#js

A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual `<script>` element. If an attacker injected an HTML element such as: ``` <img name="currentScript" src="https://malicious.example.com"> ``` it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an <img> element instead of the <script> tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements (e.g., name="currentScript") become properties on the global document object. ## Impact An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. ## Fix https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3 The issue was resolved by verifying that document.currentScript is an instance of HTMLScriptElement. If not, the script now fa...

### Summary eKuiper /config/uploads API supports accessing remote web URLs and saving files in the local upload directory, but there are no security restrictions, resulting in arbitrary file writing through ../. If run with root privileges, RCE can be achieved by writing crontab files or ssh keys. ### Details ```go func fileUploadHandler(w http.ResponseWriter, r *http.Request) { switch r.Method { // Upload or overwrite a file case http.MethodPost: switch r.Header.Get("Content-Type") { case "application/json": fc := &fileContent{} defer r.Body.Close() err := json.NewDecoder(r.Body).Decode(fc) if err != nil { handleError(w, err, "Invalid body: Error decoding file json", logger) return } err = fc.Validate() if err != nil { handleError(w, err, "Invalid body: missing necessary field", logger) return } filePath := filepath.Join(uploadDir, fc.Name) err = upload(fc) ``` - The fc.Name parameter do not safely filtered. ### PoC ``` POST /co...

User claims to sell stolen Verizon and T-Mobile data for millions of users (online Verizon says data is old T-Mobile denies any breach and links to it.

### Summary A command injection vulnerability exists in the `git-mcp-server` MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). ### Details The MCP Server exposes tools (`git_add`, `git_init`, `git_logs`, etcc) to perform several git operations. An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. Below some example of vulnerable code and different ways to test this vulnerability including a real example of indirect prompt injection that can lead to arbitrary command injection...

### Impact The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. ### Workaround There are no app-side workarounds for this issue. You must update your Electron version to be protected. ### Patches - `v28.3.2` - `v29.3.3` - `v30.0.3` ### For More Information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).

string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.

electron's ASAR Integrity can be bypass by modifying the content. ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macOS are unimpacted. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `30.0.5` * `31.0.0-beta.1` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)

## Summary ## All user accounts authenticate towards a *File Browser* instance with a password. A missing password policy and brute-force protection makes it impossible for administrators to properly secure the authentication process. ## Impact ## Attackers can mount a brute-force attack against the passwords of all accounts of an instance. Since the application is lacking the ability to prevent users from choosing a weak password, the attack is likely to succeed. ## Vulnerability Description ## The application implement a classical authentication scheme using a username and password combination. While employed by many systems, this scheme is quite error-prone and a common cause for vulnerabilities. File Browser's implementation has multiple weak points: 1. Since the application is missing the capability for administrators to define a password policy, users are at liberty to set trivial and well-known passwords such as `secret` or even ones with only single digit like `1`. 2. New...

## Summary ## Files managed by the *File Browser* can be shared with a link to external persons. While the application allows protecting those links with a password, the implementation is error-prone, making an incidental unprotected sharing of a file possible. ## Impact ## File owners might rest in the assumption that their shared files are only accessible to persons knowing the defined password, giving them a false sense of security. Meanwhile, attackers gaining access to the unprotected link can use this information alone to download the possibly sensitive file. ## Vulnerability Description ## When sharing a file, the user is presented with a dialog asking for an optional password to protect the file share. The assumption of the user at this point would be, that the shared file won't be accessible without knowledge of the password. After clicking on `SHARE` the following dialog opens allowing the file's owner to copy the share-link: ![image](https://github.com/user-attachments...

## Summary URLs that are accessed by a user are commonly logged in many locations, both server- and client-side. It is thus good practice to never transmit any secret information as part of a URL. The *Filebrowser* violates this practice, since access tokens are used as GET parameters. ## Impact The *JSON Web Token (JWT)* which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give the attacker full access to the user's account and, in consequence, to all sensitive files the user has access to. ## Description Sensitive information in URLs is logged by several components (see the following examples), even if access is protected by TLS. * The browser history * The access logs on the affected web server * Proxy servers or reverse proxy servers * Third-party servers via the HTTP referrer header In case attackers can access certain logs, they could read the included sensitive data. ## Proof of Concept ## When a file ...