Tag
#nodejs
Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "complex and persistent" supply chain attack. "This attack stands out due to the high variability across packages," Phylum said in an analysis published last week. "The attacker has cleverly hidden the malware in the seldom-used 'end' function of
### Impact When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider. ### Reproduction 1. Create a user using a SSO provider `[email protected]`. 2. Try to log-in using the regular login form (or the API) 3. When using a valid email address | **APP** | **API** | | --- | --- | |  |  | 4. When using an invalid email address | **APP** | **API** | | --- | --- | |  | . You can learn more about SSRF attacks via [CWE-918](https://cwe.mitre.org/data/definitions/918.html) ### Details When Fedify makes a request at runtime via the DocLoader [1] [2], the `fetch` API does not first check the URI's to assert that it resolve to a public IP address. Additionally, any downstream software of Fedify that may fetch data from URIs co...
### Impact The fix for GHSA-wm4w-7h2q-3pf7 / [CVE-2024-32000](https://www.cve.org/CVERecord?id=CVE-2024-32000) included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event they're replying to when determining whether or not to include a truncated version of the original event in the IRC message. Since this value is controlled by external entities, a malicious Matrix homeserver joined to a room in which a matrix-appservice-irc bridge instance (before version 2.0.1) is present can fabricate the timestamp with the intent of tricking the bridge into leaking room messages the homeserver should not have access to. ### Patches matrix-appservice-irc 2.0.1 [drops the reliance](https://github.com/matrix-org/matrix-appservice-irc/pull/1804) on `origin_server_ts` when determining whether or not an event should be visible to a user, instead tracking the event timestamps internally. ### Workarounds It's possible t...
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
### Impact This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. ### Patches The algorithm to detect SQL injection has been improved. ### Workarounds None. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r - https://github.com/parse-community/parse-server/pull/9167 (fix for Parse Server 7) - https://github.com/parse-community/parse-server/pull/9168 (fix for Parse Server 6) ### Credits - Smile Thanapattheerakul of Trend Micro (finder) - Manuel Trezza (coordinator)
ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server. "The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms," Trend Micro researchers Ahmed