Latest CVEs tagged #js
CVE-2023-30414: segmentation fault in jerryscript · Issue #5051 · jerryscript-project/jerryscript

Jerryscript commit 1a2c047 was discovered to contain a stack overflow via the component vm_loop at /jerry-core/vm/vm.c.

CVE-2023-30410: jerry crashed while running the following code. · Issue #5052 · jerryscript-project/jerryscript

Jerryscript commit 1a2c047 was discovered to contain a stack overflow via the component ecma_op_function_construct at /operations/ecma-function-object.c.

CVE-2023-30406: Segmentation fault in jerry · Issue #5058 · jerryscript-project/jerryscript

Jerryscript commit 1a2c047 was discovered to contain a segmentation violation via the component ecma_find_named_property at /base/ecma-helpers.c.

CVE-2023-30408: Segmentation fault in jerry · Issue #5057 · jerryscript-project/jerryscript

Jerryscript commit 1a2c047 was discovered to contain a segmentation violation via the component build/bin/jerry.

CVE-2023-30627: Release 10.8.10 · jellyfin/jellyfin-web

jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds.

CVE-2023-27849: Vulnerability-Reports/report.md at 2211ea4712f24d20b7f223fb737910fdfb041edb · omnitaint/Vulnerability-Reports

rails-routes-to-json v1.0.0 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

CVE-2023-27848: Vulnerability-Reports/report.md at 9d65add2bca71ed6d6b2e281ee6790a12504ff8e · omnitaint/Vulnerability-Reports

broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

CVE-2023-29566: GitHub - rona-dinihari/dawnsparks-node-tesseract: Forked from https://github.com/desmondmorris/node-tesseract/ to support tesseract v4.

huedawn-tesseract 0.3.3 and dawnsparks-node-tesseract 0.4.0 to 0.4.1 were discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

CVE-2023-26494: lorawan-stack/index.js at ecdef730f176c02f7c9afce98b0457ae64de5bfc · TheThingsNetwork/lorawan-stack

lorawan-stack is an open source LoRaWAN network server. Prior to version 3.24.1, an open redirect exists on the login page of the lorawan-stack server, allowing an attacker to supply a user-controlled redirect upon sign in. This issue may allow malicious actors to phish users, as users assume they were redirected to the homepage on login. Version 3.24.1 contains a fix.

CVE-2023-26060: PT-2022-04: Cross Site Template Injection (CSTI)

An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.