Remote Memory Exposure
Overview A buffer over-read vulnerability exists in bl 4.0.3, 3.0.1, 2.2.1 and 1.2.3. If user input, even typed, ends up in the consume argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory v...
Command Injection
Overview Versions of bestzip prior to 2.1.7 are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an exec call on the zip function. This may allow attackers to execute arbitrary code in the system as long as the values of destination is...
Inadequate Encryption Strength
Overview In the bcrypt npm package before version 5.0.0, data is truncated incorrectly when its length is greater than 255 bytes. Recommendation Upgrade to version 5.0.0 or later. References - https://nvd.nist.gov/vuln/detail/CVE-2020-7689 - https://github.com/kelektiv/node.bcrypt.js776 -...
Malicious Package
Overview fallguys contained malicious code that attempted to read local sensitive files and exfiltrate information through a Discord webhook. The code attempted to access the following paths available on Windows systems: - /AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb...
DOM-based XSS
Overview Versions before and including 11.25.1 are using dangerouslySetInnerHTML to display an informational message when used with a Passwordless or Enterprise connection. For Passwordless connection, the value of the input email or phone number is displayed back to the user while waiting for...
Regular Expression Denial of Service
Overview All versions of url-regex are vulnerable to a Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service. Recommendation There are no patches and the software is not currently maintained. The security researcher who found t...
Cross-Site Scripting
Overview @progress/kendo-angular-editor before version 1.2.3 is vulnerable to Cross-Site Scripting. When the Editor content contains potentially malicious scripts in element event handlers, they get executed. Adding the following content to the Editor value demonstrates the issue: . Recommendatio...
Remote Code Execution
Overview serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". An object such as "foo": /1"/, "bar": "a"@R--0@" was serialized as "foo": /1"/, "bar": "a/1"/, which allows an attacker to escape the bar key. This...
Signature Malleability
Overview The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature. Recommendation...
Information Exposure
Overview Versions of auth0 before 2.27.1 use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to Auth0 management API fails, the key for Authorization header is not sanitized and the Authorization header value can be logg...
Remote Code Execution
Overview MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The...
Sensitive Data Exposure
Overview Affected versions of npm-registry-fetch are vulnerable to an information exposure vulnerability through log files. The package supports URLs like ://:@::/. The password value is not redacted and is printed to stdout and also to any generated log files. Recommendation Upgrade to version...
Sensitive Data Exposure
Overview Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like ://:@::/. The password value is not redacted and is printed to stdout and also to any generated log files. Recommendation Upgrade to version 6.14....
Prototype Pollution
Overview Versions of json-logic-js prior to 2.0.0 are vulnerable to Prototype Pollution. The method operation allows a malicious user to modify the prototype of Object through the method property name. This causes modification of any existing property that will exist on all objects and leads to...
Improper Verification of Cryptographic Signature
Overview Versions of jsrsasign prior to 8.0.17 fail to properly verify cryptographic signatures. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature; it accepts these modified signatures as valid. An attacker can abuse th...
Improper Authorization
Overview Affected versions of @sap-cloud-sdk/core do not properly validate JWTs. The verifyJwt function does not properly validate the URL from where the public verification key for the JWT can be downloaded. Any URL was trusted, which makes it possible to provide a URL belonging to a manipulated...
Remote Code Execution
Overview Versions of next prior to 5.1.0 are vulnerable to Remote Code Execution. The /path: route fails to properly sanitize input and passes it to a require call. This allows attackers to execute JavaScript code on the server. Recommendation Upgrade to version 5.1.0. References - Vulnerability...
Information Exposure
Overview Versions of apollo-server-lambda prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their relatio...
Information Exposure
Overview Versions of apollo-server-micro prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their relation...
Information Exposure
Overview Versions of apollo-server-koa prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their relations...
Information Exposure
Overview Versions of apollo-server-hapi prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their relations...
Information Exposure
Overview Versions of apollo-server-fastify prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their...
Information Exposure
Overview Versions of apollo-server-express prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their...
Information Exposure
Overview Versions of apollo-server-cloudflare prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their...
Information Exposure
Overview Versions of apollo-server-cloud-functions prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, thei...
Information Exposure
Overview Versions of apollo-server-core prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their relations...
Information Exposure
Overview Versions of apollo-server-cache-memcached prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, thei...
Information Exposure
Overview Versions of apollo-server-azure-functions prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, thei...
Information Exposure
Overview Versions of apollo-server prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their relations and...
Cross-Site Scripting
Overview Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove "" HTML tags that contain a whitespace character, i.e: "", which results in the enclosed script logic being executed. This allows attackers to execute arbitrary...
Prototype Pollution
Overview Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided...
Cross-Site Scripting
Overview Versions of bootstrap-select prior to 1.13.6 are vulnerable to Cross-Site Scripting (XSS). The package does not escape title values on tags. This may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation Upgrade to version 1.13.6 or later. References - GitHu...
Cross-Site Scripting
Overview Versions of @toast-ui/editor prior to 2.2.0 are vulnerable to Cross-Site Scripting (XSS). There are multiple bypasses to the package's built-in XSS sanitization. This may allow attackers to execute arbitrary JavaScript on a victim's browser. Recommendation Upgrade to version 2.2.0 or later...
Path Traversal
Overview All versions of socket.io-file are vulnerable to Path Traversal. The package fails to sanitize user input and uses it to generate the file upload paths. The socket.io-file::createFile message contains a name option that is passed directly to path.join. It is possible to upload files to...
Cross-Site Scripting
Overview Versions of jquery prior to 3.5.0 are vulnerable to Cross-Site Scripting. Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html, .append, and others) may execute arbitrary JavaScript in a victim's browser. Recommendation...
Command Injection
Overview All versions of git-tags-remote are vulnerable to Command Injection. The package fails to sanitize the repository input and passes it directly to an exec call on the get function. This may allow attackers to execute arbitrary code in the system if the repo value passed to the function i...
Regular Expression Denial of Service
Overview Versions of papaparse prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDoS). The parse function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of...
DLL Injection
Overview Versions of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to create a file with the same name in a folder that precedes the intended file in the DLL path search. Doing so would allow attackers to...
Malicious Package
Overview All versions of m-backdoor contain malicious code. The package downloads a file from a remote server and executes it as a preinstall script. At the time of the release of this advisory the downloaded file only defaces websites by removing elements randomly from the DOM. Recommendation...
Command Injection
Overview All versions of umount are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an exec call on the umount function. This may allow attackers to execute arbitrary code in the system if the device value passed to the function is...
Prototype Pollution
Overview All versions of ini-parser are vulnerable to prototype pollution. The parse function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently available...
Command Injection
Overview All versions of npm-programmatic are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an exec call on the install, uninstall and list functions. This may allow attackers to execute arbitrary code in the system if the package name passe...
Prototype Pollution
Overview Affected versions of sds are vulnerable to prototype pollution. The set function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation Upgrade to version 4.0.0 or later...
Timing Attack
Overview Versions of jsrsasign are vulnerable to Timing Attacks. The signHex function uses a timing-unsafe method for ECDSA key generation and signing. This leaks the length of the scalar, which attackers may use to brute-force the private key. Timing attacks can be used to increase the efficienc...
Buffer Overflow
Overview Affected versions of node-weakauras-parser are vulnerable to a Buffer Overflow. The encodeweakaura function fails to properly validate the input size. A buffer of 13835058055282163711 bytes causes an overflow on 64-bit systems. Recommendation Upgrade to versions 1.0.5, 2.0.2, 3.0.1 or...
Path Traversal
Overview Versions of next prior to 9.3.2 are vulnerable to Path Traversal. The package failed to restrict access to arbitrary files inside the dist directory through specially-crafted HTTP requests. It is not possible to access files outside of the dist directory. Recommendation Upgrade to versio...
Prototype Pollution
Overview All versions of utils-extend are vulnerable to prototype pollution. The extend function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently...
Server-Side Request Forgery
Overview Versions of @uppy/companion prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The get route passes the user-controlled variable req.body.url to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of t...
Prototype Pollution
Overview Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument...
Command Injection
Overview Versions of node-rules prior to 5.0.0 are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an eval call when using the fromJSON function. This may allow attackers to execute arbitrary code in the system if the rules are user-controlled...