Sandbox Breakout / Arbitrary Code Execution

Overview All versions of safe-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload chaining a function's callee and caller constructors can escape the sandbox and execute arbitrary code. For example, the payload = const targetKey = Object.keysthis0;...

Cross-Site Scripting

Overview All versions of html-pages are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize folder names, allowing attackers to execute arbitrary JavaScript in the victim's browser through folders with names containing malicious code. Recommendation No fix is currently available...

Cross-Site Scripting

Overview Versions of swagger-ui prior to 2.2.1 are vulnerable to Cross-Site Scripting XSS. The package allows HTML code in the swagger.apiInfo.description value without proper sanitization, which may allow attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 2.2.1 or later...

Denial of Service

Overview Versions of axios prior to 0.18.1 are vulnerable to Denial of Service. If a request exceeds the maxContentLength property, the package prints an error but does not stop the request. This may cause high CPU usage and lead to Denial of Service. Recommendation Upgrade to 0.18.1 or later...

Cross-Site Scripting

Overview Versions of verdaccio prior to 3.12.0 are vulnerable to Cross-Site Scripting. Contents of READMEs are not properly sanitized before rendering, which may allow attackers to execute arbitrary JavaScript code. Recommendation Upgrade to version 3.12.0 or later...

Open Redirect

Overview Versions of ecstatic prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domains. Recommendation If using ecstatic 4.x, upgrade to 4.1.2 or later. If...

Cross-Site Scripting

Overview All versions of materialize-css are vulnerable to Cross-Site Scripting. The tooltip component does not sufficiently sanitize user input, allowing an attacker to execute arbitrary JavaScript code if the malicious input is rendered by a user. Recommendation No fix is currently available...

Cross-Site Scripting

Overview All versions of materialize-css are vulnerable to Cross-Site Scripting. The autocomplete component does not sufficiently sanitize user input, allowing an attacker to execute arbitrary JavaScript code if the malicious input is rendered by a user. Recommendation No fix is currently...

Denial of Service

Overview Versions of https-proxy-agent before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options proxy.auth being passed to Buffer. Recommendation Update to version 2.2.0 or later. References - index.js Line 207 - HackerOne Report - GitHub Advisory...

Prototype Pollution

Overview Versions of default-deep before 0.2.4 are vulnerable to prototype pollution Recommendation Update to version 0.2.4 or later. References - HackerOne Report - GitHub Advisory...

Cross-Site Scripting

Overview Versions of html-janitor prior to 2.0.2 all current versions are vulnerable to cross-site scripting XSS. This is exploitable if user-controlled data is passed into the modules clean function. Recommendation No fix is currently available for this vulnerability. It is recommended to use an...

Malicious Package

Overview The npm-script-demo package is a piece of malware that opens a connection to a command and control server and executed the instructions it is given. It has been removed from the npm registry. Recommendation Any computer that has this package installed or running should be considered full...

Directory Traversal

Overview Affected versions of exxxxxxxxxxx resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

Directory Traversal

Overview Affected versions of cuciuci resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Spoofing attack due to unvalidated KDC

Overview Affected versions of node-krb5 do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials. Recommendation It appears that this will remain unfixed...

SQL Injection

Overview Versions 2.0.0-rc-7 and earlier of sequelize are affected by a SQL injection vulnerability when user input is passed into the order parameter. Proof of Concept javascript Test.findAndCountAll where: id :1 , order : 'id', 'UNTRUSTED USER INPUT' Recommendation Update to version 2.0.0-rc8 o...

Command Injection

Overview The dns-sync library for node.js allows resolving hostnames in a synchronous fashion All versions of dns-sync prior to the release 0.1.1 were vulnerable to arbitrary command execution via maliciously formed hostnames. For example: var dnsSync = require'dns-sync';...

Cross-Site Scripting

Overview There is an XSS vulnerability in tinymce before version 5.7.1. Impact A cross-site scripting XSS vulnerability was discovered in the URL sanitization logic of the core parser for form elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted...

Information Exposure

Overview Versions of apollo-server-micro prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoInstrospection rule for the Websocket. This leaks the GraphQL schema types, their relation...

Timing Attack

Overview Versions of jsrsasign are vulnerable to Timing Attacks. The signHex function uses a timing-unsafe method for ECDSA key generation and signing. This leaks the length of the scalar, which attackers may use to brute-force the private key. Timing attacks can be used to increase the efficienc...

Validation Bypass

Overview Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation. Recommendation Upgrade to versions 6.0.3 or later. References - GitHub issue -...

Server-Side Request Forgery

Overview Versions of ftp-srv prior to versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request Forgery SSRF. The package fails to prevent remote clients to access other resources in the network, for example when connecting to the server through telnet. This allows attackers to acce...

Command Injection

Overview All versions of plotter are vulnerable to Command Injection. The package fails to sanitize plot titles, which may allow attackers to execute arbitrary code in the system if the title value is supplied by a user. The following proof-of-concept creates a testing file in the current...

Arbitrary File Write

Overview Versions of bin-links prior to 1.1.5 are vulnerable to an Arbitrary File Write. The package fails to restrict access to folders outside of the intended nodemodules folder through the bin field. This allows attackers to create arbitrary files in the system. Note it is not possible to...

Cross-Site Scripting

Overview Versions of pannellum prior to 2.5.6 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize URLs for data URIs, which may allow attackers to execute arbitrary code in a victim's browser. Recommendation Upgrade to version 2.5.6 or later. References - GitHub Security...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Sandbox Breakout

Overview Versions of realms-shim prior to 1.2.1 are vulnerable to a Sandbox Breakout. The Realms evaluation function has an option to apply Babel-like transformations to the source code before it reaches the evaluator. One portion of this transform pipeline exposed a primal-Realm object to the...

Cross-Site Scripting

Overview All versions of status-board are vulnerable to Cross-Site Scripting. The renderDashboard function concatenates the safeDashboard variable to the printed error message with insufficient sanitization. If this variable is controlled by user input it allows attackers to execute arbitrary...

Cross-Site Scripting

Overview Versions of public prior to 0.1.4 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation Upgrade to version 0.1.4 or...

Command Injection

Overview Versions of entitlements prior to 1.3.0 are vulnerable to Command Injection. The package does not validate input on the entitlements function and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system. Recommendation Upgrade to version 1.3.0 or later...

Malicious Package

Overview Version 1.0.3 of libubx contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and evaluat...

Arbitrary File Overwrite

Overview Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The...

Cross-Site Scripting

Overview Versions of verdaccio prior to 3.12.0 are vulnerable to Cross-Site Scripting. Links for the packages homepage are not properly restricted to http/https and can contain JavaScript which may lead to arbitrary code execution. Recommendation Upgrade to version 3.12.0 or later. References...

Arbitrary JavaScript Execution

Overview Versions of typed-function prior to 0.10.6 are vulnerable to Arbitrary JavaScript Execution. Function names are not properly sanitized and may allow an attacker to execute arbitrary code. Recommendation Upgrade to version 0.10.6 or later. References - GitHub Commit - Snyk Report - GitHub...

Symlink Arbitrary File Overwrite

Overview Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory. Recommendation Update to version 1.8.8 or later...

Reflected Cross-Site Scripting

Overview Versions of jquery.terminal prior to 1.21.0 are vulnerable to Reflected Cross-Site Scripting. If the application has either of the options anyLinks or invokeMethods set to true, the application may execute arbitrary JavaScript through crafted malicious payloads due to insufficient...

Stored Cross-Site Scripting

Overview All versions of tianma-static are vulnerable to stored cross-site scripting XSS. The vulnerability is exploitable if a user can control the name of a file that is served by tianma-static Recommendation As no fix is available for this vulnerability at this time it is our recommendation to...

Cross-Site Scripting

Overview Versions of exceljs before 1.6.0 are vulnerable to cross-site scripting. This vulnerability is due to exceljs does not validate data from parsed XLSX file and allows to embed HTML tags, like , directly in the sheet cells. Because of this it's possible to inject malicious JavaScript code...

Remote Code Execution

Overview react-dev-utils on Windows is vulnerable to remote code execution. Recommendation Update to one of the follow versions, depending on the release line that you are using. - 1.0.4 - 2.0.2 - 3.1.2 - 4.2.2 - 5.0.2 - 6.0.0-next.a671462c References -...

Memory Exposure

Overview Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number. Proof-of-concept: js require'request' method: 'GET', uri: 'http://www.example.com', tunnel: true, proxy: protocol: 'http:',...

Hijacked Environment Variables

Overview The mysqljs package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real securit...

Hijacked Environment Variables

Overview The nodesqlite package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

Downloads Resources over HTTP

Overview Affected versions of selenium-wrapper insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Cross-Site Scripting

Overview Affected versions of swagger-ui are vulnerable to cross-site scripting. This vulnerability exists because swagger-ui automatically executes external Javascript that is loaded in via the url query string parameter when a Content-Type: application/javascript header is included. An attacker...

Regular Expression Denial of Service

Overview Versions of millisecond prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. Proof of concept var ms = require'millisecond'; var genstr = function len, chr var result = ""; for i=0; i=len; i++ result = result ...

Cross-Site Scripting

Overview @progress/kendo-angular-editor before version 1.2.3 is vulnerable to Cross-Site Scripting. When the Editor content contains potentially malicious scripts in element event handlers, they get executed. Adding the following content to the Editor value demonstrates the issue: . Recommendatio...

Cross-Site Scripting

Overview Versions of @toast-ui/editor prior to 2.2.0 are vulnerable to Cross-Site Scripting XSS. There are multiple bypasses to the package's built-in XSS sanitization. This may allow attackers to execute arbitrary JavaScript on a victim's browser. Recommendation Upgrade to version 2.2.0 or later...

Prototype Pollution

Overview Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument...

Cross-Site Scripting

Overview All versions of atlasboard-atlassian-package prior to 0.4.2 are vulnerable to Cross-Site Scripting XSS. The package fails to properly sanitize user input that is rendered as HTML, which may allow attackers to execute arbitrary JavaScript in a victim's browser. This requires attackers bei...

Sandbox Breakout / Arbitrary Code Execution

Overview All versions of safer-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context and is not suited to process arbitrary user input. This may allow attackers to execute arbitrary code in the system. Recommendation The...