4072 matches found

Huntr
added 2021/01/10 12:0 a.m., 63 views

Prototype Pollution in react-atomic/react-atomic-organism

Description set-object-value is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var setObjectValue = require"set-object-value" var obj = console.log"Before : " + .polluted; setObjectValueobj, 'proto','polluted', 'Yes! Its Polluted'; console.log"Afte...

7.5 CVSS, 2.2 AI score, 0.03591 EPSS
Exploits: 1

Huntr
added 2021/01/07 12:0 a.m., 13 views

Prototype Pollution in x-extends/xe-utils

Description xe-utils is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'xe-utils' console.log'Before: ', .polluted set, 'proto.polluted', true console.log'After: ', .polluted 2. Execute the following commands in the...

1.6 AI score
Exploits: 0

Huntr
added 2021/01/07 12:0 a.m., 6 views

Code Injection in facebookresearch/parlai

Description ParlAI pronounced “par-lay” is a python framework for sharing, training and testing dialogue models, from open-domain chitchat to VQA Visual Question Answering. Vulnerability description Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Run exploit.p...

2.1 AI score
Exploits: 0, References: 1

Huntr
added 2021/01/07 12:0 a.m., 14 views

Code Injection in archivy/archivy

Description Archivy is a self-hosted knowledge repository that allows you to safely preserve useful content that contributes to your knowledge bank. Vulnerability description Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Run exploit.py python import os...

1.7 AI score
Exploits: 0, References: 1

Huntr
added 2021/01/07 12:0 a.m., 16 views

Code Injection in baidu/cup

Description CUP, common useful python-lib. Currently, Most popular python lib in baidu Vulnerability description untrusted loading of data by the pickle.load function leading to Arbitrary code execution. Proof of Concept Run exploit.py import os import pickle os.system'pip3 install cup' from...

1.2 AI score
Exploits: 0, References: 1

Huntr
added 2021/01/07 12:0 a.m., 12 views

Code Injection in spotify/postgresql-metrics

Description Tool that extracts and provides metrics on your PostgreSQL database Vulnerability description unsafe loading of data by the yaml.load function leading to Arbitrary code execution. Proof of Concept Vulnerable code part python readconfigdict = yaml.loadf...

1.4 AI score
Exploits: 0

Huntr
added 2021/01/06 12:0 a.m., 23 views

Cross-site Scripting (XSS) - Generic in kekingcn/kkfileview

Description kkFileView this package is vulnerable to Stored Cross-Site Scripting XSS. https://github.com/kekingcn/kkFileView Steps To Reproduce-: stored XSS 1 install https://github.com/kekingcn/kkFileView locally or https://file.keking.cn/index use demo 2 while uploading files for preview use js...

6.6 AI score
Exploits: 0, References: 2

Huntr
added 2021/01/06 12:0 a.m., 15 views

in catalyst-team/catalyst

Description Catalyst is a PyTorch framework for Deep Learning research and development. It focuses on reproducibility, rapid experimentation, and codebase reuse so you can create something new rather than write another regular train loop. This package was vulnerable to Arbitrary code execution vi...

0.6 AI score
Exploits: 0, References: 1

Huntr
added 2021/01/06 12:0 a.m., 39 views

Prototype Pollution in robinvdvleuten/shvl

Description shvl is vulnerable to Prototype Pollution. This package fails to restrict access to prototypes of objects, allowing for modification of prototype behavior using a proto payload, which may result in Sensitive Information Disclosure/Denial of ServiceDoS/Remote Code Execution. Proof of...

7.5 CVSS, 1.6 AI score, 0.02944 EPSS
Exploits: 1

Huntr
added 2021/01/04 12:0 a.m., 10 views

Prototype Pollution in ionicabizau/obj-def

Description obj-def is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var objDef = require"obj-def" var obj = console.log"Before : " + .polluted; objDefobj, "proto", .polluted ='Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute the...

2.3 AI score
Exploits: 0

Huntr
added 2021/01/04 12:0 a.m., 10 views

Code Injection in uber/petastorm

Description Petastorm is an open source data access library developed at Uber ATG. This library enables single machine or distributed training and evaluation of deep learning models directly from datasets in Apache Parquet format. Petastorm supports popular Python-based machine learning ML...

1.6 AI score
Exploits: 0, References: 1

Huntr
added 2021/01/04 12:0 a.m., 10 views

Prototype Pollution in darrenpaulwright/object-agent

Description object-agent is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js import set from 'object-agent'; var obj = console.log"Before : " + .polluted; setobj, 'proto.polluted', 'Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute th...

1.6 AI score
Exploits: 0

Huntr
added 2020/12/21 12:0 a.m., 10 views

Prototype Pollution in rodrigocmoreira/sgt-fields

Description sgt-fields is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var sgtFields = require"sgt-fields" var obj = console.log"Before : " + .polluted; sgtFields.setobj,"proto.polluted","Yes! Its Polluted"; console.log"After : " + .polluted; 2...

1.9 AI score
Exploits: 0

Huntr
added 2020/12/21 12:0 a.m., 13 views

Prototype Pollution in yowainwright/common-utilities

Description @common-utilities/merge-objects is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var a = require"@common-utilities/merge-objects" const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " +...

2 AI score
Exploits: 0

Huntr
added 2020/12/21 12:0 a.m., 13 views

Code Injection in tensorflow/models

Description Arbitrary Code Execution in Tensorflow/Models. The TensorFlow Model Garden is a repository with a number of different implementations of state-of-the-art SOTA models and modeling solutions for TensorFlow users. We aim to demonstrate the best practices for modeling so that TensorFlow...

3.9 AI score
Exploits: 0, References: 1

Huntr
added 2020/12/21 12:0 a.m., 7 views

Prototype Pollution in bonnevoyager/nested-objects-util

Description nested-objects-util is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var unflatten = require"nested-objects-util" console.log"Before : " + .polluted; unflatten"proto.polluted": "Yes! Its Polluted" console.log"After : " + .polluted; 2...

2.1 AI score
Exploits: 0

Huntr
added 2020/12/21 12:0 a.m., 9 views

Code Injection in svaarala/duktape

Description Arbitrary Code Execution in svaarala/duktape/tools/genconfig.py. Duktape - embeddable Javascript engine with a focus on portability and compact footprint. Genconfig is a Process Duktape option metadata and produce various useful outputs. Technical Description This package was...

1 AI score
Exploits: 0, References: 1

Huntr
added 2020/12/21 12:0 a.m., 5 views

Code Injection in mozilla/deepspeech

Description Arbitrary Code Execution in mozilla/DeepSpeech. DeepSpeech is an open source embedded offline, on-device speech-to-text engine which can run in real time on devices ranging from a Raspberry Pi 4 to high power GPU servers. Technical Description This package was vulnerable to Arbitrary...

0.8 AI score
Exploits: 0, References: 1

Huntr
added 2020/12/21 12:0 a.m., 21 views

Cross-site Scripting (XSS) - Generic in netlify/netlify-cms

Description netlify-cms-widget-markdown is vulnerable to Cross-Site Scripting XSS. Steps To Reproduce 1. Use the application or use the demo https://cms-demo.netlify.com//collections/posts/new 2. Switch to markdown mode in editor. 3. Insert the xss payload in to the editorbody 4. XSS payload will...

0.1 AI score
Exploits: 0

Huntr
added 2020/12/21 12:0 a.m., 14 views

Prototype Pollution in patrickleet/expand-keys

Description expand-keys is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var expandKeys = require"expand-keys" console.log"Before : " + .polluted; expandKeys"proto.polluted": "Yes! Its Polluted" console.log"After : " + .polluted; 2. Execute the...

2.5 AI score
Exploits: 0

Huntr
added 2020/12/21 12:0 a.m., 24 views

Code Injection in apolloauto/apollo

Description Arbitrary Code Execution in genprotofile.py in ApolloAuto/Apollo. An open autonomous driving platform. Technical Description This package was vulnerable to Arbitrary code execution due to a use of a known vulnerable function load in yaml. fix is to be done genprotofile.py Exploit cod...

0.6 AI score
Exploits: 0, References: 1

Huntr
added 2020/12/21 12:0 a.m., 13 views

Code Injection in zqpei/deep_sort_pytorch

Description Arbitrary Code Execution in deepsort built on pytorch. MOT tracking using deepsort and yolov3 with pytorch. Technical Description This package was vulnerable to Arbitrary code execution due to a use of a known vulnerable function load in yaml. All the scripts importing utils/parser.p...

1.8 AI score
Exploits: 0, References: 1

Huntr
added 2020/12/21 12:0 a.m., 26 views

Code Injection in microsoft/qlib

Description Arbitrary Code Execution in microsoft/qlib. Qlib is an AI-oriented quantitative investment platform, which aims to realize the potential, empower the research, and create the value of AI technologies in quantitative investment. Technical Description This package was vulnerable to...

6.5 CVSS, 3 AI score, 0.03555 EPSS
Exploits: 1, References: 1

Huntr
added 2020/12/21 12:0 a.m., 16 views

Code Injection in ultralytics/yolov3

Description Arbitrary Code Execution in ultralytics/yolov3. Yolov3 is a model from Ultralytics. Ultralytics is a U.S.-based particle physics and AI startup with over 6 years of expertise supporting government, academic and business clients. Ultralytics offer a wide range of vision AI services,...

0.3 AI score
Exploits: 0, References: 1

Huntr
added 2020/12/21 12:0 a.m., 15 views

Code Injection in ultralytics/yolov5

Description Arbitrary Code Execution in ultralytics/yolov5. Yolov5 is an Object Detection model from Ultralytics. Ultralytics is a U.S.-based particle physics and AI startup with over 6 years of expertise supporting government, academic and business clients. Ultralytics offer a wide range of visi...

0.4 AI score
Exploits: 0, References: 1

Huntr
added 2020/12/21 12:0 a.m., 54 views

Code Injection in microsoft/nni

Description Arbitrary Code Execution in microsoft/nni. An open source AutoML toolkit for automate machine learning lifecycle, including feature engineering, neural architecture search, model compression and hyper-parameter tuning. Technical Description This package was vulnerable to Arbitrary co...

6.5 CVSS, 1.6 AI score, 0.02482 EPSS
Exploits: 0, References: 1

Huntr
added 2020/12/21 12:0 a.m., 17 views

in nvidia/runx

Description runx is a Deep Learning Experiment Management library by NVIDIA. This package was vulnerable to Arbitrary code execution via Insecure YAML deserialization due to the use of a known vulnerable function load in yaml. repo: https://github.com/NVIDIA/runx Proof of Concept python...

1.4 AI score
Exploits: 0, References: 1

Huntr
added 2020/12/21 12:0 a.m., 13 views

Prototype Pollution in badopcode/nodash

Description ts-nodash is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var merge = require"ts-nodash".Merge const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " + .polluted; mergeobj, payload;...

2 AI score
Exploits: 0

Huntr
added 2020/12/18 12:0 a.m., 81 views

Cross-site Scripting (XSS) - Generic in apexcharts/apexcharts.js

Description apexcharts is vulnerable to Cross-Site Scripting XSS. Proof of Concept 1. Install the package by following this instruction https://apexcharts.com/docs/installation/ or try the live sandbox here https://codepen.io/apexcharts/pen/xYqyYm 2. Edit JS and insert the XSS payload below in th...

4.3 CVSS, 0.3 AI score, 0.0137 EPSS
Exploits: 1

Huntr
added 2020/12/17 12:0 a.m., 11 views

Cross-site Scripting (XSS) - Generic in igniterealtime/openfire-bookmarks-plugin

Description openfire-bookmarks-plugin is vulnerable to Cross-Site Scripting XSS. Steps To Reproduce 1. Download openfire and install https://www.igniterealtime.org/downloads/ 2. Run the server http://localhost:9090/index.jsp 3. Click on "Plugins" http://localhost:9090/plugin-admin.jsp and install...

5.8 AI score
Exploits: 0

Huntr
added 2020/12/17 12:0 a.m., 25 views

Prototype Pollution in ionicabizau/obj-unflatten

Description obj-unflatten convert flatten objects in nested ones. This package is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const unflatten = require'obj-unflatten' console.log'Before: ' + .polluted unflatten'proto.polluted':...

2.1 AI score
Exploits: 0

Huntr
added 2020/12/17 12:0 a.m., 10 views

Prototype Pollution in ionicabizau/set-or-get.js

Description set-or-get is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var SetOrGet = require"set-or-get"; var obj = console.log"Before : " + .polluted; SetOrGetobj, "proto", .polluted ='Yes! Its Polluted'; console.log"After : " + .polluted; 2...

2 AI score
Exploits: 0

Huntr
added 2020/12/17 12:0 a.m., 14 views

Cross-Site Request Forgery (CSRF) in strider-cd/strider

Description Strider is an Open Source Continuous Deployment / Continuous Integration platform. It is written in Node.js and Ember.js and uses MongoDB as a backing store. This platform is vulnerable to Cross-Site Request Forgery CSRF. It allows an attacker to take over accounts, privilege...

0.7 AI score
Exploits: 0

Huntr
added 2020/12/17 12:0 a.m., 13 views

Prototype Pollution in asaianudeep/deep-override

Description deep-override is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var deepOverride = require"deep-override" const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " + .polluted; deepOverrideobj,...

2.1 AI score
Exploits: 0

Huntr
added 2020/12/14 12:0 a.m., 19 views

Prototype Pollution in steveukx/properties

Description properties-reader is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC and INI files: // poc.js var propertiesReader = require'properties-reader'; console.log"Before : " + .polluted console.log"Before : " + .polluted1 var properties =...

2.1 AI score
Exploits: 0

Huntr
added 2020/12/14 12:0 a.m., 20 views

Prototype Pollution in evangelion1204/multi-ini

Description multi-ini is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC and INI files: // poc.js const ini = require'multi-ini'; console.log"Before : " + .polluted; var content = ini.read'./payload.ini'; console.log"After : " + .polluted; //payload.ini constructor...

7.5 CVSS, 2.3 AI score, 0.01425 EPSS
Exploits: 1

Huntr
added 2020/12/14 12:0 a.m., 30 views

Prototype Pollution in mout/mout

Description mout is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var mout = require"mout" var obj = console.log"Before : " + .polluted; mout.object.setobj,'proto.polluted','Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute the...

7.5 CVSS, 2.1 AI score, 0.02119 EPSS
Exploits: 1

Huntr
added 2020/11/24 12:0 a.m., 23 views

Cross-site Scripting (XSS) - Generic in thirtybees/thirtybees

Description Thirty bees is a matured e-commerce solution which once started as a fork of PrestaShop 1.6.1.11 and is still compatible with almost all PS 1.6 modules. Its focus is on stability, correctness and reliability of the rich feature set, to allow merchants to focus on growing their business...

6.4 AI score
Exploits: 0, References: 1

Huntr
added 2020/11/24 12:0 a.m., 19 views

Business Logic Errors in braitsch/node-login

Description node-login is a template for quickly building login systems on top of Node.js & MongoDB. The business logic which updates account details fails to verify if the provided email is associated with another account. Proof of Concept 1. Navigate to /signup and Create two accounts with data...

1.5 AI score
Exploits: 0

Huntr
added 2020/11/24 12:0 a.m., 6 views

Prototype Pollution in nodef/extra-object

Description extra-object is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var extraObject = require"extra-object" var obj =...

1.9 AI score
Exploits: 0

Huntr
added 2020/11/23 12:0 a.m., 24 views

Cross-site Scripting (XSS) - Generic in s-cart/core

Description s-cart is a free e-commerce website project for businesses, built on the Laravel framework. this package is vulnerable to Stored Cross-Site Scripting XSS. https://github.com/s-cart/s-cart https://s-cart.org/about.html Steps To Reproduce-: 1 install https://github.com/s-cart/s-cart...

4.3 CVSS, 6.2 AI score, 0.01071 EPSS
Exploits: 1, References: 1

Huntr
added 2020/11/19 12:0 a.m., 20 views

Code Injection in jadonk/bonescript

Overview BoneScript is a node.js library for physical computing on embedded Linux, starting with support for BeagleBone. Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbitrary commands by using a semicolon char in the setDate function. Proof of...

1.9 AI score
Exploits: 0

Huntr
added 2020/11/19 12:0 a.m., 31 views

Prototype Pollution in mozilla/node-convict

Description convict is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var convict = require"convict"; var obj = ; var config =...

7.5 CVSS, 2.3 AI score, 0.02027 EPSS
Exploits: 1

Huntr
added 2020/11/18 12:0 a.m., 45 views

Prototype Pollution in b-heilman/bmoor

Description bmoor is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js const bmoor = require'bmoor'; var obj = console.log"Before : " ...

7.5 CVSS, 1.7 AI score, 0.01469 EPSS
Exploits: 1

Huntr
added 2020/11/18 12:0 a.m., 16 views

Prototype Pollution in maikelvl/dot-json

Description dot-json is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var dotJson = require"dot-json" var myfile = new...

1.8 AI score
Exploits: 0

Huntr
added 2020/11/03 12:0 a.m., 17 views

Cross-site Scripting (XSS) - Generic in frappe/charts

Description frappe-charts is vulnerable to Cross-Site Scripting XSS. Steps To Reproduce 1. Open NPM repo https://www.npmjs.com/package/frappe-charts 2. Open the Explore demos https://frappe.io/charts 3. At the bottom find the sandbox Ref:...

0.5 AI score
Exploits: 0, References: 2

Huntr
added 2020/11/01 12:0 a.m., 5 views

Prototype Pollution in imrefazekas/assign.js

Description assign.js is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var Assigner = require"assign.js" var assigner = new Assign...

1.9 AI score
Exploits: 0

Huntr
added 2020/10/30 12:0 a.m., 14 views

Prototype Pollution in okunishinishi/node-objnest

Description objnest is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var objnest = require"objnest" console.log"Before : " +...

1.8 AI score
Exploits: 0

Huntr
added 2020/10/28 12:0 a.m., 11 views

Prototype Pollution in generates/generates

Description @generates/merger is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var merger = require"@generates/merger" const paylo...

1.7 AI score
Exploits: 0

Huntr
added 2020/10/25 12:0 a.m., 42 views

Prototype Pollution in jquense/yup

Description yup is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js let yup = require'yup'; const payload =...

1.5 AI score
Exploits: 0

Total number of security vulnerabilities: 4072