#js

# Microsoft Security Advisory CVE-2025-30399 | .NET Remote Code Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by placing files in particular locations, leading to unintended code execution. ## Discussion Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/116495 ## <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 8.0 application running on .NET 8.0.16 or earlier. * Any .NET 9.0 application running on .NET 9.0.5 or earlier. ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any M...

Given this Hurl file: regex.hurl: ``` GET https://foo.com HTTP 200 [Asserts] jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/ ``` When exported to HTML: ``` $ hurlfmt --out html regex.hurl <pre><code class="language-hurl"><span class="hurl-entry"><span class="request"><span class="line"><span class="method">GET</span> <span class="url">https://foo.com</span></span> </span><span class="response"><span class="line"><span class="version">HTTP</span> <span class="number">200</span></span> <span class="line"><span class="section-header">[Asserts]</span></span> <span class="line"><span class="query-type">jsonpath</span> <span class="string">"$.body"</span> <span class="predicate-type">matches</span> <span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span> </span></span><span class="line"></span> </code></pre> ``` The regex literal `/<img src="" onerror="alert('Hi!')">/` is not escaped: `<span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span...

A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.

A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely.

A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue.

A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.6. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

### Summary The 'gitImportSite' functionality obtains a URL string from a POST request and insufficiently validates user input. The ’set_remote’ function later passes this input into ’proc_open’, yielding OS command injection. ### Details The vulnerability exists in the logic of the ’gitImportSite’ function, located in ’Operations.php’. The current implementation only relies on the ’filter_var’ and 'strpos' functions to validate the URL, which is not sufficient to ensure absence of all Bash special characters used for command injection.  #### Affected Resources • Operations.php:2103 gitImportSite() • \<domain\>/\<user\>/system/api/gitImportSite ### PoC To replicate this vulnerability, authenticate and send a POST request to the 'gitImportSite' endpoint with a crafted URL in the JSON data. Note, a valid token needs to be obtained by capturing a request to another API endpoint (such as '...

### Summary In the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL. ### Affected Resources - [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868) - `https://<site>/<user>/system/api/saveNode` ### PoC 1. Set the URL in an iframe pointing to an attacker-controlled server running Responder  2. Once another user visits the site, they are prompted to sign in.  3. If a user inputs credentials, the username and password hash are outputted in Responder.  ### Impact An au...

### Summary An authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). ### Details The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS like in[ HAXCMSSite.php line 1248](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/HAXCMSSite.php#L1248) to resolve and load the content for a given node. I...

### Summary The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a 'script' tag, it does allow the use of other HTML tags to run JavaScript. ### Affected Resources - [Operations.php:258](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L258) `saveManifest()` - [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868) `saveNode()` - `https://<site>/<user>/system/api/saveNode` - `https://<site>/<user>/system/api/saveManifest` ### Impact An authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the sit...