#js

### Summary While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine that the application is running on. ### Details WhoDB allows users to connect to Sqlite3 databases. By default, the databases must be present in `/db/` (or alternatively `./tmp/` if development mode is enabled). Source: https://github.com/clidey/whodb/blob/ba6eb81d0ca40baead74bca58b2567166999d6a6/core/src/plugins/sqlite3/db.go#L14-L20 If no databases are present in the default directory, the UI indicates that the user is unable to open any databases:  The database file is an user-controlled value. This value is used in `.Join()` with the default directory, in order to get the full path of the database file to open. Source: https://github.co...

### Summary An unsafe parsing logic of the URL from markdown can lead to arbitrary JavaScript code due to a bypass to the existing guards around the `javascript:` protocol scheme in the URL. ### Details The parsing logic implement at [https://github.com/nuxt-modules/mdc/blob/main/src/runtime/parser/utils/props.ts#L16](https://github.com/nuxt-modules/mdc/blob/main/src/runtime/parser/utils/props.ts#L16) maintains a deny-list approach to filtering potential malicious payload. It does so by matching protocol schemes like `javascript:` and others. Specifically, this is the code from the mdc library's parser that is not secure enough: ```js export const unsafeLinkPrefix = [ 'javascript:', 'data:text/html', 'vbscript:', 'data:text/javascript', 'data:text/vbscript', 'data:text/css', 'data:text/plain', 'data:text/xml' ] export const validateProp = (attribute: string, value: string) => { if (attribute.startsWith('on')) { return false } if (attribute === 'href' || ...

UAC-0006, a financially motivated threat actor, targets PrivatBank customers with advanced phishing attacks. CloudSEK’s research reveals malicious emails…

A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370.

A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

### Summary While pushing a file via postLocal method if user add javascript code in file parameter that codes can exe in v8go context. ### Details While posting a file via postLocal, any attacker will add javascript codes to file parameter. That parameter content pass to componentSignature method after some validation. After that componentSignature parameter concat with ssrStr parameter. <img width="1145" alt="image" src="https://github.com/user-attachments/assets/a08a3fe5-2fbd-4a05-b93c-2ad127e6ee81" /> Last part of compileSvelte function ssrStr parameter executed in v8go engine. <img width="754" alt="image" src="https://github.com/user-attachments/assets/4e622761-3324-48d6-8264-6dd6e09055af" /> This cause to any one who can post a file also can push javascript code and run it. Thanks to v8go we can't use all javascript metod, if there is no any vulnerability in v8go we can't escape sandbox and can't run dangerous command like opening socket etc. But we can create infinite loop ...

**Product:** Mobile Security Framework (MobSF) **Version:** 4.3.0 **CWE-ID:** CWE-269: Improper Privilege Management **CVSS vector v.4.0:** 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N) **CVSS vector v.3.1:** 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) **Description:** MobSF has a functionality of dividing users by roles. This functionality is not efficient, because any registered user can get API Token with all privileges. **Impact:** Information Disclosure **Vulnerable component:** Code output component (`/source_code`) **Exploitation conditions:** authorized user **Mitigation:** Remove token output in the returned js-script **Researcher:** Egor Filatov (Positive Technologies) ## Research Researcher discovered zero-day vulnerability «Local Privilege Escalation» in Mobile Security Framework (MobSF). To reproduce the vulnerability follow the steps below. • A user with minimal privileges is required, so the administrator must create a user account <img width="215" al...

### Summary Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. ### Details When [`api` option](https://vitest.dev/config/#api) is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46 This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76 ### PoC 1. Open Vitest UI. 2. Access a malicious ...

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/users/password endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the newPassword PUT parameter. The issue arises in users.js, where the new password is hashed and improperly escaped before being passed to ChildProcess.exec() within a usermod command, allowing out of band (blind) command injection.

In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations. This is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10. This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11. Operators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3 which fixes the issue.