
1635 matches found

Node.js
added 2021/03/19 9:6 p.m., 46 views

Prototype Pollution

Overview Prototype pollution vulnerability in set-in versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution. Recommendation Upgrade to version 2.0.1 or later. References - GitHub Advisory - CVE...

CVSS 7.5, AI score 9.4, EPSS 0.03864
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/19 8:19 p.m., 51 views

Regular Expression Denial of Service

Overview There is a regular expression denial-of-service in schema-inspector. Impact Email address validation is vulnerable to a denial-of-service attack where some input for example a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. will freeze the program...

CVSS 5, AI score 7.4, EPSS 0.00866
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/18 11:52 p.m., 48 views

Command Injection

Overview Impact Anyone using shescape to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a null character into the payload. For example on Windows: const cp = require("child_process"); const shescape = require("shescape"); con...

CVSS 4.6, AI score 7.5, EPSS 0.00165
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/12 11:16 p.m., 40 views

Prototype Pollution

Overview y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution. POC const y18n = require('y18n'); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true Recommendation Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later References - CVE - Snyk...

CVSS 7.5, AI score 4.2, EPSS 0.00469
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/12 11:8 p.m., 48 views

Exposure of internal HTTP resources

Overview In highcharts-export-server before version 2.1.0 there is a vulnerability that allows exposure of internal HTTP resources. Impact The vulnerability allows for reading and outputting files served by other services on the internal network in which the export server is hosted. If the export...

AI score 6.9
Exploits: 0, Affected Software: 1

Node.js
added 2021/03/12 11:3 p.m., 64 views

Improper Neutralization of Special Elements used in a Command

Overview In madge before version 4.0.1 it is possible to specify a custom Graphviz path via the graphVizPath option parameter which, when the .image, .svg or .dot functions are called, is executed by the child_process.exec function. Recommendation Upgrade to version 4.0.1 or later References - GitH...

CVSS 7.5, AI score 9.4, EPSS 0.00625
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/12 10:58 p.m., 81 views

Prototype Poisoning

Overview Impact When msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__. As you are no doubt aware, Object.prototype.__proto__ is an accessor property for the receiver's prototype. If the value corresponding to the key __proto__ decodes to an object or null, msgpack5...

CVSS 6.5, AI score 8.9, EPSS 0.0133
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/12 10:42 p.m., 166 views

Misinterpretation of malicious XML input

Overview Impact xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. Workarounds...

CVSS 4.3, AI score 5.3, EPSS 0.01344
Exploits: 0, Affected Software: 1

Node.js
added 2021/03/09 5:35 p.m., 24 views

Prototype Pollution

Overview In mquery before version 3.2.3 there is a prototype pollution vulnerability because a special property (e.g., __proto__) can be copied during a merge or clone operation. Recommendation Upgrade to version 3.2.3 or later References - CVE - GitHub Advisory...

CVSS 5, AI score 5.5, EPSS 0.00259
Exploits: 0, Affected Software: 1

Node.js
added 2021/03/08 4:8 p.m., 54 views

Use of a Broken or Risky Cryptographic Algorithm

Overview elliptic before version 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the...

CVSS 4.3, AI score 6.6, EPSS 0.03935
Exploits: 0, Affected Software: 1

Node.js
added 2021/03/08 3:57 p.m., 36 views

Improper Authentication

Overview In affected versions of botframework-connector, a maliciously crafted claim may be incorrectly authenticated by the bot. Impacts bots that are not configured to be used as a Skill. This vulnerability requires an attacker to have internal knowledge of the bot. Recommendation Upgrade to fi...

CVSS 2.1, AI score 5.4, EPSS 0.0052
Exploits: 0, Affected Software: 1

Node.js
added 2021/03/03 2:27 a.m., 54 views

Sandbox Breakout

Overview In matrix-react-sdk before version 3.15.0 the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a blob origin that cannot access Matrix user data, so messages and secrets are not at risk. Recommendation Upgrade to version 3.15...

CVSS 4.3, AI score 4.5, EPSS 0.00179
Exploits: 0, Affected Software: 1

Node.js
added 2021/03/03 2:22 a.m., 31 views

Prefix escape

Overview In fastify-http-proxy before version 4.3.1, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is /pub/, a user expects that accessing /priv on the target service would not be possible. Unfortunately, it is...

CVSS 7.5, AI score 9.4, EPSS 0.00187
Exploits: 0, Affected Software: 1

Node.js
added 2021/03/03 2:16 a.m., 57 views

Remote Code Execution

Overview Impact In affected versions of pug and pug-code-gen, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remot...

CVSS 6.8, AI score 9.2, EPSS 0.01762
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/03 2:9 a.m., 40 views

Remote Code Execution

Overview Impact In affected versions of pug and pug-code-gen, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remot...

CVSS 6.8, AI score 9.2, EPSS 0.01762
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/03 1:55 a.m., 32 views

Prefix escape

Overview In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is /pub/, a user expects that accessing /priv on the target service would not be possible. Unfortunately, it is...

CVSS 7.5, AI score 9.3, EPSS 0.0042
Exploits: 0, Affected Software: 1

Node.js
added 2021/03/01 8:54 p.m., 55 views

Regular Expression Denial of Service

Overview Impact @progfay/scrapbox-parser before 6.0.3 and 7.0.2 are vulnerable to Regular Expression Denial of Service (ReDoS) in DecorationNode, StrongNode and ExternalLinkNode. An attacker may be able to craft text which causes the application to consume an excessive amount of CPU. Recommendation...

CVSS 5, AI score 7.4, EPSS 0.00563
Exploits: 0, Affected Software: 1

Node.js
added 2021/03/01 8:43 p.m., 39 views

Hostname spoofing via backslashes in URL

Overview Impact urijs before version 1.19.6 is affected by a hostname spoofing issue. If using urijs to determine a URL's hostname, the hostname can be spoofed by using a backslash \ character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, th...

CVSS 5, AI score 7.5, EPSS 0.00552
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/01 8:2 p.m., 34 views

Regular Expression Denial of Service

Overview three before version 0.125.0 is vulnerable to Regular Expression Denial of Service ReDoS. This can happen when handling rgb or hsl colors. POC var three = require'three' function buildblank n var ret = "rgb" for var i = 0; i n; i++ ret += " " return ret + ""; var Color = three.Color var...

CVSS 5, AI score 7.3, EPSS 0.01422
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/01 7:55 p.m., 39 views

Regular Expression Denial of Service

Overview prismjs versions before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components. Recommendation Upgrade to version 1.23.0 or later References - Snyk Advisory - GitHub Advisory - CVE...

CVSS 5, AI score 5.6, EPSS 0.01762
Exploits: 1, Affected Software: 1

Node.js
added 2021/03/01 7:50 p.m., 49 views

Cross-Site Scripting (XSS)

Overview In docsify before version 4.12.0 it is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods: - When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in...

CVSS 4.3, AI score 1.8, EPSS 0.03162
Exploits: 6, Affected Software: 1

Node.js
added 2021/03/01 7:42 p.m., 43 views

Server-Side Request Forgery

Overview rendertron prior to version 3.0.0 is susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Recommendation Upgrade t...

CVSS 4, AI score 4.5, EPSS 0.00057
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/26 4:26 p.m., 41 views

Prototype Pollution

Overview Impact Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. Workarounds A workaround is to...

CVSS 4, AI score 3.3, EPSS 0.0023
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/25 5:7 p.m., 49 views

Prototype Override

Overview Affected versions of querystringify are vulnerable to Prototype Override. If a malicious string is inserted in the query string, it will set the tostring method of the object to the true boolean. Recommendation Upgrade to version 2.0.0 or later References - WhiteSource Advisory - Snyk...

AI score 6.8
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/25 4:39 p.m., 50 views

Regular Expression Denial of Service

Overview Affected versions of nwmatcher are vulnerable to Regular Expression Denial of Service (ReDoS). This can cause an impact of about 10 seconds matching time for data 2k characters long. Recommendation Upgrade to version 1.4.4 or later References - WhiteSource Advisory - Snyk Advisory - GitHub...

AI score 6.9
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/25 1:37 a.m., 58 views

Regular Expression Denial of Service

Overview A Regular Expression Denial of Service vulnerability was discovered in esm. The issue is that esm's find-indexes is using the unescaped identifiers in a regex, which, in this case, causes an infinite loop. Recommendation Upgrade to version 3.1.0 or later References - WhiteSource Advisory...

AI score 6.7
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/24 7:23 p.m., 30 views

Regular Expression Denial of Service

Overview Affected versions of diff are vulnerable to Regular Expression Denial of Service (ReDoS). This can cause an impact of about 10 seconds matching time for data 48K characters long. Recommendation Upgrade to 3.5.0 or later. References - WhiteSource Advisory - Snyk Advisory - GitHub Advisory...

AI score 6.9
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/24 6:29 p.m., 72 views

Cross-Site Scripting (XSS)

Overview Affected versions of angular are vulnerable to JSONP Callback Attack. JSONP (JSON with padding) is a method used to request data from a server residing in a different domain than the client. Any URL could perform JSONP requests, allowing full access to the browser and the JavaScript contex...

AI score 6.7
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/24 3:24 a.m., 77 views

Command Injection

Overview The systeminformation package is an open source collection of functions to retrieve detailed hardware, system and OS information. In affected versions of systeminformation there is a command injection vulnerability. As a workaround instead of upgrading, be sure to check or sanitize servi...

CVSS 4.6, AI score 7.5, EPSS 0.9396
Exploits: 4, Affected Software: 1

Node.js
added 2021/02/24 3:18 a.m., 60 views

Token Verification Bug

Overview Impact next-auth implementations using the Prisma database adapter with the Email provider are impacted. Implementations using the Prisma database adapter that are not using the Email provider are not impacted. Implementations using the default database adapter (TypeORM) with the Email...

CVSS 4.3, AI score 5.7, EPSS 0.00371
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/24 3:9 a.m., 61 views

Command Injection

Overview Affected versions of the samba-client package allow command injection because of the use of process.exec. Recommendation Upgrade to version 4.0.0 or later References - CVE - GitHub Advisory...

CVSS 7.5, AI score 5.6, EPSS 0.19337
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/24 3:3 a.m., 60 views

Cross-Site Scripting (XSS)

Overview apexcharts is a modern JavaScript charting library to build interactive charts and visualizations with a simple API. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via lack of sanitization of graph legend fields. Recommendation Upgrade to version 3.24.0 or...

CVSS 4.3, AI score 6.2, EPSS 0.0031
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/24 2:58 a.m., 48 views

Directory Traversal

Overview Impact Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, CWD and UPDR. Background When windows separators exist within the path , path.resolve leaves the upper pointers intact an...

CVSS 5.5, AI score 0.6, EPSS 0.01004
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/24 2:39 a.m., 91 views

Regular Expression Denial of Service

Overview In affected versions of marked, a Denial of Service attack can affect anyone who processes user generated code. Recommendation Upgrade to version 2.0.0 or later References - GitHub Advisory - CVE...

CVSS 5, AI score 6.1, EPSS 0.00603
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/23 2:32 a.m., 79 views

Open Redirect

Overview Slashify is an Express middleware that normalises routes by stripping any final slash, redirecting, for example, bookings/latest/ to bookings/latest. However, it does not validate the path it redirects to in any way. In particular, if the path starts with two slashes or two backslashes, ...

CVSS 5.8, AI score 6.5, EPSS 0.00122
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/23 2:24 a.m., 206 views

Command Injection

Overview There is a command injection vulnerability in affected versions of total.js. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is calle...

CVSS 7.5, AI score 8.7, EPSS 0.01199
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/23 2:17 a.m., 62 views

Prototype Pollution

Overview A prototype pollution vulnerability in affected versions of 'dotty' allows attackers to cause a denial of service and may lead to remote code execution. Recommendation Update to version 0.1.1 or later References - GitHub Advisory - CVE...

CVSS 7.5, AI score 9.4, EPSS 0.02947
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/23 2:11 a.m., 60 views

Denial of Service

Overview Impact Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTPS request to maliciously crafted long strings. Patches Please update uap-core t...

CVSS 5, AI score 3.1, EPSS 0.01481
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/23 2:2 a.m., 66 views

Remote Code Execution

Overview Affected versions of angular-expressions are affected by a remote code execution vulnerability. Impact If you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input you are potentially impacted. The security of the package could be bypass...

CVSS 6.5, AI score 3.5, EPSS 0.00319
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/23 1:44 a.m., 65 views

Regular Expression Denial of Service

Overview In affected versions of @ckeditor/ckeditor5-markdown-gfm a regular expression denial of service (ReDoS) vulnerability has been discovered. Impact The vulnerability allowed abuse of a link recognition regular expression, which could cause a significant performance drop resulting in a browse...

CVSS 4, AI score 6.3, EPSS 0.00369
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/23 1:32 a.m., 77 views

Arbitrary JavaScript Execution

Overview In affected versions of less-openui5 processing untrusted theming resources might execute arbitrary code. Impact When processing theming resources (i.e. .less files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be...

CVSS 6.8, AI score 0.7, EPSS 0.00301
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/22 9:59 p.m., 55 views

IPC messages delivered to the wrong frame

Overview IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app does ANY of the following, then it is impacted by this issue: - Uses...

CVSS 6.4, AI score 2.9, EPSS 0.00965
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/22 6:30 p.m., 53 views

OS Command Injection

Overview Affected versions of the async-git package allow OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. Recommendation Upgrade to version 1.13.2 or later. References - CVE - GitHub Advisory...

CVSS 7.5, AI score 6.1, EPSS 0.20943
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/22 5:47 p.m., 46 views

Path Traversal

Overview In Node-RED-Dashboard before 2.26.2 there is a path traversal vulnerability. In /nodes/uibase.js, the URL is matched with '/uibase/js/' and then passed to path.join. The lack of verification of the final path leads to a path traversal vulnerability. Recommendation Upgrade to fix version...

CVSS 5, AI score 7.5, EPSS 0.91547
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/22 5:42 p.m., 56 views

Command Injection

Overview Affected versions of @graphql-tools/git-loader package are vulnerable to Command Injection. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection. Recommendation Upgrade to fix version 6.2.6 or later References - Snyk Advisory - CVE -...

CVSS 7.5, AI score 6.3, EPSS 0.01502
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/22 5:29 p.m., 66 views

Cross-Site Request Forgery (CSRF)

Overview Affected versions of the fastify-csrf package are vulnerable to Cross-site Request Forgery (CSRF). The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true }. Also, the CSRF token was available in the GET query parameter...

CVSS 6.8, AI score 2.3, EPSS 0.00307
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/22 5:14 p.m., 43 views

Prototype Pollution

Overview In Dynamoose versions 2.0.0-2.6.0 there was a prototype pollution vulnerability in the internal utility method lib/utils/object/set.ts. This method is used throughout the codebase for various operations throughout Dynamoose. We have not seen any evidence of this vulnerability being...

CVSS 7.5, AI score 4.1, EPSS 0.00637
Exploits: 0, Affected Software: 1

Node.js
added 2021/02/19 10:40 p.m., 76 views

Insecure Default Configuration

Overview Affected versions of socket.io are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default. Recommendation Update to version 2.4.0 or later. References - GitHub Advisory - Snyk Advisory...

CVSS 4, AI score 4.6, EPSS 0.00183
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/19 10:36 p.m., 74 views

Prototype Pollution

Overview There is a prototype pollution vulnerability in gsap which affects all versions before 3.6.0. Recommendation Upgrade to 3.6.0 or later References - GitHub Advisory - Snyk Advisory...

CVSS 5, AI score 4.8, EPSS 0.00627
Exploits: 1, Affected Software: 1

Node.js
added 2021/02/19 7:44 p.m., 77 views

Prototype Pollution

Overview Affected versions of jointjs are vulnerable to Prototype Pollution via util.setByPath. The path used to access the object's key and set the value is not properly sanitized, leading to a Prototype Pollution. Recommendation Update to fixed version 3.3.0 or later References - GitHub Adviso...

CVSS 7.5, AI score 5.6, EPSS 0.00557
Exploits: 0, Affected Software: 1

Total number of security vulnerabilities: 1635