13 matches found
Malicious code in request-logger-canary (npm)
Source: amazon-inspector. [email protected] ships a preinstall.js that, when npm install runs, opens a TCP socket to 52.74.242.200:8851 and pipes an interactive...
Linux Distros Unpatched Vulnerability : CVE-2020-7694
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP...
GHSA-33C7-2MPW-HG34 Log injection in uvicorn
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request craft...
UBUNTU-CVE-2020-7694
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request craft...
Design/Logic Flaw
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request craft...
CVE-2020-7694
This CVE affects all versions of uvicorn. The request logger is vulnerable to ANSI escape sequence injection: when handling HTTP requests, the logger logs the URL after urllib.parse.unquote processes percent-encoded characters, enabling special-meaning ANSI codes to affect terminal emulators disp...
h1-ctf: [H1-2006 2020] Writeup
^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Prologue The CTF was announced in a Hacker0x01 tweet. The goal is to make payments from Marten Mickos' account on BountyPayHQ. The announcement tweet was followed shortly by a retweet of BountypayHQ, an account made for the event. BountypayHQ has one...
h1-ctf: h1-ctf writeup , finally paid the payments by chaining multiple bugs
Summary: The ultimate aim is to pay the payments of HackerOne using BountyPay, starting with no user privileges. Given scope is: .bountypay.h1ctf.com. Enumerated subdomains are: 1. www.bountypay.h1ctf.com 2. app.bountypay.h1ctf.com 3. staff.bountypay.h1ctf.com 4. api.bountypay.h1ctf.com 5...
undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed
A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files, because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange...
CVE-2019-12250
IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log. NOTE: the software maintainer disputes that this is a vulnerability because the request logger is not...
CVE-2019-12250
CVE-2019-12250 affects IdentityServer4 up to version 2.4. The issue is a stored XSS via the httpContext in host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext, triggerable by viewing a log. Some sources (IdentityServer maintainers) dispute this as a vulnerability since the logger is not...
PT-2019-12717 · Identityserver · Identityserver
Name of the Vulnerable Software and Affected Versions: IdentityServer4 through 2.4. Description: The issue is a stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method. This can be triggered by viewing a log. It's worth noting...
Node.js third-party modules: Code Injection Vulnerability in morgan Package
I would like to report a code injection vulnerability in morgan. It allows an attacker to inject arbitrary JS commands in certain situations. Module name: morgan; version: 1.9.0; npm page: https://www.npmjs.com/package/morgan. Module Description: HTTP request logger middleware for node.js. Name...