365 matches found
CVE-2019-16769
The CVE-2019-16769 issue affects the npm package serialize-javascript prior to version 2.1.1, which is vulnerable to Cross-site Scripting (XSS) due to unsafe characters in serialized regular expressions. Node.js environments are not affected because RegExp.prototype.toString() escapes forward sla...
1.1.0 (=1.0.0), 1c (>=6.2.0 <=8.17.2) +11732 more potentially affected by CVE-2019-16769 via serialize-javascript (>=1.0.0 <=2.1.0)
serialize-javascript NPM version =1.0.0, =6.2.0, =0.1.0, =0.0.1, =2.0.0, =0.1.0, =0.24.0, =0.1.4, =0.1.0, =1.0.0-beta.1, =1.0.4, =0.1.1, =0.1.99 and more Source cves: CVE-2019-16769 Source advisory: OSV:GHSA-H9RV-JMMF-4PGX...
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications. Recommendation Upgrade to version 2.1.1 or later...
GHSA-H9RV-JMMF-4PGX Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications. Recommendation Upgrade to version 2.1.1 or later...
UBUNTU-CVE-2016-1000006
hhvm before 3.12.11 has a use-after-free in the serializememoizeparam and ResourceBundle::construct functions...
CVE-2019-16247
Delta DCISoft 1.21 has a User Mode Write AV starting at CommLib!CCommLib::SetSerializeData+0x000000000000001b...
PYSEC-2019-166
The Serialize.deserialize method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library e.g., the standard CoAP server, CoAP client, example collect CoAP server and client when they receive crafted CoAP messages...
Denial of Service
Overview Versions of serialize-to-js prior to 2.0.0 are vulnerable to Denial of Service. User input is not properly validated, allowing attackers to provide inputs that lead the execution to loop indefinitely. Recommendation Upgrade to version 2.0.0 or later. References GitHub Advisory...
harfbuzz/hb-subset-fuzzer: Heap-buffer-overflow in CFF::CFF2VariationStore::serialize
Project: https://github.com/harfbuzz/harfbuzz.git Detailed report: https://oss-fuzz.com/testcase?key=5660711141769216 Project: harfbuzz Fuzzer: libFuzzerharfbuzzhb-subset-fuzzer Fuzz target binary: hb-subset-fuzzer Job Type: libfuzzerasanharfbuzz Platform Id: linux Crash Type: Heap-buffer-overflo...
CVE-2018-19395
ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service NULL pointer dereference and application crash because com and comsafearrayproxy return NULL in compropertiesget in ext/comdotnet/comhandlers.c, as demonstrated by a serialize call on...
@contrast/loopback-test-bench (=3.15.0), @contrast/test-bench-utils (>=2.7.0 <=3.38.0) +34 more potentially affected by CVE-2017-5941 via node-serialize (>=0.0.3 <=0.0.4)
node-serialize NPM version =0.0.3, =2.7.0, =1.1.0, =1.0.1, =1.0.0, =1.1.1, =1.0.0, =1.0.4, =1.0.0, =1.0.0, =0.0.1, =1.0.4 and more Source cves: CVE-2017-5941 Source advisory: OSV:GHSA-Q4V7-4RHW-9HQM...
Code Execution through IIFE in node-serialize
Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression IIFE if untrusted user input is passed into unserialize. Recommendation There is no direct patch for this issue. The package author has reviewed this advisory, and provided t...
GHSA-Q4V7-4RHW-9HQM Code Execution through IIFE in node-serialize
Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression IIFE if untrusted user input is passed into unserialize. Recommendation There is no direct patch for this issue. The package author has reviewed this advisory, and provided t...
astronomia (>=1.3.1 <=1.3.2) potentially affected by CVE-2017-5954 via serialize-to-js (=0.5.0)
serialize-to-js NPM version =0.5.0 is affected by a known vulnerability. The following packages have a transitive dependency on serialize-to-js and may be impacted: - astronomia =1.3.1, =1.3.2 Source cves: CVE-2017-5954 Source advisory: OSV:GHSA-MM62-WXC8-CF7M...
Code Execution Through IIFE in serialize-to-js
Affected versions of serialize-to-js may be vulnerable to arbitrary code execution through an Immediately Invoked Function Expression IIFE. Proof of Concept js var payload = "e: function eval'console.logexploited' " var serialize = require'serialize-to-js'; serialize.deserializepayload;...
GHSA-MM62-WXC8-CF7M Code Execution Through IIFE in serialize-to-js
Affected versions of serialize-to-js may be vulnerable to arbitrary code execution through an Immediately Invoked Function Expression IIFE. Proof of Concept js var payload = "e: function eval'console.logexploited' " var serialize = require'serialize-to-js'; serialize.deserializepayload;...
PJSIP PJSUA2 SDK for Android Arbitrary Code Execution Vulnerability
PJSIP PJSUA2 SDK for Android is an Android-based software development kit that provides APIs for building Session Initiation Protocol SIP multimedia user agent applications. A security vulnerability exists in versions of the PJSIP PJSUA2 SDK for Android prior to SVN Changeset 51322. The...
CVE-2017-15871
The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression "function" substring, as demonstrated by a "functionconsole.log" call or a simple infinite loop. NOTE: the vendor agrees that...
Design/Logic Flaw
DISPUTED The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression "function" substring, as demonstrated by a "functionconsole.log" call or a simple infinite loop. NOTE: the vendor agree...
CVE-2017-15871
The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression "function" substring, as demonstrated by a "functionconsole.log" call or a simple infinite loop. NOTE: the vendor agrees that...