4913 matches found

OSV
added 2018/06/04 7:29 p.m., 17 views

CVE-2016-10697

react-native-baidu-voice-synthesizer is a Baidu voice speech synthesizer for React Native. react-native-baidu-voice-synthesizer downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources...

CVSS 8.1, AI score 8.6
Exploits 0, References 1
Cvelist
added 2018/06/04 7:00 p.m., 28 views

CVE-2017-16028

react-native-meteor-oauth is a library for OAuth2 login to a Meteor server in React Native. The OAuth random token is generated using a non-cryptographically strong RNG (Math.random)...

AI score 6.2, EPSS 0.0135
Exploits 0, References 2
CVE
added 2018/06/04 7:00 p.m., 58 views

CVE-2017-16028

CVE-2017-16028 affects IBM Tivoli Netcool/OMNIbus WebGUI via the React/Node.js component (react-native-meteor-oauth) using a weak RNG (Math.random) for OAuth tokens. Remediation: upgrade WebGUI to 8.1.0 Fix Pack 28 (affecting 8.1.0 FP27 and earlier).

CVSS 5.3, AI score 5.1, EPSS 0.0135
Exploits 0, References 2, Affected Software 1
CVE
added 2018/06/04 7:00 p.m., 41 views

CVE-2016-10697

The vulnerability CVE-2016-10697 affects react-native-baidu-voice-synthesizer, which downloads resources over HTTP. The underlying issue is unencrypted network requests, enabling MITM interception and potential remote code execution by substituting resources with attacker-controlled copies. Multi...

CVSS 9.3, AI score 8.2, EPSS 0.01752
Exploits 0, References 1, Affected Software 1
Cvelist
added 2018/06/04 7:00 p.m., 20 views

CVE-2016-10697

react-native-baidu-voice-synthesizer is a Baidu voice speech synthesizer for React Native. react-native-baidu-voice-synthesizer downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources...

AI score 8.3, EPSS 0.01752
Exploits 0, References 1
Node.js
added 2018/05/17 8:43 p.m., 558 views

Cross-Site Scripting

Overview: All versions of react-marked-markdown are vulnerable to cross-site scripting (XSS) via href attributes. This is exploitable if user input is provided to react-marked-markdown. Proof of concept: import React from 'react' import ReactDOM from 'react-dom' import MarkdownPreview from...

AI score 5.9
Exploits 0, Affected Software 1
Node.js
added 2018/05/16 4:36 p.m., 502 views

Cross-Site Scripting

Overview: Versions of react-svg before 2.2.18 are vulnerable to cross-site scripting (XSS). This is due to the fact that scripts found in SVG files are run by default. Recommendation: Update to version 2.2.18 or later. References: GitHub PR 57; GitHub Advisory...

AI score 6.2
Exploits 0, Affected Software 1
The Hacker Blog
added 2018/05/16 1:33 p.m., 15 views

“I too like to live dangerously”, Accidentally Finding RCE in Signal Desktop via HTML Injection in Quoted Replies

Remediation TL;DR: If you’re a concerned Signal user, please update to the latest version of Signal Desktop; version v1.11.0 addresses all of these issues. Note that the mobile apps for Signal were not affected by this issue. Background Information: If you’re an avid follower of all th...

CVSS 6.1, AI score 7, EPSS 0.01458
Exploits 1
Node.js
added 2018/05/15 11:46 p.m., 13 views

Malicious Package

Overview: Version 0.0.7 of react-server-native contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.0.7 of this module is found...

AI score 6.9
Exploits 0, Affected Software 1
Node.js
added 2018/05/15 11:45 p.m., 14 views

Malicious Package

Overview: Version 0.3.0 of react-dates-sc contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.3.0 of this module is found...

AI score 6.9
Exploits 0, Affected Software 1
Veracode
added 2018/05/14 3:04 a.m., 12 views

Cross-Site Scripting (XSS)

react-marked-markdown is vulnerable to cross-site scripting (XSS). The vulnerability exists because it does not sanitize the href values to an XSS-free string...

AI score 6.1
Exploits 0
Veracode
added 2018/04/30 7:44 a.m., 9 views

Cross-site Scripting (XSS)

react-svg is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists due to the default configuration of allowing scripts to be evaluated, despite being documented otherwise, allowing malicious scripts to be executed when rendered...

AI score 5.7
Exploits 0
Hacker One
added 2018/04/27 7:35 p.m., 43 views

Node.js third-party modules: The react-marked-markdown module allows XSS injection in href values.

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report XSS in...

AI score 0.5
Exploits 0
Jake Archibald's Blog
added 2018/02/27 2:47 p.m., 16 views

Third party CSS is not safe

A few days ago there was a lot of chatter about a 'keylogger' built in CSS. Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third part...

AI score 7.3
Exploits 0
Information Security Automation
added 2018/01/24 5:19 p.m., 1500 views

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0

Vulners Team released today the second version of their Web Vulnerability Scanning plugin for the Google Chrome browser. You can read my description of version 1.0 at "Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome". The killer feature of Vulners web scanner v. 2.0 is...

AI score 6.8
Exploits 0
Jake Archibald's Blog
added 2017/10/31 11:02 a.m., 18 views

Netflix functions without client-side React, and it's a good thing

A few days ago Netflix tweeted that they'd removed client-side React.js from their landing page and they saw a 50% performance improvement. It caused a bit of a stir. This shouldn't be a surprise. The following: 1. Download HTML & CSS in parallel. 2. Wait for CSS to finish downloading & execute it...

AI score 7
Exploits 0
CNVD
added 2017/07/24 12:00 a.m., 3 views

ABB VSN300 WiFi Logger Card and VSN300 WiFi Logger Card for React Privilege Access Control Vulnerability

The ABB VSN300 WiFi Logger Card and the VSN300 WiFi Logger Card for React are both wireless data logger card products from Asea Brown Boveri (ABB), Switzerland. A security vulnerability exists in the ABB VSN300 WiFi Logger Card and VSN300 WiFi Logger Card for React, which stems from the program...

CVSS 6.5, AI score 7, EPSS 0.01459
Exploits 0, References 1
myhack58
added 2017/07/10 12:00 a.m., 65 views

Flexport's year on HackerOne: report 6, an interesting vulnerability (vulnerability warning, the black bar safety net)

A year ago the Internet freight forwarding company Flexport, in order to improve the security of its customer data, established a cooperative relationship with the HackerOne platform. HackerOne, as a globally well-known bug bounty platform, allows all security enthusiasts and professional penetrati...

AI score 7.1
Exploits 0
Veracode
added 2017/04/17 3:05 a.m., 17 views

Cryptographically Insecure Token Generation

react-native-meteor-oauth generates insecure tokens. These tokens are insecure because they are generated using the randomatic package, which is not cryptographically secure. This makes it easier for attackers to brute force tokens...

CVSS 5.3, AI score 6.3, EPSS 0.0135
Exploits 0, References 2, Affected Software 2
n0where
added 2017/03/20 7:39 a.m., 19 views

Personalized User Focused Security: Stethoscope

Stethoscope is a web application that collects information from existing device data sources (e.g., JAMF or LANDESK) on a given user’s devices and gives them clear and specific recommendations for securing their systems. Stethoscope consists of two primary pieces: a Python-based back-end and a...

Exploits 0, References 1