Underground News

Author: GitHub (925 posts)

Featured (all posted by GitHub)

  • [github.com/sigstore/cosign] cosign's `cosign verify-attestation --type` can report a false positive if any attestation exists
  • [github.com/sigstore/policy-controller] PolicyController before 0.2.1 may bypass attestation verification
  • [nbconvert] nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths
  • [owning_ref] owning_ref vulnerable to multiple soundness issues

[deferred-exec] deferred-exec Command Injection vulnerability

  • Posted in: severity
  • Posted by: GitHub
  • Posted 07/26/2022, last updated 08/06/2022

A command injection vulnerability affects all versions of the package deferred-exec. The injection point is at line 42 of lib/deferred-exec.js.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28438
https://security.snyk.io/vuln/SNYK-JS-DEFERRE…

[google-cloudstorage-commands] google-cloudstorage-commands Command Injection vulnerability

  • Posted in: severity
  • Posted by: GitHub
  • Posted 07/26/2022, last updated 08/06/2022

A command injection vulnerability affects all versions of the deprecated package google-cloudstorage-commands.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28436
https://github.com/samradical/google-cloudstorage-commands/blob/master/index.js%2…

[conf-cfg-ini] conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2

  • Posted in: severity
  • Posted by: GitHub
  • Posted 07/26/2022, last updated 08/05/2022

This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with `decode`, they can pollute `Object.prototype` in that application. How far this can be exploited depends on the context.
Re…

[js-ini] js-ini Prototype Pollution when malicious INI files submitted to an application that parses it with `parse`

  • Posted in: severity
  • Posted by: GitHub
  • Posted 07/26/2022, last updated 08/06/2022

This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with `parse`, they can pollute `Object.prototype` in that application. How far this can be exploited depends on the context.
Referenc…

[@ianwalter/merge] Prototype pollution in @ianwalter/merge

  • Posted in: Uncategorized
  • Posted by: GitHub
  • Posted 07/26/2022, last updated 07/27/2022

All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. @ianwalter/merge is deprecated and the maintainer suggests using @generates/merger instead.
References

https://nvd.nist.gov/vuln/detail/CVE-2…

[markdown-it-toc] markdown-it-toc Cross-site Scripting due to title of generated toc and contents of header not being escaped

  • Posted in: severity
  • Posted by: GitHub
  • Posted 07/26/2022, last updated 08/06/2022

This affects all versions of the package markdown-it-toc. Neither the title of the generated TOC nor the contents of the headers it links to are HTML-escaped, so a document author who controls a heading can inject markup into the rendered page.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28455
https://security.snyk.io/vuln/SNYK-JS-MARKDOWNITTOC-1044067…
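The unescaped pattern and its fix, as an added illustration that is not markdown-it-toc's own code: `renderTocUnsafe` interpolates the TOC title and heading text straight into HTML, while `renderToc` escapes element content and derives anchor ids from an allowlisted slug so neither text nor attribute context can be broken out of. The heading list and title are constructed sample input.

```javascript
// Added example, not code from markdown-it-toc or markdown-it.

// Escape the five characters that matter in HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Anchor ids keep only [a-z0-9-], so nothing from a heading can terminate href="...".
function slugify(text) {
  return String(text)
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/^-+|-+$/g, '');
}

// Vulnerable pattern: title and heading text are interpolated verbatim into the markup.
function renderTocUnsafe(title, headings) {
  const items = headings
    .map((h) => `<li><a href="#${h.text}">${h.text}</a></li>`)
    .join('');
  return `<div class="toc"><h2>${title}</h2><ul>${items}</ul></div>`;
}

// Hardened: slug for the attribute, HTML-escaped text for element content.
function renderToc(title, headings) {
  const items = headings
    .map((h) => `<li><a href="#${escapeHtml(slugify(h.text))}">${escapeHtml(h.text)}</a></li>`)
    .join('');
  return `<div class="toc"><h2>${escapeHtml(title)}</h2><ul>${items}</ul></div>`;
}

// Constructed input: a document whose author controls one heading and the TOC title.
const HEADINGS = [
  { level: 2, text: 'Getting started' },
  { level: 2, text: '<img src=x onerror=alert(1)>' },
];
const TITLE = '"><script>alert(document.cookie)</script>';
```

A markdown-it plugin producing the TOC would emit the same two strings; the point is that the text node and the `href` attribute are separate contexts and each needs its own treatment.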

[otp-generator] otp-generator before v3.0.0 insecurely generates random one-time passwords

  • Posted in: severity
  • Posted by: GitHub
  • Posted 07/26/2022, last updated 08/06/2022

The package otp-generator before 3.0.0 is vulnerable to Insecure Randomness: one-time passwords are generated from a non-cryptographic random source, which makes them predictable and may allow a brute-force attack.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-23451
https://github.com/M…

[ion-parser] ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse`

  • Posted in: severity
  • Posted by: GitHub
  • Posted 07/26/2022, last updated 08/06/2022

This affects all versions of the package ion-parser. If an attacker submits a malicious INI file to an application that parses it with `parse`, they can pollute `Object.prototype` in that application. How far this can be exploited depends on the context.
Refer…
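The root cause shared by the conf-cfg-ini, js-ini and ion-parser advisories above, as an added example that is not code from any of those packages: a minimal INI parser that stores sections and keys as plain property writes, so a `[__proto__]` section header resolves to `Object.prototype` and every key beneath it lands on every object in the process, beside a hardened parser that uses null-prototype containers and rejects the dangerous names outright. The malicious file is constructed sample input; `pollutionCheck` is this example's own harness.

```javascript
// Added example, not code from conf-cfg-ini, js-ini or ion-parser.

// Vulnerable: section and key names become property names on ordinary objects.
// result['__proto__'] reads back Object.prototype, so `current` becomes the shared
// prototype and the next "key = value" line pollutes every object in the process.
function naiveParseIni(text) {
  const result = {};
  let current = result;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      const name = section[1].trim();
      current = result[name] = result[name] || {}; // '[__proto__]' -> Object.prototype
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return result;
}

// Hardened: null-prototype containers have no __proto__ accessor to hit, and an explicit
// denylist turns an attempt into a loud error instead of a silently stored key.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeParseIni(text) {
  const result = Object.create(null);
  let current = result;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      const name = section[1].trim();
      if (FORBIDDEN_KEYS.has(name)) throw new Error(`unsafe section name: ${name}`);
      if (!Object.prototype.hasOwnProperty.call(result, name)) result[name] = Object.create(null);
      current = result[name];
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`unsafe key name: ${key}`);
    current[key] = line.slice(eq + 1).trim();
  }
  return result;
}

// Constructed attacker-supplied INI file (not taken from any real report).
const MALICIOUS_INI = ['[__proto__]', 'polluted = yes'].join('\n');

// Parse the malicious file, then ask a brand-new, unrelated object whether it inherited
// the injected property. Restores Object.prototype afterwards so later code is unaffected.
function pollutionCheck(parser) {
  let threw = false;
  try {
    parser(MALICIOUS_INI);
  } catch (e) {
    threw = true;
  }
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return { threw, polluted };
}
```

The null-prototype result also means consumers must not call `cfg.hasOwnProperty(...)` on it; use `Object.hasOwn` or `Object.prototype.hasOwnProperty.call`, which is the price of having nothing inheritable to poison.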

[xopen] xopen is vulnerable to OS Command Injection in Exported Function xopen(filepath)

  • Posted in: severity
  • Posted by: GitHub
  • Posted 07/26/2022, last updated 08/06/2022

A command injection vulnerability affects all versions of the package xopen. The injection point is at line 14 of index.js, in the exported function xopen(filepath).
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28447
https://security.snyk.i…

[sonar-wrapper] sonar-wrapper Command Injection vulnerability

  • Posted in: severity
  • Posted by: GitHub
  • Posted 07/26/2022, last updated 08/06/2022

A command injection vulnerability affects all versions of the package sonar-wrapper. The injection point is in lib/sonarRunner.js.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28443
https://security.snyk.io/vuln/SNYK-JS-SONARWRAPPER-105098…
