giting version prior to 0.0.8 allows execution of arbritary commands. The first argument repo of function pull() is executed by the package without any validation.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-10802
https://github.com/MangoRaft…
clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-26759…
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all o…
Recommendation
This package is working as intended. A Security section has been added since v0.6.1 to detail proper usage of this library. Npm has revoked their advisory altogether.
Original Advisory
All versions of html-pdf-chrome are vulnerable to Se…
Cross-site scripting (XSS) vulnerability in the DataTables plugin 1.10.8 and earlier for jQuery allows remote attackers to inject arbitrary web script or HTML via the scripts parameter to media/unit_testing/templates/6776.php.
Recommendation
Update to …
Versions of angular prior to 1.5.0-beta.1 are vulnerable to Cross-Site Scripting. The package fails to sanitize xlink:href attributes, which may allow attackers to execute arbitrary JavaScript in a victim’s browser if the value is user-controlled.
Reco…
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
References
h…
The netaddr gem before 1.5.3 and 2.0.4 for Ruby has misconfigured file permissions, such that a gem install may result in 0777 permissions in the target filesystem.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-17383
https://github.com/dspinhir…
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib….
Versions of marked from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.
Recommendation
U…
