#js

A security weakness has been disclosed in the artificial intelligence (AI)-powered code editor Cursor that could trigger code execution when a maliciously crafted repository is opened using the program. The issue stems from the fact that an out-of-the-box security setting is disabled by default, opening the door for attackers to run arbitrary code on users' computers with their privileges. "

JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies to get executed.

## Summary When Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. ## Details The Node adapter (`lib/adapters/http.js`) supports the `data:` scheme. When `axios` encounters a request whose URL starts with `data:`, it does not perform an HTTP request. Instead, it calls `fromDataURI()` to decode the Base64 payload into a Buffer or Blob. Relevant code from [`[httpAdapter](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231)`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adap...

### Impact Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware detailed in the blog post below. This includes the extremely popular jsdelivr hosting of this file. ### Patches We unpublished the version on npm. ### Workarounds This has already been unpublished. See Prebid.js 9 release notes for suggestions on moving off the deprecated workflow of using the PUC or pointing to a dynamic version of it. PUC users pointing to latest should transition to 1.17.2 ASAP to avoid similar attacks in the future. ### References https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack

### Impact NPM users of prebid 10.9.2. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. ### Patches 10.10.0 is solved ### References https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack

Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles. At least 37 malicious ads

Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.

The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via `npm install -g interactive-git-checkout`. Resources: * Project's npm package: https://www.npmjs.com/package/interactive-git-checkout ## Command Injection Vulnerability The `interactive-git-checkout` tool is vulnerable to a command injection vulnerability because it passes the branch name to the `git checkout` command using the Node.js child process module's `exec()` function without proper input validation or sanitization. The following vulnerable code snippets demonstrates the issue: ```js const { exec: execCb } = require('child_process'); const { promisify } = require('util'); const exec = promisify(execCb); module.exports = async (targetBranch) => { const { stdout, stderr } = await exec(`git checkout ${targetBranch}`); process.st...

### Summary It has been discovered that the middleware functionality in Hoverfly is vulnerable to command injection through its `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. ### Details The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. This issue is born due to combination of three code level flaws: 1. Insufficient Input Validation in [middleware.go line 94-96](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93): ``` func (this *Middleware) SetBinary(binary string) error { this.Binary = binary // No validation of binary parameter here return nil } ``` 2. Unsafe Command Execution in [local_middleware.go line 14-19](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13): ``` var middlewareCommand *exec.Cmd if this.Script == nil { middlewareCommand = exec.Command(this.Binary) // User-controlled b...

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter `requestURL` (derived from the original request target) is directly embedded into an inline `<script>` block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies, depending on the situation in which wabac.js is used. ### Patches The vulnerability is fixed in wabac.js v2.23.11.