#nodejs

The ABB Cylon FLXeon BACnet controller is vulnerable to a path traversal flaw in its capture.js endpoint due to unsanitized user input being directly concatenated into a filesystem path. An attacker can exploit this by supplying crafted file names to access arbitrary files outside the intended var/ directory. Additionally, the use of Fs.unlinkSync() after serving the file introduces a destructive impact, allowing attackers to delete system or application files.

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated file traversal via the /api/siteGuide endpoint. An attacker with valid credentials can manipulate the filename parameter to move and access or overwrite arbitrary files. The issue arises due to improper input validation in siteGuide.js, where user-supplied data is not properly sanitized, allowing directory traversal attacks.

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/siteGuide endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the filename and/or originalname parameters. The issue arises due to improper input validation in siteGuide.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one.

In this week’s newsletter, Thor inspects the LockBit leak, finding $10,000 “security tips,” ransom negotiations gone wrong and a rare glimpse into the human side of cybercrime.

### Impact Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. ### Patches This has been patched in https://github.com/nodejs/undici/pull/4088. ### Workarounds If a webhook fails, avoid keep calling it repeatedly. ### References Reported as: https://github.com/nodejs/undici/issues/3895

Cybersecurity researchers have discovered a malicious package named "os-info-checker-es6" that disguises itself as an operating system information utility to stealthily drop a next-stage payload onto compromised systems. "This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final

Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings.

Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor. "Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's

### Overview This vulnerability allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. ### Am I Affected? You are affected by this SAML Attribute Smuggling vulnerability if you are using `passport-wsfed-saml2` version 4.6.3 or below, specifically under the following conditions: 1. The service provider is using `passport-wsfed-saml2`, 2. A valid SAML Response signed by the Identity Provider can be obtained ### Fix Upgrade to v4.6.4 or greater.