#js

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: ABB Equipment: RMC-100 Vulnerabilities: Use of Hard-coded Cryptographic Key, Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to gain unauthenticated access to the MQTT configuration data, cause a denial-of-service condition on the MQTT configuration web server (REST interface), or decrypt encrypted MQTT broker credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ABB reports the following versions of RMC-100 with the REST interface are affected. The vulnerabilities are only present when the REST interface is enabled. This interface is disabled by default: RMC-100: 2105457-043 through 2105457-045 RMC-100 LITE: 2106229-015 through 2106229-016 3.2 VULNERABILITY OVERVIEW 3.2.1 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321 When the REST interface is enabled by the user, and an attacker gains access to the source code...

### Summary Using a CDN that caches (`/**/*.png`, `/**/*.json`, `/**/*.css`, etc...) requests, a cache deception can emerge. This could lead to unauthorized access to user sessions and personal data when cached responses are served to other users. ### Details The vulnerability occurs in the request processing logic where path sanitization is insufficient. The library splits the path using `config.basePath` but doesn't properly validate the remaining path components. This allows specially crafted requests that appear to be static assets (like `/api/auth/get-session/api/auth/image.png` assuming `config.basePath`=`/api/auth`) to bypass typical CDN cache exclusion rules while actually returning sensitive data. The problematic code [here](https://github.com/Bekacru/better-call/blob/8b6f13e24fad7f4666a582601517bb3232d4f4af/src/router.ts#L124): ```js const processRequest = async (request: Request) => { const url = new URL(request.url); const path = config?.basePath ? url.pathname.spl...

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

## Summary The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. ## Details ### 1. Sandbox Escape Leading to XSS The expression evaluator's sandbox can be bypassed to execute arbitrary JavaScript code. Attackers can obtain the Function constructor through indirect methods: ```javascript // Attack vector 1: Using Object.getOwnPropertyDescriptor { ((f, g) => f(g(Object), "constructor").value)(Object.getOwnPropertyDescriptor, Object.getPrototypeOf)("alert(location)")() } // Attack vector 2: Using object property access { { f: Object.getOwnPropertyDescriptor }.f({ g: Object.getPrototypeOf }.g(Object), "constructor").value("alert(location)")() } ``` Both payloads bypass the sandbox restrictions and execute `Function("alert(location)")()`. ### 2. Prototype Pollution The expression evaluator allows access to prototype accessor methods which can be exploited with Object.assign ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: KUNBUS Equipment: RevPi Webstatus Vulnerability: Incorrect Implementation of Authentication Algorithm 2. RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to bypass authentication and gain unauthorized access to the application. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS KUNBUS reports the following products are affected: Revolution Pi Webstatus: Version 2.4.5 and prior Revolution Pi OS Bullseye: 04/2024 Revolution Pi OS Bullseye: 09/2023 Revolution Pi OS Bullseye: 07/2023 Revolution Pi OS Bullseye: 06/2023 Revolution Pi OS Bullseye: 02/2024 3.2 VULNERABILITY OVERVIEW 3.2.1 INCORRECT IMPLEMENTATION OF AUTHENTICATION ALGORITHM CWE-303 The Revolution Pi Webstatus application is vulnerable to an authentication bypass. The password check is vulnerable to an implicit type conversion. This results in incorrect authentication if the JSON value TRUE is prov...

## GitHub Personal Access Token Exposure in docusaurus-plugin-content-gists ### Summary docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. ### Affected Versions - All versions < 4.0.0 ### Patched Versions - Version 4.0.0 and later ### Impact When using the affected versions with the recommended configuration pattern: ```javascript plugins: [ [ 'docusaurus-plugin-content-gists', { personalAccessToken: process.env.GITHUB_PERSONAL_ACCESS_TOKEN, }, ], ] ``` The GitHub Personal Access Token is included in the webpack bundle and exposed in production builds at: - `/build/assets/js/main.[hash].js` This allows malicious actors to: - Extract ...

### Summary Possibility to craft a request that will crash the Qwik Server in the default configuration. ### Details When a Qwik Server Action QRL is executed it dynamically load the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit. ### PoC 1. Setup a Qwik Project `pnpm create qwik@latest` 2. Start the Qwik Server using `pnpm run preview` 3. Execute the following curl command to crash the instance ```bash curl --location 'http://localhost:4173/?qfunc=PPXYallGsCE' \ --header 'Content-Type: application/qwik-json' \ --header 'X-Qrl: PPXYallGsCE' \ --data '{"_entry":"2","_objs":["\u0002_#s_PPXYallGsCE",1,["0","1"]]}' ``` Here the `qfunc` query parameter, `X-Qrl` header and payload need to have the same qrl. The Qwik Server will then crash with the message ``` qrl s_PPXYallGsCE failed to load Error: Dynamic require of "_.js" is not supported at file:///home/michele/Code/qwik/server/en...

### Impact Applications that use the `verifyWebhook()` helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. ### Patches * `@clerk/backend`: the helper has been patched as of `2.4.0` * `@clerk/astro`: the helper has been patched as of `2.10.2` * `@clerk/express`: the helper has been patched as of `1.7.4` * `@clerk/fastify`: the helper has been patched as of `2.4.4` * `@clerk/nextjs`: the helper has been patched as of `6.23.3` * `@clerk/nuxt`: the helper has been patched as of `1.7.5` * `@clerk/react-router`: the helper has been patched as of `1.6.4` * `@clerk/remix`: the helper has been patched as of `4.8.5` * `@clerk/tanstack-react-start`: the helper has been patched as of `0.18.3` ### Resolution The issue was resolved in **`@clerk/backend` `2.4.0`** by: * Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event ### Workarounds If unable to upgrade, developers ...

### Impact Any user with a Juju account on a controller can read debug log messages from the `/log` endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. The log messages may contain sensitive information. ### Details The `/log` endpoint is accessible at the following endpoints: - `wss://<controller-ip>/log` - `wss://<controller-ip>/model/<model-uuid>/log` In order to connect to these endpoints, the client must pass an X-Juju-Client-Version header that matches the current version and pass credentials in a Basic Authorization header. Once connected, the service will stream log events even though the user is not authorised to view them. To reproduce: ``` juju bootstrap juju add-user testuser juju change-user-password testuser ``` Run the [wscat](https://github.com/websockets/wscat) command below to connect to `wss://<controller-ip>:17070/api`. Update the JSON payload to include the username and password that were...