
1635 matches found

Node.js | added 2019/07/15 5:33 p.m. | 21 views
Prototype Pollution
Overview: Versions of lodash.merge before 4.6.2 are vulnerable to prototype pollution. The function merge may allow a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing property that will exist on all objects...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/15 5:22 p.m. | 130 views
Prototype Pollution
Overview: Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing property that will exist on all objects...
CVSS 6.4 | AI score 4.2 | EPSS 0.18518 | Exploits 2 | Affected software 1

Node.js | added 2019/07/12 10:15 p.m. | 15 views
Malicious Package
Overview: All versions of tiar contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:14 p.m. | 10 views
Malicious Package
Overview: All versions of secureidentityloginmodule contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and ke...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:14 p.m. | 10 views
Malicious Package
Overview: All versions of river-mock contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on th...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:13 p.m. | 11 views
Malicious Package
Overview: All versions of retcodelog contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on th...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:13 p.m. | 12 views
Malicious Package
Overview: All versions of qingting contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:13 p.m. | 10 views
Malicious Package
Overview: All versions of node-buc contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:12 p.m. | 13 views
Malicious Package
Overview: All versions of midway-xtpl contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:12 p.m. | 9 views
Malicious Package
Overview: All versions of midway-dataproxy contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:11 p.m. | 17 views
Malicious Package
Overview: All versions of luna-mock contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on tha...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:11 p.m. | 12 views
Malicious Package
Overview: All versions of hsf-clients contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:11 p.m. | 11 views
Malicious Package
Overview: All versions of hpmm contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:10 p.m. | 9 views
Malicious Package
Overview: All versions of diamond-clien contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:09 p.m. | 11 views
Malicious Package
Overview: All versions of cicada-render contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:08 p.m. | 12 views
Malicious Package
Overview: All versions of appx-compiler contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:08 p.m. | 10 views
Malicious Package
Overview: All versions of antd-cloud contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on th...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:06 p.m. | 8 views
Malicious Package
Overview: All versions of alipayjsapi contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:05 p.m. | 10 views
Malicious Package
Overview: All versions of alico contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:04 p.m. | 13 views
Malicious Package
Overview: All versions of ali-contributors contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/12 10:03 p.m. | 13 views
Malicious Package
Overview: All versions of ali-contributor contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored ...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/10 8:39 p.m. | 10 views
Malicious Package
Overview: All versions of only-test-not-install contain malicious code. The package deletes the folder /test from the system as a postinstall script. Recommendation: Remove the package from your environment. There are no further signs of compromise. References: GitHub Advisory...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/10 8:31 p.m. | 13 views
Malicious Package
Overview: All versions of my-very-own-package contain malicious code. The package sends the output of process.versions, process.arch and process.platform to a remote server in a postinstall script. Recommendation: Remove the package from your environment. There are no further signs of compromise...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/10 8:18 p.m. | 14 views
Malicious Package
Overview: All versions of maybemaliciouspackage contain malicious code. The package prints the system's SSH keys to the console as a postinstall script. Recommendation: Remove the package from your environment. There are no further signs of compromise. References: GitHub Advisory...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/10 3:06 p.m. | 8 views
Malicious Package
Overview: Versions 0.1.2 and 0.1.3 of leetlog contain malicious code. The package adds an arbitrary hardcoded SSH key identified as hacker@evilmachine to the system's authorized_keys. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All...
AI score 7 | Exploits 0 | Affected software 1

Node.js | added 2019/07/10 2:27 p.m. | 11 views
Malicious Package
Overview: All versions of malicious-do-not-install contain malicious code. The package copies the contents of /etc/passwd and /etc/shadow to files in the local /tmp/ folder. Recommendation: Remove the package from your environment and rotate affected credentials. References: GitHub Advisory...
AI score 6.6 | Exploits 0 | Affected software 1

Node.js | added 2019/07/05 7:03 p.m. | 15 views
Reverse Tabnabbing
Overview: Versions of quill prior to 1.3.7 are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks. Recommendation: No fix is currently...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/07/05 7:00 p.m. | 12 views
Cross-Site Scripting
Overview: All versions of takeapeek are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation: No fix is currently available...
AI score 6.7 | Exploits 0 | Affected software 1

Node.js | added 2019/07/03 6:02 p.m. | 11 views
Path Traversal
Overview: Versions of restify-swagger-jsdoc prior to 3.2.1 are vulnerable to Path Traversal. The package fails to properly sanitize URLs, which may allow attackers to access server files outside the swagger-ui folder by using relative paths. Recommendation: Upgrade to version 3.2.1 or later...
AI score 6.9 | Exploits 0 | Affected software 1

Node.js | added 2019/07/03 2:41 p.m. | 12 views
Cross-Site Scripting
Overview: Versions of jquery.json-viewer prior to 1.3.0 are vulnerable to Cross-Site Scripting (XSS). The package insufficiently sanitizes user input when creating links, and concatenates the user input in an anchor tag. This allows attackers to create malicious links with JSON payloads such as: "foo":...
AI score 6.4 | Exploits 0 | Affected software 1

Node.js | added 2019/07/02 10:27 p.m. | 16 views
Undefined Behavior
Overview: Versions of zencashjs prior to 1.2.0 may cause loss of funds when used with cryptocurrency wallets. The package relies on a string comparison of the first two characters of a Horizen address to determine the destination address type of a transaction (P2PKH or P2SH). Due to the base58 addre...
AI score 6.6 | Exploits 0 | Affected software 1

Node.js | added 2019/07/02 9:11 p.m. | 14 views
Cross-Site Scripting
Overview: All versions of bleach are vulnerable to Cross-Site Scripting. It is possible to bypass the package's HTML sanitization with payloads such as "scriptalert'xss';script" regardless of the passed options. This may allow attackers to execute arbitrary JavaScript in the victim's browser...
AI score 7.2 | Exploits 0 | Affected software 1

Node.js | added 2019/07/02 8:41 p.m. | 20 views
Sandbox Breakout / Arbitrary Code Execution
Overview: All versions of safe-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload chaining a function's callee and caller constructors can escape the sandbox and execute arbitrary code. For example, the payload = const targetKey = Object.keysthis0;...
AI score 7.9 | Exploits 0 | Affected software 1

Node.js | added 2019/06/28 8:09 p.m. | 28 views
Prototype Pollution
Overview: Versions of deeply prior to 1.0.1 are vulnerable to Prototype Pollution. The package fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. Recommendation...
CVSS 7.5 | AI score 4.5 | EPSS 0.00433 | Exploits 1 | Affected software 1

Node.js | added 2019/06/28 7:41 p.m. | 11 views
Open Redirect
Overview: Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation: Update to version 2.92.0 or later. References: - Snyk Report - GitHub Commit -...
AI score 6.9 | Exploits 0 | Affected software 1

Node.js | added 2019/06/28 7:22 p.m. | 12 views
Cross-Site Scripting
Overview: All versions of graylog-web-interface are vulnerable to Cross-Site Scripting (XSS). The package fails to escape output on the TypeAhead and QueryInput components, which may allow attackers to execute arbitrary JavaScript on the victim's browser. Recommendation: No fix is currently available...
AI score 6.7 | Exploits 0 | Affected software 1

Node.js | added 2019/06/28 2:17 p.m. | 24 views
Path Traversal
Overview: Affected versions of total.js are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files outside the /public folder by using relative paths. The files served are limited to these file types: flac, jpg, jpeg, png, gif, ico, js, css,...
CVSS 5 | AI score 0.7 | EPSS 0.53251 | Exploits 2 | Affected software 1

Node.js | added 2019/06/26 8:37 p.m. | 12 views
Path Traversal
Overview: Versions of zero prior to 1.0.6 are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files by using relative paths when fetching files. Recommendation: Upgrade to version 1.0.6 or later. References: GitHub Advisory...
AI score 6.8 | Exploits 0 | Affected software 1

Node.js | added 2019/06/26 2:54 p.m. | 23 views
Cross-Site Scripting
Overview: All versions of eco are vulnerable to Cross-Site Scripting (XSS). The package's default escape implementation fails to escape single quotes, which may allow attackers to execute arbitrary JavaScript on the victim's browser. Recommendation: No fix is currently available. Consider using an...
AI score 6.7 | Exploits 0 | Affected software 1

Node.js | added 2019/06/26 2:13 p.m. | 15 views
Cross-Site Scripting
Overview: Versions of @ionic/core prior to 4.0.3, 4.1.3, 4.2.1 or 4.3.1 are vulnerable to Cross-Site Scripting (XSS). The package uses the unsafe innerHTML function without sanitizing input, which may allow attackers to execute arbitrary JavaScript on the victim's browser. This issue affects the...
AI score 6.7 | Exploits 0 | Affected software 1

Node.js | added 2019/06/25 10:32 p.m. | 11 views
Malicious Package
Overview: Versions of rpc-websocket = 0.7.6 contained malicious code. The package opens a backdoor to a remote server and executes arbitrary commands, effectively acting as a backdoor. Recommendation: Any computer that has these versions of the package installed or running should be considered full...
AI score 7.1 | Exploits 0 | Affected software 1

Node.js | added 2019/06/25 7:33 p.m. | 9 views
Sandbox Breakout / Arbitrary Code Execution
Overview: Versions of safer-eval prior to 1.3.4 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. For example, evaluating the string console.constructor.constructor'return process'.env prints...
AI score 7.9 | Exploits 0 | Affected software 1

Node.js | added 2019/06/25 5:56 p.m. | 12 views
Command Injection
Overview: Versions of local-devices prior to 3.0.0 are vulnerable to Command Injection. The package does not validate input on IP addresses and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system. Recommendation: Upgrade to version 3.0.0 or later. References: ...
AI score 7.2 | Exploits 0 | Affected software 1

Node.js | added 2019/06/24 3:23 p.m. | 18 views
Path Traversal
Overview: Versions of serve-here.js prior to 1.2.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation: Upgrade to version 1.2.0 or later. References: - HackerOne Report...
CVSS 5 | AI score 4 | EPSS 0.00232 | Exploits 1 | Affected software 1

Node.js | added 2019/06/24 3:07 p.m. | 21 views
SQL Injection
Overview: Affected versions of sequelize are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation: If you are using sequelize 5.x, upgrade to...
CVSS 7.5 | AI score 5.3 | EPSS 0.00427 | Exploits 1 | Affected software 1

Node.js | added 2019/06/24 2:59 p.m. | 18 views
SQL Injection
Overview: Versions of sequelize prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the Postgres dialect, which may allow attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation: Upgrade to version 3.35.1 or later. References...
CVSS 7.5 | AI score 6.1 | EPSS 0.00357 | Exploits 1 | Affected software 1

Node.js | added 2019/06/20 8:26 p.m. | 12 views
Cross-Site Scripting
Overview: Versions of @berslucas/liljs prior to 1.0.2 are vulnerable to Cross-Site Scripting (XSS). The package uses the unsafe innerHTML function without sanitizing input, which may allow attackers to execute arbitrary JavaScript on the victim's browser. Recommendation: Upgrade to version 1.0.2 or...
AI score 6.7 | Exploits 0 | Affected software 1

Node.js | added 2019/06/20 8:20 p.m. | 17 views
Arbitrary Code Execution
Overview: Versions of require-node prior to 1.3.4 for 1.x and 2.0.4 for 2.x are vulnerable to Arbitrary Code Execution. The package fails to sanitize requests to the require-node endpoint, allowing attackers to execute arbitrary code in the server through the injection of OS commands in the reques...
AI score 8.4 | Exploits 0 | Affected software 1

Node.js | added 2019/06/20 3:01 p.m. | 23 views
Prototype Pollution
Overview: Versions of assign-deep prior to 1.0.1 are vulnerable to Prototype Pollution. The assign function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects...
CVSS 5 | AI score 4.5 | EPSS 0.00235 | Exploits 1 | Affected software 1

Node.js | added 2019/06/20 2:51 p.m. | 30 views
Prototype Pollution
Overview: Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all...
CVSS 7.5 | AI score 3.5 | EPSS 0.00734 | Exploits 1 | Affected software 1

Total number of security vulnerabilities: 1635