Tag: #nodejs

GHSA-9hfw-cvf4-5x25: wanEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function

There is a cross-site scripting (XSS) issue in wanEditor via the image upload function in version 4.7.11. This issue has been fixed in version 4.7.12.

Red Hat Security Advisory 2024-3472-03

Red Hat Security Advisory 2024-3472-03 - An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Issues addressed include a denial of service vulnerability.

GHSA-xgwh-cgv9-783v: Ghost allows CSV Injection during member CSV export

Ghost before 5.82.0 allows CSV Injection during a member CSV export.

GHSA-pj27-2xvp-4qxg: @fastify/session reuses destroyed session cookie

### Impact

When restoring the cookie from the session store, the `expires` field is overridden if the `maxAge` field was set. This means a cookie is never correctly detected as expired, and thus expired sessions are not destroyed.

### Patches

Updating to v10.9.0 will solve this.

### Workarounds

None

### References

Publicly reported at: https://github.com/fastify/session/issues/251

Red Hat Security Advisory 2024-2937-03

Red Hat Security Advisory 2024-2937-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.

GHSA-5f97-h2c2-826q: json-schema-ref-parser Prototype Pollution issue

A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the `bundle()`, `parse()`, `resolve()`, `dereference()` functions.

GHSA-g3q2-vcjq-rgrc: Blackprint @blackprint/engine Prototype Pollution issue

A Prototype Pollution issue in Blackprint @blackprint/engine 0.8.12 through 0.9.1 allows an attacker to execute arbitrary code via the `_utils.setDeepProperty` function of `engine.min.js`.

Red Hat Security Advisory 2024-2910-03

Red Hat Security Advisory 2024-2910-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP request smuggling, denial of service, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2024-2853-03

Red Hat Security Advisory 2024-2853-03 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP request smuggling, denial of service, and out of bounds read vulnerabilities.

GHSA-xcp4-62vj-cq3r: @valtimo/components exposes access token to form.io

### Impact

When opening a form in Valtimo, the access token (JWT) of the user is exposed to `api.form.io` via the `x-jwt-token` header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user. This issue is caused by a misconfiguration of the Form.io component.

### Attack requirements

The following conditions have to be met in order to perform this attack:

- An attacker needs to have access to the network traffic on the `api.form.io` domain.
- The content of the `x-jwt-token` header is logged or otherwise available to the attacker.
- An attacker needs to have network access to the Valtimo API.
- An attacker needs to act within the time-to-live of the access token. The default TTL in Keycloak is 5 minutes.

### Patches

Versions 10.8.4, 11.1.6 and 11.2.2 have been patched