MODERATE

[jszip] Prototype Pollution

This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g proto, toString, etc) results in a returned object with a modified prototype instance.
References

https://nvd.nist.gov/vuln/detail/…

[org.elasticsearch:elasticsearch] Denial of Service in Elasticsearch

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsear…

[@eivifj/dot] Improperly Controlled Modification of Dynamically-Determined Object Attributes in eivindfjeldstad-dot

eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.The function ‘set’ could be tricked into adding or modifying properties of ‘Object.prototype’ using a ‘proto’ payload.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-7639
https…

[@shopify/koa-shopify-auth] Cross-site scripting in koa-shopify-auth

A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the shop parameter on the /shopify/auth/enable_cookies endpoint.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-81…

[joplin] Cross-site Scripting in Joplin

An XSS issue in Joplin desktop allows arbitrary code execution via a malicious HTML embed tag.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-15930
https://github.com/laurent22/joplin/issues/3552
https://github.com/laurent22/joplin/releases/tag/…

[primefaces] Cross-site Scripting in PrimeFaces

An XSS issue was discovered in tooltip/tooltip.js in PrimeTek PrimeFaces 7.0.11. In a web application using PrimeFaces, an attacker can provide JavaScript code in an input field whose data is later used as a tooltip title without any input validation.
…

[google-closure-library] Improper Input Validation in Google Closure Library

A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation — update your library to version v202…

[devise_invitable] Cross-Site Request Forgery (CSRF)

Withdrawn
Affected versions of the package are vulnerable to Cross-Site Request Forgery (CSRF) attacks.
References

https://github.com/scambra/devise_invitable/issues/457
https://github.com/scambra/devise_invitable/commit/d1bb19efca8e35885e1c2f0931d617…

[dojo] Cross-Site Scripting in dojo

Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim’s browser.
Recommendation
Upgrade to versio…

[com.google.guava:guava] Denial of Service in Google Guava

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray c…

トピトピニュース

Featured

[org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown

[baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability

[org.postgresql:postgresql] TemporaryFolder on unix-like systems does not limit access to created files

[com.h2database:h2] Password exposure in H2 Database