Underground News

[@ianwalter/merge] Prototype pollution in @ianwalter/merge

  • Posted in Uncategorized
  • Posted by GitHub
  • 07/26/2022 (updated 07/27/2022)

All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. @ianwalter/merge is deprecated and the maintainer suggests using @generates/merger instead.
References

https://nvd.nist.gov/vuln/detail/CVE-2…

[node-import] node-import `params` argument can be controlled by users without any sanitization

  • Posted in severity
  • Posted by GitHub
  • 07/26/2022 (updated 08/06/2022)

This affects all versions of package node-import. The `params` argument of the `module` function can be controlled by users without any sanitization and is then passed to `eval` (line 79 of the index file, index.js).
References

https:…

[js-ini] js-ini Prototype Pollution when malicious INI files submitted to an application that parses it with `parse`

  • Posted in severity
  • Posted by GitHub
  • 07/26/2022 (updated 08/06/2022)

This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with `parse`, they will pollute the prototype of the application's objects. This can be exploited further depending on the context.
Referenc…

[snyk-broker] snyk-broker Path Traversal before v4.73.0

  • Posted in severity
  • Posted by GitHub
  • 07/26/2022 (updated 08/06/2022)

This affects the package snyk-broker before 4.73.0. It allows arbitrary file reads for users with access to Snyk’s internal network via directory traversal.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-7649
https://github.com/snyk/broker/commi…

[joplin] Joplin is vulnerable to arbitrary code execution

  • Posted in Uncategorized
  • Posted by GitHub
  • 07/26/2022 (updated 07/30/2022)

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into note titles.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-35131
https://github.com/laurent22/joplin/releases/tag/v2.9.1
https://github.com/ly1…

[mistune] Mistune v2.0.2 vulnerable to catastrophic backtracking

  • Posted in Uncategorized
  • Posted by GitHub
  • 07/26/2022 (updated 07/30/2022)

In Mistune through 2.0.2, support for inline markup is implemented with regular expressions that can involve a large amount of backtracking on certain edge cases. This behaviour is commonly known as catastrophic backtracking.
References

https://nvd.nist…

[microweber/microweber] Microweber Stored Cross-site Scripting before v1.2.20

  • Posted in Uncategorized
  • Posted by GitHub
  • 07/23/2022 (updated 08/03/2022)

Microweber prior to version 1.2.20 is vulnerable to stored Cross-site Scripting (XSS).
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2495
https://github.com/microweber/microweber/commit/d35e691e72d358430abc8e99f5ba9eb374423b9f
https://huntr.de…

[github.com/caddyserver/caddy] Out-of-bounds Read can lead to client side denial of service

  • Posted in Uncategorized
  • Posted by GitHub
  • 07/23/2022 (updated 07/29/2022)

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) on the client side via a crafted URI.
According to the maintainer, the bug only affects the clien…

[microweber/microweber] Microweber before 1.2.21 vulnerable to reflected XSS

  • Posted in Uncategorized
  • Posted by GitHub
  • 07/23/2022 (updated 07/28/2022)

Microweber prior to 1.2.21 is vulnerable to reflected cross-site scripting (XSS).
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2470
https://github.com/microweber/microweber/commit/d28655183800b833abb20ccd55e1628f16ff65e4
https://huntr.dev/boun…

[prestashop/prestashop] Duplicate Advisory GHSA-hrgx-p36p-89q4

  • Posted in severity
  • Posted by GitHub
  • 07/23/2022 (updated 08/06/2022)

Duplicate Advisory
This advisory is a duplicate of GHSA-hrgx-p36p-89q4. This link is maintained to preserve external references.
Original Description
PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.2 allows remote attackers to execute arbitrary code, ak…
