36127 matches found
Malicious Package
Overview react-icon-svgs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Overview Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs 'XML Entity Expansion' through the processing of a deeply nested ASN.1 structure. An attacker can cause a stack overflow and disrupt service availability by sending specially...
Malicious Package
Overview ai-node-agent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ai-node-relay is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview prism-silq is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview hexo-shoka-swiper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview hexo-deployer-wrangler is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of text/vnd.mermaid output during the HTML export process. An attacker can execute arbitrary JavaScript in the context of a user's browser by convincing a user to view a maliciously...
Cleartext Transmission of Sensitive Information
Overview apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the FTPSHook.getconn process not invoking protp, resulting in the data channel being...
Cleartext Transmission of Sensitive Information
Overview apache-airflow-providers-ftp is a Provider package apache-airflow-providers-ftp for Apache Airflow Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information. due to the FTPSHook.getconn process not invoking protp, resulting in the data channel...
Malicious Package
Overview wao is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview vxui-react is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview tw-style-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview pump-laserstream-parser is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Malicious Package
Overview pino-zod is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview pump-stream-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview zod-pino is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview ttal2ttml is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview kdrive-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview analysis-chart is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview theme-color-picker is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview package-uploader is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ref-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview ts-opus is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
DNS Rebinding
Overview Affected versions of this package are vulnerable to DNS Rebinding in dns.lookup lib/dns.js and lookupAndConnect lib/net.js, which forward a hostname containing an embedded NUL byte to the native resolver bindings where the C string is truncated at the first NUL. An attacker can cause an...
Exposure of Private Personal Information to an Unauthorized Actor
Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in the ProxyConfig constructor in lib/internal/http.js, which stores the full proxy URL including any embedded username and password and surfaces it in ERRPROXYTUNNEL err...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the node:http2 client's ORIGIN frame handling, which places no limit on the number of ORIGIN frames a server may send. An attacker operating a malicious or compromised HTTP/2 serve...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation in TLSSocket.prototype.setSession lib/internal/tls/wrap.js, which reuses a cached TLS session for a connection with a different servername without re-verifying the server's certificate against the new hos...
Improper Handling of Unicode Encoding
Overview Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in the checkServerIdentity function in lib/tls.js, which does not normalize an internationalized hostname to ASCII before matching it against certificate names. An attacker presenting a certificate...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the WebCrypto cipher output length calculation in src/crypto/cryptoaes.cc, where datalen + blockSize + taglen is computed as a signed int before being passed to OpenSSL. An attacker can abort the proces...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the Server.prototype.addContext method of lib/internal/tls/wrap.js, which builds the server name matching regular expression without the case-insensitive flag. An attacker can evade the TLS conte...
Incorrect Default Permissions
Overview Affected versions of this package are vulnerable to Incorrect Default Permissions in the futimes function of lib/internal/fs/promises.js, which backs FileHandle.utimes and performs no file system permission check. An attacker who can execute code in a process running under the Permission...
Malicious Package
Overview wellnpm is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Cross-site Scripting (XSS)
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the page editor process. An attacker can execute arbitrary scripts and potentially gain system access by injecting...
Deserialization of Untrusted Data
Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the idlelib.pyshell.ModifiedInterpreter.runcode process. An attacker can execute arbitrary commands by...
Race Condition
Overview Affected versions of this package are vulnerable to Race Condition through the proxyCSSRewriter process. An attacker can cause the application to crash by triggering concurrent access to shared resources, resulting in a denial of service. Remediation Upgrade...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the LinkCheck process due to incomplete validation of IPv6 transition mechanisms. An attacker can access internal network resources by submitting specially crafted requests that exploit the insufficie...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Webhook URL handling process. An attacker can access internal network resources or sensitive endpoints by supplying a crafted URL. Remediation There is no fixed version for...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack via the file processing mechanism. An attacker can write arbitrary files to the filesystem by exploiting a case-insensitive bypass and missing checks for HardLink/SymLink tags. Remediation There is no fixed version for...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack via the file processing mechanism. An attacker can write arbitrary files to the filesystem by exploiting a case-insensitive bypass and missing checks for HardLink/SymLink tags. Remediation Upgrade...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the PATCH process for public shares. An attacker can access or modify files outside the intended shared directory by crafting malicious requests that exploit improper path validation. Details A Directory Traversa...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal through the dump process when handling attacker-controlled message IDs via the --http interface. An attacker can write arbitrary files to the filesystem by supplying crafted message IDs that exploit path traversal...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the authentication process when using Basic Auth with LDAP. An attacker can bypass intended authentication controls by supplying usernames with different letter casing, potentially gaining...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the authentication process when using Basic Auth with LDAP. An attacker can bypass intended authentication controls by supplying usernames with different letter casing, potentially gaining...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the HTML processing component due to a missing IP-filter dialer. An attacker can access internal network resources by crafting malicious HTML content that triggers requests to private, loopback, or IM...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the authentication process when using Basic Auth with LDAP. An attacker can bypass intended authentication controls by supplying usernames with different letter casing, potentially gaining...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the HTML processing component due to a missing IP-filter dialer. An attacker can access internal network resources by crafting malicious HTML content that triggers requests to private, loopback, or IM...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure in the process handling Gateway resources when the konghq.com/gatewayclass-unmanaged: 'true' annotation is missing. An attacker can access TLS secrets from other namespaces by creating or modifying Gateway resources...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect via the redirect parameter. An attacker can redirect users to arbitrary external sites by crafting a malicious URL. Remediation There is no fixed version for github.com/casdoor/casdoor/object. References - Go Advisory...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the authentication process when using Basic Auth with LDAP. An attacker can bypass intended authentication controls by supplying usernames with different letter casing, potentially gaining...