#nodejs

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.9 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation Vendor: Siemens Equipment: SINEC INS Vulnerabilities: Improper Authentication, Out-of-bounds Write, Inefficient Regular Expression Complexity, Excessive Iteration, Reachable Assertion, Uncontrolled Resource Consumption, Improper Input Validation, Improper Check for Unusual or Exceptional Conditions, Memory Allocation with Excessive Size Value, Heap-based Buffer Overflow, Missing Encryption of Sensitive Data, Path Traversal, Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthori...

Companies and organizations need to recognize the importance of investing in engineers who possess both the soft and hard skills required to secure open source software effectively.

A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber. "This incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open source ecosystem, and using readily available

Fixes security vulnerability that allowed for server side code to be executed by a <script> tag ### Impact Consumers of the NPM package `happy-dom` ### Patches The security vulnerability has been patched in v15.10.1 ### Workarounds No easy workarounds to my knowledge ### References [#1585](https://github.com/capricorn86/happy-dom/issues/1585)

An ongoing campaign is targeting npm developers with hundreds of typosquat versions of their legitimate counterparts in an attempt to trick them into running cross-platform malware. The attack is notable for utilizing Ethereum smart contracts for command-and-control (C2) server address distribution, according to independent findings from Checkmarx, Phylum, and Socket published over the past few

IBM Security Verify Access versions prior to 10.0.8 suffer from authentication bypass, reuse of private keys, local privilege escalation, weak settings, outdated libraries, missing password, hardcoded secrets, remote code execution, missing authentication, null pointer dereference, and lack of privilege separation vulnerabilities.

LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library. "On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the company said in a

Red Hat Security Advisory 2024-8546-03 - Red Hat Advanced Cluster Management for Kubernetes 2.9.5 General Availability release images, which fix bugs and update container images.

Red Hat Security Advisory 2024-8533-03 - Multicluster Engine for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images.

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.