33426 matches found
ts-fns has prototype pollution vulnerability
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties int...
mpregular vulnerable to prototype pollution
mpregular is a package that provides a small program development framework based on RegularJS. A Prototype Pollution vulnerability in the mp.addEventHandler function of mpregular version 0.2.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload,...
Duplicate Advisory: rollbar vulnerable to prototype pollution
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r8c2-2qwq-94p6. This link is maintained to preserve external references. Original Description rollbar is a package designed to effortlessly track and debug errors in JavaScript applications. This package include...
Llama Stack could potentially allow for remote code execution
Llama Stack prior to version v0.2.20 accepted unverified parameters in the resolveastbytype function which could potentially allow for remote code execution...
messageformat has a prototype pollution vulnerability
The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special character...
json-schema-editor-visual vulnerable to prototype pollution
json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function of json-schema-editor-visual versions thru 1.1.1 allows attackers to inject or delete properties on Object.prototype via supplying a crafted payload,...
node-cube vulnerable to prototype pollution
The node-cube package prior to version 5.0.0 contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of...
sassdoc-extras vulnerable to prototype pollution
A Prototype Pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service DoS as the minimum consequence...
csvjson vulnerable to prototype injection
A Prototype Pollution vulnerability in the toCsv function of csvjson versions thru 5.1.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service DoS as the minimum consequence...
web3-core-subscriptions has a Prototype Pollution vulnerability
The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causi...
web3-core-method is vulnerable to prototype pollution
web3-core-method is a package designed to creates the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject function of web3-core-method version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing...
Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes
Summary The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. Details The attributes of an iframe are populated with the value of an unreserved data attribute data-iframeconfig that can be set via wikitext:...
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure
The Mastra Docs MCP Server package @mastra/mcp-docs-server is a server designed to provide documentation context to AI agentic workflows, such as those used in AI-powered IDEs. Resources: Package URL: https://www.npmjs.com/package/@mastra/mcp-docs-server ----- Overview The @mastra/mcp-docs-server...
Command Injection in adb-mcp MCP Server
Command Injection in adb-mcp MCP Server The MCP Server at https://github.com/srmorete/adb-mcp is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server is also published publicly to npm at...
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and yarnPath could be executed prior to the user accepting the risks of working in an untruste...
Omni Wireguard SideroLink potential escape
Overview Omni and each Talos machine establish a peer-to-peer P2P SideroLink connection using WireGuard to mutually authenticate and authorize access. In this setup, Omni assigns a random IPv6 address to each Talos machine from a /64 network block. Omni itself uses the fixed ::1 address within th...
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
Impact v3.1.0, v2.1.3, v1.16.5 and below Patches Has been patched in 3.1.1, 2.1.4, and 1.16.6 Workarounds You can use the ignore option to ignore non files/directories. js ignore , header // pass files & directories, ignore e.g. symlinks return header.type !== 'file' && header.type !== 'directory...
counterpart vulnerable to prototype pollution
A vulnerability exists in the counterpart library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by supplying malicious...
CSVTOJSON has a prototype pollution vulnerability
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parserjsonarr...
min-document vulnerable to prototype pollution
A vulnerability exists in the 'min-document' package prior to version 2.19.1, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the proto property, an attacker can manipulate the prototype chain of JavaScript objects,...
messageformat prototype pollution vulnerability
The Runtime components of messageformat package for Node.js version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing...
Mangati NovoSGA XSS vulnerability in /admin
A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component SVG File Handler. Performing manipulation of the argument logoNavbar/logoLogin results in cross site scripting. Remote exploitation of the attack is...
pip's fallback tar extraction doesn't check symbolic links point to extraction directory
When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python versi...
Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands
Improper permission checks in the AdminServer allow an authenticated client with insufficient privileges to invoke the snapshot and restore commands. The intended requirement is authentication and authorization on the root path / with ALL permission for these operations; however, affected version...
Apache IoTDB: DoS Vulnerability
A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Users are recommended to upgrade to version 2.0.5, which fixes the issue...
Apache IoTDB: Deserialization of untrusted Data
Summary Apache IoTDB deserializes data from external inputs without sufficient validation, allowing attacker-controlled serialized objects to be processed. In environments where a compatible gadget chain is reachable, this can be abused to execute arbitrary code or alter server state; at minimum ...
Liferay Portal and DXP does not properly expire sessions
Summary Liferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout SLO API may fail to invalidate a user’s previous session. An attacker can reuse a stale session via the SLO endpoint to gain an authenticated context. Affected Versions The following platform...
WSO2 Identity Server Apps allows content spoofing in logs
A content spoofing issue exists in WSO2 Identity Server Apps, specifically in the Authentication Portal, due to improper handling of authentication error messages. When an authentication failure occurs, the portal previously accepted an authFailureMsg value supplied via URL and rendered it in the...
GP247 and S-Cart have a stored cross-site scripting (XSS) vulnerability
A stored cross-site scripting XSS vulnerability in the Admin Log Viewer of S-Cart =10.0.3 allows a remote authenticated attacker to inject arbitrary web script or HTML via a crafted User-Agent header. The script is executed in an administrator's browser when they view the security log page, which...
astral-tokio-tar has a path traversal in tar extraction
Impact In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpackinraw API. Additionally, the Entry::allowexternalsymlinks control which defaults to true could be bypassed via a pair of symlinks that...
Http4s vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section
Summary http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to: - Bypass front-end servers security controls - Launch targeted attacks against active users - Poison web caches Pre-requisites for the exploitatio...
WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability
An authenticated stored Cross-Site Scripting XSS vulnerability exists in WSO2 API Manager components carbon-apimgt due to insufficient validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document whose...
Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer
The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service ReDoS in the AdamWeightDecay optimizer. The vulnerability arises from the douseweightdecay method, which processes user-controlled regular expressions in the includeinweightdecay...
DNN vulnerable to Reflected Cross-Site Scripting (XSS) using url to profile
Summary A reflected cross-site scripting XSS vulnerability exists under certain conditions, using a specially crafter url to view a user profile Description DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that are returned to th...
DNN Vulnerable to Stored XSS Using Backend Admin Credentials
Summary Users that can edit modules could set a title that includes scripts. Description Some users administrators and content editors can set html in module titles and that could include javascript which could be used for XSS based attacks. With the addition of more roles being able to set modul...
DNN Vulnerable to Stored Cross-Site Scripting (XSS) in the Prompt module
Summary The Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script execution XSS. Description The application sanitizes most user-submitted...
Liferay Portal and DXP audit events record password reminder answers
In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions the audit events records a user’s password reminder answer, which allows remote...
Liferay Portal and DXP does not properly check permission with import and export tasks
Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 does not properly check permission with import and export tasks, which allows remote authenticated users to access the exported data via...
Liferay Portal and DXP allows users to add a note to a different virtual instance
Insecure Direct Object Reference IDOR vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to add a...
Our plan for a more secure npm supply chain
Open source software is the bedrock of the modern software industry. Its collaborative nature and vast ecosystem empower developers worldwide, driving efficiency and progress at an unprecedented scale. This scale also presents unique vulnerabilities that are continually tested and under attack by...
DNN affected by Stored Cross-Site Scripting (XSS) in Profile Biography field
Summary Users can use special syntax to inject javascript code in their profile biography field. Although there was sanitization in place, it did not cover all possible scenarios Description When embedding information in the Biography field, even if that field is not rich-text, users could inject...
DNN allows loading unused themes on anonymous clients through query parameters
Summary Arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. Details Many people who run DNN sites have a number of installed theme...
Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink
Summary The lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. Details...
Liferay has a stored cross-site scripting (XSS) vulnerability via a a publication’s “Name” text field
Stored cross-site scripting XSS vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web scripts or HTML via a crafte...
H2O affected by a deserialization vulnerability
A deserialization vulnerability exists in h2oai/h2o-3 versions = 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and...
CodeChecker has a buffer overflow in the log command
Summary CodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal ldlogger library, which is executed by the CodeChecker log command. Details Unsafe usage of strcpy function in the internal ldlogger library allows attackers to trigger a buffer overflow by supplying...
Mailgen: HTML injection vulnerability in plaintext e-mails
HTML Injection and XSS Filter Bypass in Plaintext Emails Summary An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Your project is affected if you use the Mailgen.generatePlaintextemail; method and pass in user-generated content. The issue was discovere...
`git-comiters` Command Injection vulnerability
Background on the vulnerability This vulnerability manifests with the library's primary exported API: gitCommitersoptions, callback which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not saniti...
@conventional-changelog/git-client has Argument Injection vulnerability
Background on exploitation This vulnerability manifests with the library's getTags API, which allows specifying extra parameters passed to the git log command. In another API by this library - getRawCommits there are secure practices taken to ensure that the extra parameter path is unable to inje...
Ammonia incorrectly handles embedded SVG and MathML leading to mutation XSS after removal
Affected versions of this crate did not correctly strip namespace-incompatible tags in certain situations, causing it to incorrectly account for differences between HTML, SVG, and MathML. This vulnerability only has an effect when the svg or math tag is allowed, because it relies on a tag being...