CVE-2020-12270
React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alphanumeric IDs, which might make it easier for remote attackers to interfere with COVID-19 contact tracing by using many IDs. NOTE: the vendor disputes the relevance of this report because the recipient of an F1 alert will know it...
Design/Logic Flaw
CVE-2020-12270
CVE-2020-12270 : Affects Bluezone 1.0.0 through the React Native Bluetooth Scan component. The root cause is use of insufficiently random values to generate six-character alphanumeric IDs, which could let a remote attacker interfere with COVID-19 contact tracing by issuing many IDs. Exploitation ...
CVE-2020-12113
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used...
Cross site scripting
CVE-2020-12113
BigBlueButton is affected by CVE-2020-12113: prior to version 2.2.4, the Web UI is vulnerable to cross-site scripting via closed captions because dangerouslySetInnerHTML is used in React. This vulnerability allows XSS as described in multiple sources (e.g., BigBlueButton’s 2.2.4 release notes and...
BigBlueButton < 2.2.4 - Reflected Cross-Site Scripting (XSS)
XSS via closed captions because dangerouslySetInnerHTML in React is used...
Information Disclosure
react-oauth-flow is vulnerable to information disclosure. The vulnerability exists as it stores secrets in the front-end instead of using a properly implemented OAuth client...
@gsandf/react-native-oauth (>=2.1.16 <=2.2.2), react-native-oauth (>=1.1.0 <=2.2.0) +5 more potentially affected by CVE-2019-10805 via valib (=2.0.0)
valib NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on valib and may be impacted: - @gsandf/react-native-oauth =2.1.16, =1.1.0, =2.1.16, =2.1.15, =0.1.0, =0.4.6 Source cves: CVE-2019-10805 Source advisory: SNYK:JS-VALIB-559015...
Improper Authorization
Overview All versions of react-oauth-flow fail to properly implement the OAuth protocol. The package stores secrets in the front-end code. Instead of using a public OAuth client, it uses a confidential client on the browser. This may allow attackers to compromise server credentials. Recommendatio...
@concepto/eb (>=1.1.7 <=1.1.95), @concepto/nuxt (=1.9.427) +11 more potentially affected by CVE-2019-10804 via serial-number (>=0.3.0 <=1.3.0)
serial-number NPM version =0.3.0, =1.1.7, =0.0.1, =1.9.35, =1.1.0, =1.1.1, =0.2.1, =0.1.4, =0.1.1, =0.1.24, =2.5.0, =3.1.1 Source cves: CVE-2019-10804 Source advisory: SNYK:JS-SERIALNUMBER-559010...
Denial Of Service (DoS) Through Memory Leak
react-native-camera-kit is vulnerable to denial of service (DoS) attacks. The vulnerability exists due to the unreleased imageRef in the function snapStillImage in file CKCamera.m, allowing an attacker to trigger a memory exhaustion attack resulting in a system hang...
Acunetix v13 - Web Application Security Scanner
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix Version 13. The new release comes with an improved user interface and introduces innovations such as the SmartScan engine, malware detection functionality, comprehensive network scanning,...
huskyCI - Performing Security Tests Inside Your CI
huskyCI is an open-source tool that performs security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics. How does it work? The main goal of this project is to help development teams improve the quality of their code by...
@jamesbliss/react-flickity (>=1.0.0 <=1.4.0), @jamesbliss/react-spy (=0.0.1) +21 more potentially affected by CVE-2019-10773 via yarn (>=1.0.2 <=1.21.0)
yarn NPM version =1.0.2, =1.0.0, =1.9.9, =1.0.0, =1.0.21, =8.3.8, =0.1.0, =3.0.0, =0.0.1, =0.0.0-semantic-release, =1.5.9, =1.1.2, =1.13.1 and more Source cves: CVE-2019-10773 Source advisory: SNYK:JS-YARN-537806...
Node.js third-party modules: [htmr] DOM-based XSS
Hi, I would like to report DOM-based XSS in htmr. It allows attackers to insert malicious JavaScript payload into the page. Module module name: htmr version: 0.8.6 npm page: https://www.npmjs.com/package/htmr Module Description Simple and lightweight Hash: $window.location.hash; 4. Run the server...
Cross-Site Scripting
Overview Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags, which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be...