

A use-after-free related to unsound inference in the bytecode generation when optimizations are enabled for Hermes prior to commit da8990f737ebb9d9810633502f65ed462b819c09 could have been used by an attacker to achieve remote code execution. Note that this is only exploitable in cases where Herme...

CVSS 9.8 | AI score 8.2 | EPSS 0.01249
Exploits 0 | References 2