#js

### Summary import functions are vulnerable. * [importChatflows](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/chatflows/index.ts#L219) * [importTools](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/tools/index.ts#L85) * [importVariables](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/variables/index.ts) ### Details **Authenticated user** can call importChatflows API, import json file such as `AllChatflows.json`. but Due to insufficient validation to chatflow.id in importChatflows API, 2 issues arise. **Issue 1 (Bug Type)** 1. Malicious user creates `AllChatflows.json` file by adding `../` and arbitrary path to the chatflow.id of the json file. ```json { "Chatflows": [ { "id": "../../../../../../apikey", "name": "clickme", "flowData": "{}" } ] } ``` 2. Victim download this file, and import this to flowise. 3. When victim cli...

**Vulnerability type:** Prototype Pollution **Affected Package:** * Product: js-object-utilities * Version: 2.2.0 **Remedy:** Update package to version 2.2.1. **Vulnerability Location(s):** ```js at module.exports (/node_modules/js-object-utilities/dist/set.js:16:29) ``` **Description:** The latest version of `js-object-utilities (2.2.0)`, (previous versions are also affected), is vulnerable to Prototype Pollution through the entry function(s) `lib.set`. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's conte...

# Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System ## Disclaimer This vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports. ## Description A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. The vulnerability exists in the LNURL authentication callback process where the application makes HTTP requests to user-provided callback URLs and follows redirects without proper validation. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library ...

A vulnerability was identified in `tarteaucitron.js`, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as `javascript:alert()`. Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript execution if a user clicked on a malicious link. ## Impact An attacker with high privileges could insert a link exploiting an insecure URL scheme, leading to: - Execution of arbitrary JavaScript code - Theft of sensitive data through phishing attacks - Modification of the user interface behavior ## Fix https://github.com/AmauriC/tarteaucitron.js/commit/2fa1e01023bce2e4b813200600bb1619d56ceb02 The issue was resolved by enforcing strict URL validation, ensuring that they start with `http://` or `https://` before being used.

A vulnerability was identified in `tarteaucitron.js`, where the `addOrUpdate` function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the site's source code or a CMS plugin to manipulate JavaScript object prototypes, leading to potential security risks such as data corruption or unintended code execution. ## Impact An attacker with high privileges could exploit this vulnerability to: - Modify object prototypes, affecting core JavaScript behavior, - Cause application crashes or unexpected behavior, - Potentially introduce further security vulnerabilities depending on the application's architecture. ## Fix https://github.com/AmauriC/tarteaucitron.js/commit/74c354c413ee3f82dff97a15a0a43942887c2b5b The issue was resolved by ensuring that user-controlled inputs cannot modify JavaScript object prototypes.

A vulnerability was identified in `tarteaucitron.js`, where user-controlled inputs for element dimensions (`width` and `height`) were not properly validated. This allowed an attacker with direct access to the site's source code or a CMS plugin to set values like `100%;height:100%;position:fixed;`, potentially covering the entire viewport and facilitating clickjacking attacks. ## Impact An attacker with high privileges could exploit this vulnerability to: - Overlay malicious UI elements on top of legitimate content, - Trick users into interacting with hidden elements (clickjacking), - Disrupt the intended functionality and accessibility of the website. ## Fix https://github.com/AmauriC/tarteaucitron.js/commit/25fcf828aaa55306ddc09cfbac9a6f8f126e2d07 The issue was resolved by enforcing strict validation and sanitization of user-provided CSS values to prevent unintended UI manipulation.

### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.. ### Details #### `.svg` Requests ending with `.svg` are loaded at this line. https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290 By adding `?.svg` with `?.wasm?init` or with `sec-fetch-dest: script` header, the restriction was able to bypass. This bypass is only possible if the file is smaller than [`build.assetsInlineLimit`](https://vite.dev/config/build-options.html#build-assetsinlinelimit) (default: 4kB) and when using Vite 6.0+. #### relative paths The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. `../../`). ### PoC ```bash npm create vite@latest cd vite-project/ npm insta...

### Summary CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') when having Javers selected as Entity Audit Framework ### Details In the following two occurences, user input directly leads to class loading without checking against e.g. a whitelist of allowed classes. This is also known as CWE-470 https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L88 https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L124 So, if an attacker manages to place some malicious classes into the classpath and also has access to these REST interface for calling the mentioned REST endpoints, using these lines of code can lead to unintended remote cod...

Versions of the package expand-object from 0.0.0 to 0.4.2 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__.

Cybersecurity researchers at Jscamblers have uncovered a sophisticated web-skimming campaign targeting online retailers. The campaign utilizes a legacy…