1635 matches found

Node.js
added 2021/02/19 7:06 p.m. • 37 views

Cross-Site Scripting (XSS)

Overview: In affected versions of hellojs (hello.js) there is a cross-site scripting bug. The code gets the param oauthredirect from the URL and passes it to location.assign without any check or sanitisation. It is possible to simply pass some XSS payloads into the URL param oauthredirect, such as...

CVSS 7.5 • AI score 2 • EPSS 0.00517
Exploits: 0 • Affected Software: 1
Node.js
added 2021/02/19 6:50 p.m. • 65 views

Regular Expression Denial of Service

Overview: The GitHub Security Lab team has identified potential security vulnerabilities in jquery-validation. The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). Recommendation: Upgrade to fixed version 1.19.3 or later. References: -...

CVSS 5 • AI score 4.1 • EPSS 0.00667
Exploits: 0 • Affected Software: 1
Node.js
added 2021/02/19 6:37 p.m. • 59 views

Command Injection

Overview: All versions of package ts-process-promises are affected by a command injection vulnerability. The injection point is located in line 45 in the main entry of the package, lib/process-promises.js. Recommendation: Since there is currently no fix version, discontinue use of the ts-process-promises...

CVSS 7.5 • AI score 4 • EPSS 0.00513
Exploits: 1 • Affected Software: 1
Node.js
added 2021/02/19 6:18 p.m. • 83 views

Prototype Pollution

Overview: Affected versions of immer are vulnerable to Prototype Pollution. Proof of exploit: const { applyPatches, enablePatches } = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [{ op: 'add', path: ["__proto__", "polluted"], value: "yes" }]); //...

CVSS 5 • AI score 4.1 • EPSS 0.00287
Exploits: 1 • Affected Software: 1
Node.js
added 2021/02/19 5:33 p.m. • 60 views

Command Injection in buns

Overview: There is a command injection vulnerability in all versions of package buns. The injection point is located in line 678 in the index file lib/index.js, in the exported function installrequestedModule. Recommendation: As there is no fixed version for buns and the package is marked deprecated, th...

CVSS 7.5 • AI score 5.1 • EPSS 0.00473
Exploits: 0 • Affected Software: 1
Node.js
added 2021/02/19 5:22 p.m. • 56 views

Cross-site scripting in TinyMCE

Overview: A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser of tinymce. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all...

AI score 5.9
Exploits: 0 • Affected Software: 1
Node.js
added 2021/02/03 3:34 p.m. • 35 views

Malicious Package

Overview: All versions of jquerry contain malicious code. The index.js file appears to download and execute a crypto mining script. The file is not run upon installation - the package needs to be required or the index.js run manually. Recommendation: Any computer that has this package installed or...

AI score 7
Exploits: 0 • Affected Software: 1
Node.js
added 2021/02/03 3:22 p.m. • 50 views

Malicious Package

Overview: All versions of http-proxy-middelware contain malicious code. The index.js file attempts to download a file from a remote server and execute it. The file is not run upon installation - the package needs to be required or the index.js run manually. The package contains a typo in its code...

AI score 7.2
Exploits: 0 • Affected Software: 1
Node.js
added 2021/01/25 1:43 p.m. • 57 views

Malicious Package

Overview: From https://blog.sonatype.com/sonatype-spots-more-discord-malware-in-npm?hspreview=BbDPGbfh-40737456755: The malicious packages were detected by Sonatype's Security Research Team leveraging Sonatype's Nexus Intelligence research service. On analyzing these packages closely, our Security...

AI score 6.9
Exploits: 0 • Affected Software: 1
Node.js
added 2021/01/25 1:42 p.m. • 50 views

Malicious Package

Overview: From https://blog.sonatype.com/sonatype-spots-more-discord-malware-in-npm?hspreview=BbDPGbfh-40737456755: The malicious packages were detected by Sonatype's Security Research Team leveraging Sonatype's Nexus Intelligence research service. On analyzing these packages closely, our Security...

AI score 6.9
Exploits: 0 • Affected Software: 1
Node.js
added 2021/01/25 1:39 p.m. • 44 views

Malicious Package

Overview: From https://blog.sonatype.com/sonatype-spots-more-discord-malware-in-npm?hspreview=BbDPGbfh-40737456755: The malicious packages were detected by Sonatype's Security Research Team leveraging Sonatype's Nexus Intelligence research service. On analyzing these packages closely, our Security...

AI score 6.9
Exploits: 0 • Affected Software: 1
Node.js
added 2021/01/06 7:45 p.m. • 45 views

Hostname spoofing via backslashes in URL

Overview: URI.js is a JavaScript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library...

CVSS 4 • AI score 1.3 • EPSS 0.00581
Exploits: 0 • Affected Software: 1
Node.js
added 2021/01/04 9:04 p.m. • 125 views

Server-Side Request Forgery

Overview: The axios NPM package before 0.21.1 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. Recommendation: Upgrade to 0.21.1 or later. References: - GitHub...

CVSS 4.3 • AI score 1.5 • EPSS 0.00438
Exploits: 1 • Affected Software: 1
Node.js
added 2020/12/30 7:29 p.m. • 56 views

Password stored in plain text

Overview: parse-server is an open source backend that can be deployed to any infrastructure that can run Node.js. In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping the password after authentication ...

CVSS 4 • AI score 3.6 • EPSS 0.00163
Exploits: 0 • Affected Software: 1
Node.js
added 2020/12/30 7:13 p.m. • 39 views

Regular Expression Denial of Service

Overview: date-and-time is a package for manipulating date and time. In date-and-time before version 0.14.2, there is a regular expression involved in parsing which can be exploited to cause a denial of service. Recommendation: Upgrade to version 0.14.2 or later. References: - GitHub Advisor...

CVSS 5 • AI score 4.8 • EPSS 0.00526
Exploits: 0 • Affected Software: 1
Node.js
added 2020/12/18 10:54 p.m. • 72 views

Cross-Site Scripting

Overview: Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. Recommendation: Upgrade to version 2.0.17 or...

CVSS 4.3 • AI score 1.9 • EPSS 0.00417
Exploits: 1 • Affected Software: 1
Node.js
added 2020/12/16 7:42 p.m. • 42 views

Command Injection

Overview: There is a command injection vulnerability in systeminformation which allows for injection of commands to the command line of your machine. Affected commands: inetLatency. The problem was fixed by sanitizing the shell string. Recommendation: Upgrade to version 4.31.1 or later. References: ...

CVSS 7.5 • AI score 4.5 • EPSS 0.01389
Exploits: 0 • Affected Software: 1
Node.js
added 2020/12/09 10:25 p.m. • 20 views

Prototype Pollution

Overview: ini before version 1.3.6 has a Prototype Pollution vulnerability. Impact: If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. Patches: This h...

AI score 6.7
Exploits: 0 • Affected Software: 1
Node.js
added 2020/12/08 9:52 p.m. • 41 views

Regular Expression Denial of Service

Overview: fast-csv and @fast-csv/parse before version 4.3.6 have a possible ReDoS (Regular Expression Denial of Service) vulnerability when using the ignoreEmpty option when parsing. Impact: You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is...

CVSS 3.5 • AI score 3.1 • EPSS 0.01073
Exploits: 1 • Affected Software: 1
Node.js
added 2020/12/08 9:50 p.m. • 40 views

Regular Expression Denial of Service

Overview: fast-csv and @fast-csv/parse before version 4.3.6 have a possible ReDoS (Regular Expression Denial of Service) vulnerability when using the ignoreEmpty option when parsing. Impact: You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is...

CVSS 3.5 • AI score 3.1 • EPSS 0.01073
Exploits: 1 • Affected Software: 1
Node.js
added 2020/12/04 5:44 p.m. • 38 views

Cross-Site Scripting bypass

Overview: All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside of object tags is not properly sanitized and allows javascript URIs leading to code execution. Recommendation: No fix is currently available. Consider using an alternative package until a fix is...

AI score 6.6
Exploits: 0 • Affected Software: 1
Node.js
added 2020/11/30 6:22 p.m. • 44 views

Malicious Package

Overview: The package db-json.js contained malicious code. The package had jdb.js as a dependency and would execute the same malware as described in https://www.npmjs.com/advisories/1584. Recommendation: Any computer that has this package installed or running should be considered fully compromised...

AI score 7
Exploits: 0 • Affected Software: 1
Node.js
added 2020/11/30 6:20 p.m. • 29 views

Malicious Package

Overview: The package jdb.js contained malicious code. The package ran a postinstall script and contained a dropper for the njRAT/Bladabindi Remote Access Trojan. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys...

AI score 7
Exploits: 0 • Affected Software: 1
Node.js
added 2020/11/25 7:13 p.m. • 58 views

Improper Key Verification

Overview: An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation. Recommendation: Version 2.0.0 has the fix. The recommendation is to upgrade. In case that is not possible, remove the...

AI score 6.8
Exploits: 0 • Affected Software: 1
Node.js
added 2020/11/18 9:21 p.m. • 36 views

Secret disclosure

Overview: Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL. Recommendation: Upgrade to version 17.2.3 or later. References: - https://github.com/advisories/GHSA-r2j6-p67h-q639...

CVSS 5.8 • AI score 1.5 • EPSS 0.00171
Exploits: 0 • Affected Software: 1
Node.js
added 2020/11/13 9:33 p.m. • 48 views

Malicious Package

Overview: The package xpc.js contained malicious code. The package ran a postinstall script that executes two .exe files containing Trojan malware. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that...

AI score 6.8
Exploits: 0 • Affected Software: 1
Node.js
added 2020/11/10 9:24 p.m. • 41 views

Malicious Package

Overview: The package discord.app contained malicious code. The package ran a postinstall script that executed an .exe file containing Trojan malware. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that...

AI score 6.8
Exploits: 0 • Affected Software: 1
Node.js
added 2020/11/10 9:23 p.m. • 40 views

Malicious Package

Overview: The package wsbd.js contained malicious code. The package ran a postinstall script that executed an .exe file containing Trojan malware. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that...

AI score 6.8
Exploits: 0 • Affected Software: 1
Node.js
added 2020/11/10 9:20 p.m. • 46 views

Malicious Package

Overview: The package ac-addon contained malicious code. The package ran a postinstall script that executed two .exe files. Both files were identified to contain Trojan malware. Recommendation: Remove the package from your system and rotate any credentials that may have been compromised. References:...

AI score 7
Exploits: 0 • Affected Software: 1
Node.js
added 2020/11/09 11:47 p.m. • 34 views

Malicious Package

Overview: The package discord.dll contained malicious code. The package ran a postinstall script that exfiltrated local files such as browser local databases. The information was exfiltrated to a remote Discord webhook. Recommendation: Remove the package from your system and rotate any credentials...

AI score 6.6
Exploits: 0 • Affected Software: 1
Node.js
added 2020/11/09 2:24 p.m. • 51 views

Cross-Site Scripting in scratch-svg-renderer

Overview: This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the transformMeasurements function. Recommendation: Upgrade to version...

CVSS 6.8 • AI score 3.2 • EPSS 0.06179
Exploits: 3 • Affected Software: 1
Node.js
added 2020/11/02 6:50 p.m. • 24 views

Malicious Package

Overview: twilio-npm opened a reverse shell to a remote server as a postinstall script. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different compute...

AI score 7
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/19 9:18 p.m. • 48 views

Prototype Pollution

Overview: A prototype pollution vulnerability has been found in object-path = 0.11.0 is used, which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating...

CVSS 6.8 • AI score 2.2 • EPSS 0.00163
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/16 6:59 p.m. • 29 views

Regular Expression Denial of Service

Overview: npm-user-validate before version 1.0.1 is vulnerable to a Regular Expression Denial of Service (ReDoS). The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters. Impact: The issue affects the email function. If you use this...

AI score 6.8
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/15 7:20 p.m. • 49 views

Malicious Package

Overview: All versions of nodetest199 contain malicious code. Upon installation the package opens a shell to a remote server. The package affects both Windows and *nix systems. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets...

AI score 6.9
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/15 7:19 p.m. • 37 views

Malicious Package

Overview: All versions of nodetest1010 contain malicious code. Upon installation the package opens a shell to a remote server. The package affects both Windows and *nix systems. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secret...

AI score 6.9
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/15 7:13 p.m. • 73 views

Malicious Package

Overview: All versions of plutov-slack-client contain malicious code. Upon installation the package opens a shell to a remote server. The package affects both Windows and *nix systems. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All...

AI score 6.9
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/15 6:36 p.m. • 43 views

Malicious Package

Overview: All versions of npmpubman contain malicious code. The index.js file sends local environment variables to a remote server. The file is not run upon installation - the package needs to be required or the index.js run manually. Recommendation: Remove the package from your environment and...

AI score 6.6
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/08 10:14 p.m. • 60 views

Sensitive data exposure in NATS

Overview: Preview versions of two NPM packages and one Deno package from the NATS project contain an information disclosure flaw, leaking options to the NATS server; for one package, this includes TLS private credentials. The connection configuration options in these JavaScript-based implementatio...

CVSS 5 • AI score 1.4 • EPSS 0.00341
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/08 9:39 p.m. • 55 views

Command Injection

Overview: Insufficient input validation in npm package jison = 0.4.18 may lead to OS command injection attacks. Recommendation: No fix is currently available. Consider using an alternative package until a fix is made available. References: - https://github.com/advisories/GHSA-vr9x-mm65-2438...

CVSS 10 • AI score 2.3 • EPSS 0.05601
Exploits: 1 • Affected Software: 1
Node.js
added 2020/10/08 7:35 p.m. • 135 views

Open Redirect

Overview: Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users, although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain...

AI score 6.7
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/02 3:35 p.m. • 40 views

File restriction bypass in socket.io-file

Overview: All versions of socket.io-file are vulnerable to a file restriction bypass. The validation for valid file types only happens on the client side, which allows an attacker to intercept the WebSocket request post-validation and alter the name value to upload any file types. Recommendation: No...

AI score 6.9
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/01 5:01 p.m. • 31 views

Malicious Package

Overview: loadyaml was removed from the npm registry for containing malicious code. Upon installation the package runs a preinstall script that writes a public comment on GitHub containing the following information: - IP and IP-based geolocation - home directory name - local username. Recommendatio...

AI score 6.8
Exploits: 0 • Affected Software: 1
Node.js
added 2020/10/01 5:01 p.m. • 32 views

Malicious Package

Overview: electorn was removed from the npm registry for containing malicious code. Upon installation the package runs a preinstall script that writes a public comment on GitHub containing the following information: - IP and IP-based geolocation - home directory name - local username. Recommendatio...

AI score 6.8
Exploits: 0 • Affected Software: 1
Node.js
added 2020/09/30 6:39 p.m. • 83 views

Prototype Pollution in node-forge

Overview: The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions. Recommendation: Upgrade to version 0.10.0 or later. References: -...

CVSS 7.5 • AI score 3.6 • EPSS 0.02085
Exploits: 1 • Affected Software: 1
Node.js
added 2020/09/25 5:05 p.m. • 79 views

Universal XSS in Android WebView

Overview: A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native...

CVSS 4.3 • AI score 2.3 • EPSS 0.01018
Exploits: 0 • Affected Software: 1
Node.js
added 2020/09/14 7:12 p.m. • 14 views

Malicious Package

Overview: All versions of nagibabel contained malicious code. The package ran rm -rf on the current working directory. Recommendation: Remove the package from your environment...

AI score 6.8
Exploits: 0 • Affected Software: 1
Node.js
added 2020/09/14 4:42 p.m. • 15 views

Sensitive Data Exposure

Overview: Applies to Azure DevOps users only. The bot's token may be exposed in server or pipeline logs due to the http.extraheader=AUTHORIZATION parameter being logged without redaction. It is recommended that Azure DevOps users revoke their existing bot credentials and generate new ones after...

AI score 6.9
Exploits: 0 • Affected Software: 1
Node.js
added 2020/09/10 9:28 p.m. • 24 views

Authorization Bypass

Overview: When access rules are used inside a protected host, some URL encodings may bypass the filtering system. Recommendation: Upgrade to version 0.5.2. References: - https://github.com/advisories/GHSA-x44x-r84w-8v67 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290...

CVSS 7.5 • AI score 2.9 • EPSS 0.00529
Exploits: 1 • Affected Software: 1
Node.js
added 2020/09/10 5:55 p.m. • 39 views

Denial of Service

Overview: Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are...

CVSS 5 • AI score 5.1 • EPSS 0.00079
Exploits: 0 • Affected Software: 1
Total number of security vulnerabilities: 1635