Security
Headlines
HeadlinesLatestCVEs

Tag

#js

GHSA-jwq7-6j4r-2f92: Prebid.js NPM package briefly compromised

### Impact NPM users of prebid 10.9.2. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. ### Patches 10.10.0 is solved ### References https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack

ghsa
Open in Source
#vulnerability#web#nodejs#js#auth
Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts

Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles. At least 37 malicious ads

GHSA-33vc-wfww-vjfv: jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin

Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.

GHSA-4wcm-7hjf-6xw5: interactive-git-checkout has a Command Injection vulnerability

The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via `npm install -g interactive-git-checkout`. Resources: * Project's npm package: https://www.npmjs.com/package/interactive-git-checkout ## Command Injection Vulnerability The `interactive-git-checkout` tool is vulnerable to a command injection vulnerability because it passes the branch name to the `git checkout` command using the Node.js child process module's `exec()` function without proper input validation or sanitization. The following vulnerable code snippets demonstrates the issue: ```js const { exec: execCb } = require('child_process'); const { promisify } = require('util'); const exec = promisify(execCb); module.exports = async (targetBranch) => { const { stdout, stderr } = await exec(`git checkout ${targetBranch}`); process.st...

GHSA-r4h8-hfp2-ggmf: Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation

### Summary It has been discovered that the middleware functionality in Hoverfly is vulnerable to command injection through its `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. ### Details The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. This issue is born due to combination of three code level flaws: 1. Insufficient Input Validation in [middleware.go line 94-96](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93): ``` func (this *Middleware) SetBinary(binary string) error { this.Binary = binary // No validation of binary parameter here return nil } ``` 2. Unsafe Command Execution in [local_middleware.go line 14-19](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13): ``` var middlewareCommand *exec.Cmd if this.Script == nil { middlewareCommand = exec.Command(this.Binary) // User-controlled b...

GHSA-w765-jm6w-4hhj: Webrecorder packages are vulnerable to XSS through 404 error handling logic

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter `requestURL` (derived from the original request target) is directly embedded into an inline `<script>` block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies, depending on the situation in which wabac.js is used. ### Patches The vulnerability is fixed in wabac.js v2.23.11.

Microsoft Fixes 80 Flaws — Including SMB PrivEsc and Azure CVSS 10.0 Bugs

Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release. Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to

GHSA-6vm5-6jv9-rjpj: MONAI: Unsafe torch usage may lead to arbitrary code execution

### Summary In ```model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)``` in monai/bundle/scripts.py , ```weights_only=True``` is loaded securely. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints. This is a common practice when users want to reduce training time and costs by loading pre-trained models downloaded from platforms like huggingface. Loading a checkpoint containing malicious content can trigger a deserialization vulnerability, leading to code execution. The following proof-of-concept demonstrates the issues that arise when loading insecure checkpoints. ``` import os import tempfile import json import torch from pathlib import Path class MaliciousPayload: def __reduce__(self): return (os.system, ('touch /tmp/hacker2.txt',)) def test_checkpoint_loader_attack(): temp_dir = Path(tempfile.mkdtemp()) checkpoint_file = temp_dir / "m...

GHSA-x6ww-pf9m-m73m: MONAI does not prevent path traversal, potentially leading to arbitrary file writes

### Summary The extractall function ```zip_file.extractall(output_dir)``` is used directly to process compressed files. It is used in many places in the project. When the Zip file containing malicious content is decompressed, it will overwrite the system files. In addition, the project allows the download of the zip content through the link, which increases the scope of exploitation of this vulnerability. When reproducing locally, follow the process below to create a malicious zip file and simulate the process of remotely downloading the zip file. ``` root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# mkdir -p test_bundle root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# echo "malicious content" > test_bundle/malicious.txt root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# cd test_bundle root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# zip -r ../malicious.zip . ../../../../../../etc/passwd adding: malicious.txt (stored 0%) addi...

GHSA-g4jq-h2w9-997c: Vite middleware may serve files starting with the same name with the public directory

### Summary Files starting with the same name with the public directory were served bypassing the `server.fs` settings. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - uses [the public directory feature](https://vite.dev/guide/assets.html#the-public-directory) (enabled by default) - a symlink exists in the public directory ### Details The [servePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L79) function is in charge of serving public files from the server. It returns the [viteServePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L106) function which runs the needed tests and serves the page. The viteSer...