Tag
#nodejs
Red Hat Security Advisory 2024-1688-03 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, denial of service, privilege escalation, and traversal vulnerabilities.
Red Hat Security Advisory 2024-1687-03 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include bypass, denial of service, privilege escalation, and traversal vulnerabilities.
A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by this issue is the function `registerReceiver` of the file `android/src/main/java/ua/kyivstar/reactnativesmsuserconsent/SmsUserConsentModule.kt`. The manipulation leads to improper export of android application components. Attacking locally is a requirement. Upgrading to version 1.1.5 is able to address this issue. The name of the patch is 5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-259508.
By Deeba Ahmed New Byakugan Malware Steals Data, Grants Remote Access & Uses OBS Studio to Spy! Fortinet reveals a phishing campaign distributing Byakugan malware disguised as a PDF. Don't click! Learn how to stay safe. This is a post from HackRead.com Read the original post: Beware the Blur: Phishing Scam Drops Byakugan Malware via Fake PDF
Red Hat Security Advisory 2024-1678-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.
### Impact If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered. ### Patches Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1. ### Workarounds Ensure that `integrity` cannot be tampered with. ### References https://hackerone.com/reports/2377760
### Impact Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. ### Patches This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1. ### Workarounds use `fetch()` or disable `maxRedirections`. ### References Linzi Shang reported this. * https://hackerone.com/reports/2408074 * https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
Red Hat Security Advisory 2024-1503-03 - An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service and privilege escalation vulnerabilities.
By Waqas Critical Backdoor Alert! Patch XZ Utils Now (CVE-2024-3094) & Secure Your Linux System. Learn how a hidden backdoor… This is a post from HackRead.com Read the original post: Backdoor Discovered in XZ Utils: Patch Your Systems Now (CVE-2024-3094)
### Impact Versions from 1.2.0 to 1.3.1 of Astro-Shield allow to bypass the allow-lists for cross-origin resources by introducing valid `integrity` attributes to the injected code. This implies that the injected SRI hash would be added to the generated CSP header, which would lead the browser to believe that the injected resource is legit. To exploit this vulnerability, the attacker needs to first inject code into the rendered pages by exploiting other not-related potential vulnerabilities. ### Patches Version [1.3.2](https://github.com/kindspells/astro-shield/releases/tag/1.3.2) provides a patch. ### Workarounds - To not use the middleware functionality of Astro-Shield. - To use the middleware functionality of Astro-Shield ONLY for content that cannot be controlled in any way by external users. ### References _Are there any links users can visit to find out more?_