36451 matches found
Malicious Package
Overview ts-numbering is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview local-ip-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview libsignal-node-travatiger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview datacamp-light is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview chai-as-uphelded is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview chai-as-attested is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the process that creates and forwards ServiceAccount tokens to output destinations without verifying the authorization of the creator. An attacker can gain unauthorized access to sensitive credentials by...
Malicious Package
Overview node-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview ts-wross is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview node-core-libs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview node-fetch-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview crud-respect is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview carousel-controller-mixin is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview respects-switch is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview setka-editor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview onboarding-respects-modal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview search-from-search is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
CSV Injection
Overview @actual-app/api is an An API for Actual Affected versions of this package are vulnerable to CSV Injection in the exportToCSV and exportQueryToCSV processes, where user-controlled input from fields such as Payee and Notes is passed to CSV export without neutralizing formula-triggering...
CSV Injection
Overview @actual-app/web is an Actual on the web Affected versions of this package are vulnerable to CSV Injection in the exportToCSV and exportQueryToCSV processes, where user-controlled input from fields such as Payee and Notes is passed to CSV export without neutralizing formula-triggering...
CSV Injection
Overview @actual-app/cli is a CLI for Actual Budget Affected versions of this package are vulnerable to CSV Injection in the exportToCSV and exportQueryToCSV processes, where user-controlled input from fields such as Payee and Notes is passed to CSV export without neutralizing formula-triggering...
CSV Injection
Overview Affected versions of this package are vulnerable to CSV Injection in the exportToCSV and exportQueryToCSV processes, where user-controlled input from fields such as Payee and Notes is passed to CSV export without neutralizing formula-triggering characters. An attacker can cause...
Server-side Request Forgery (SSRF)
Overview @budibase/backend-core is a Budibase backend core libraries used in server and worker Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the outboundFetch process. An attacker can access internal network resources and retrieve sensitive information b...
Symlink Attack
Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Symlink Attack via the processPWAZip process. An attacker can access sensitive files on the server by uploading a crafted zip archive containing symbolic links that point to arbitrary files, whi...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the externalTrigger process. An attacker can gain unauthorized access to another workspace's database and execu...
Insufficient Session Expiration
Overview @actual-app/sync-server is an actual syncing server Affected versions of this package are vulnerable to Insufficient Session Expiration due to the lack of user status verification in the validateSession process. An attacker can maintain unauthorized access to server endpoints and sensiti...
Missing Authorization
Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Missing Authorization via the getSignedUploadURL process. An attacker can gain unauthorized access to generate AWS S3 pre-signed PUT URLs using stored IAM credentials by sending unauthenticated...
Deserialization of Untrusted Data
Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ensurepip.runpip function. An attacker can execute arbitrary code by crafting malicious pickle files...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the recordSelectOptionsQuery method. An attacker can bypass intended access restrictions by tampering with the Livewire component's state and submitting out-of-scope values in the Sele...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the recordSelectOptionsQuery method. An attacker can bypass intended access restrictions by tampering with the Livewire component's state and submitting out-of-scope values in the Sele...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the recordSelectOptionsQuery method. An attacker can bypass intended access restrictions by tampering with the Livewire component's state and submitting out-of-scope values in the Sele...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the recordSelectOptionsQuery method. An attacker can bypass intended access restrictions by tampering with the Livewire component's state and submitting out-of-scope values in the Sele...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect in the normalization of the HTTP Location header during redirects. An attacker can redirect users to an arbitrary external site by supplying specially crafted input containing ASCII tab, carriage return, or newline...
Deserialization of Untrusted Data
Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the idlelib.autocomplete.AutoComplete.getentity function. An attacker can execute arbitrary commands by...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ImageColumn or ImageEntry components rendering raw database values without escaping HTML. An attacker can execute arbitrary HTML or JavaScript in the context of affected users by injecting malicious...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ImageColumn or ImageEntry components rendering raw database values without escaping HTML. An attacker can execute arbitrary HTML or JavaScript in the context of affected users by injecting malicious...
Missing Authorization
Overview filament/filament is an A collection of full-stack components for accelerated Laravel app development. Affected versions of this package are vulnerable to Missing Authorization through the WithFileUploads trait. An attacker can upload arbitrary files to temporary storage by submitting...
Timing Attack
Overview filament/filament is an A collection of full-stack components for accelerated Laravel app development. Affected versions of this package are vulnerable to Timing Attack via the login page. An attacker can determine whether specific email addresses are registered by measuring response tim...
Improper Enforcement of Behavioral Workflow
Overview filament/filament is an A collection of full-stack components for accelerated Laravel app development. Affected versions of this package are vulnerable to Improper Enforcement of Behavioral Workflow through the improper handling of recovery codes in app-based multi-factor authentication...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the RichEditor field when it is disabled, as its state is rendered without sanitizing HTML content. An attacker can execute arbitrary HTML or JavaScript in the context of users viewing the form by injecting...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect via the reloadNuxtApp function. An attacker can redirect users to attacker-controlled hosts by injecting protocol-relative paths such as //evil.com, potentially enabling phishing attacks or theft of OAuth authorization...
Open Redirect
Overview org.webjars.npm:nuxt is a Affected versions of this package are vulnerable to Open Redirect via the reloadNuxtApp function. An attacker can redirect users to attacker-controlled hosts by injecting protocol-relative paths such as //evil.com, potentially enabling phishing attacks or theft ...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the navigateTo open option. An attacker can execute arbitrary scripts in the application's origin by supplying a crafted open parameter containing a script-capable URL. Details Cross-site scripting or XSS is...
Cross-site Scripting (XSS)
Overview org.webjars.npm:nuxt is a Affected versions of this package are vulnerable to Cross-site Scripting XSS via the navigateTo open option. An attacker can execute arbitrary scripts in the application's origin by supplying a crafted open parameter containing a script-capable URL. Details...
Missing Authorization
Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Missing Authorization via the getSignedUploadURL process. An attacker can perform unauthorized arbitrary object uploads to S3 buckets by sending crafted requests to the unauthenticated endpoint,...
Cross-site Request Forgery (CSRF)
Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the handoffChatLinkSession process. An attacker can gain unauthorized access to another user's account by crafting a malicious link containing their own...
Improper Handling of Length Parameter Inconsistency
Overview zeroconf is a Pure Python Multicast DNS Service Discovery Library Bonjour/Avahi compatible Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the readcharacterstring and readstring functions. An attacker can inject malicious...
Cross-site Scripting (XSS)
Overview org.webjars.npm:devbridge-autocomplete is an Autocomplete provides suggestions while you type into the text field. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the formatGroup and formatResult functions. An attacker can inject and execute arbitrary HTM...
Cross-site Scripting (XSS)
Overview devbridge-autocomplete is an Autocomplete provides suggestions while you type into the text field. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the formatGroup and formatResult functions. An attacker can inject and execute arbitrary HTML or JavaScript...
Prototype Pollution
Overview scim-patch is a SCIM Patch operation rfc7644. Affected versions of this package are vulnerable to Prototype Pollution via the scimPatch function. An attacker can modify the Object.prototype by supplying specially crafted keys in a patch operation, which can lead to privilege escalation,...
Cleartext Storage of Sensitive Information
Overview Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to storing sensitive enrollment tokens in plaintext within the enrollmenttokens.token column of the database. An attacker can gain unauthorized access to host identities by reading the...