Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
Strapi may leak sensitive user information, user reset password, tokens via content-manager views
GHSA-v8gg-4mq2-88q4 CVE-2023-36472 MODERATE about 2 years ago
### Summary
I can get access to user reset password tokens if I have the configure view permissions if they are passed incorrectly (with ...
npm · 24 Dependabot PRs (12% merged)
Command Injection Vulnerability in find-exec
GHSA-95rp-6gqp-6622 CVE-2023-40582 CRITICAL over 2 years ago
Older versions of the package are vulnerable to Command Injection as an attacker controlled parameter. As a result, attackers may run malicious com...
npm
No PRs yet
Username enumeration attack in goauthentik
GHSA-vmf9-6pcv-xr87 CVE-2023-39522 MODERATE over 2 years ago
## Summary
Using a recovery flow with an identification stage an attacker is able to determine if a username exists.
## Impact
Only setups configu...
npm
No PRs yet
@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS
GHSA-hpx4-r86g-5jrg CVE-2023-26364 MODERATE over 2 years ago
### Impact
@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of s...
npm · 224 Dependabot PRs (14% merged)
MathJax Regular expression Denial of Service (ReDoS)
GHSA-v638-q856-grg8 CVE-2023-39663 HIGH over 2 years ago
Mathjax up to v2.7.9 was discovered to contain two Regular expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the components pa...
npm
No PRs yet
MongoDB Driver may publish events containing authentication-related data
GHSA-vxvm-qww3-2fh7 CVE-2021-32050 MODERATE over 2 years ago
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The ...
npm
packagist
No PRs yet
Cleartext Signed Message Signature Spoofing in openpgp
GHSA-ch3c-v47x-4pgp CVE-2023-41037 MODERATE over 2 years ago
### Impact
OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools:
```
--...
npm · 10 Dependabot PRs (20% merged)
@webiny/react-rich-text-renderer vulnerable to insecure rendering of rich text content
GHSA-3x59-vrmc-5mx6 CVE-2023-41167 MODERATE over 2 years ago
## Overview
`@webiny/react-rich-text-renderer` is a react component to render data coming from Webiny Headless CMS and Webiny Form Builder. The `@w...
npm
No PRs yet
Minimal `basti` IAM Policy Allows Shell Access
GHSA-q4pp-j36h-3gqg LOW over 2 years ago
### Summary
The provided Minimal IAM Policy for `bastic connect` does not include `ssm:SessionDocumentAccessCheck`. This results in the ability to...
npm
No PRs yet
webui-aria2 Path Traversal vulnerability
GHSA-crv8-r5wq-gv2w CVE-2023-39141 HIGH over 2 years ago
webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability.
npm
No PRs yet
Shescape on Windows escaping may be bypassed in threaded context
GHSA-j55r-787p-m549 CVE-2023-40185 HIGH over 2 years ago
### Impact
This may impact users that use Shescape on Windows in a threaded context (e.g. using [Worker threads](https://nodejs.org/api/worker_thr...
npm
No PRs yet
@node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError
GHSA-vx8m-6fhw-pccw CVE-2023-40178 MODERATE over 2 years ago
### Summary
The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past th...
npm · 7 Dependabot PRs (14% merged)
tree-kit Prototype Pollution vulnerability
GHSA-5p42-m6f3-hpmj CVE-2023-38894 CRITICAL over 2 years ago
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function.
npm
No PRs yet
@excalidraw/excalidraw Cross-site Scripting vulnerability
GHSA-v7v8-gjv7-ffmr CVE-2023-26140 MODERATE over 2 years ago
### Impact
XSS vulnerability due to improperly sanitizing URLs of links that can be attached on canvas elements. This affects users of the npm pac...
npm
No PRs yet
Ghost vulnerable to arbitrary file read via symlinks in content import
GHSA-9c9v-w225-v5rg CVE-2023-40028 MODERATE over 2 years ago
### Impact
A vulnerability in Ghost allows authenticated users to upload files which are symlinks. This can be exploited to perform an arbitrary f...
npm
No PRs yet
When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible
GHSA-9cvc-v7wm-992c CVE-2023-40027 MODERATE over 2 years ago
### Summary
When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible, that is to say, no session is required ...
npm
No PRs yet
external-svg-loader Cross-site Scripting vulnerability
GHSA-xc2r-jf2x-gjr8 CVE-2023-40013 CRITICAL over 2 years ago
### Summary
According to the [docs](https://github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript), svg-loader will strip all JS code bef...
npm
No PRs yet
Svelecte item names vulnerable to execution of arbitrary JavaScript
GHSA-7h45-grc5-89wq CVE-2023-38687 MODERATE over 2 years ago
### Summary
Svelecte item names are rendered as raw HTML with no escaping. This allows the injection of arbitrary HTML into the Svelecte dropdown....
npm
No PRs yet
OpenZeppelin Contracts vulnerable to Improper Escaping of Output
GHSA-g4vp-m682-qqmp CVE-2023-40014 MODERATE over 2 years ago
### Impact
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contra...
npm · 92 Dependabot PRs (7% merged)
Critters Cross-site Scripting Vulnerability
GHSA-cx3j-qqxj-9597 CVE-2023-3481 MODERATE over 2 years ago
### Impact
Critters version 0.0.17-0.0.19 have an issue when parsing the HTML which leads to a potential [cross-site scripting (XSS)](https://owasp...
npm
No PRs yet
Margox Braft-Editor Cross-site Scripting Vulnerability
GHSA-jfrf-vv54-j2jg CVE-2021-27524 MODERATE over 2 years ago
Cross Site Scripting (XSS) vulnerability in margox braft-editor version 2.3.8, allows remote attackers to execute arbitrary code via the embed medi...
npm
No PRs yet
MrSwitch hello.js vulnerable to prototype pollution
GHSA-g3vf-47fv-8f3c CVE-2021-26505 CRITICAL over 2 years ago
A prototype pollution vulnerability in MrSwitch hello.js prior to version 1.18.8 allows remote attackers to execute arbitrary code via `hello.utils...
npm
No PRs yet
SUCHMOKUO node-worker-threads-pool denial of service Vulnerability
GHSA-7vxc-q7rv-qfj8 CVE-2021-29057 MODERATE over 2 years ago
An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3 that allows attackers to cause a denial of service.
This...
npm
No PRs yet
Unsanitized user controlled input in module generation
GHSA-f8pq-3926-8gx5 HIGH over 2 years ago
## Impact
The `import-in-the-middle` loader used by `@opentelemetry/instrumentation` works by generating a wrapper module on the fly. The wrapper ...
npm
No PRs yet
SES's dynamic import and spread operator provides possible path to arbitrary exfiltration and execution
GHSA-9c4h-3f7h-322r CVE-2023-39532 CRITICAL over 2 years ago
### Impact
This is a hole in the confinement of guest applications under SES that may manifest as either the ability to exfiltrate information or ...
npm
No PRs yet
Angular critical CSS inlining Cross-site Scripting Vulnerability Advisory
GHSA-r3hf-q8q7-fv2p HIGH over 2 years ago
### Impact
Angular Universal applications on 16.1.0 and 16.1.1 using critical CSS inlining are vulnerable to a [cross-site scripting (XSS)](https:/...
npm
No PRs yet
import-in-the-middle has unsanitized user controlled input in module generation
GHSA-5r27-rw8r-7967 CVE-2023-38704 HIGH over 2 years ago
### Impact
The `import-in-the-middle` loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the ori...
npm · 5 Dependabot PRs (40% merged)
matrix-appservice-irc IRC command injection via admin commands containing newlines
GHSA-3pmj-jqqp-2mj3 CVE-2023-38690 MODERATE over 2 years ago
### Impact
It is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands...
npm
No PRs yet
matrix-appservice-bridge doesn't verify the sub parameter of an openId token exchange, allowing unauthorized access to provisioning APIs
GHSA-vc7j-h8xg-fv5x CVE-2023-38691 MODERATE over 2 years ago
### Impact
A malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the...
npm
No PRs yet
matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms
GHSA-c7hh-3v6c-fj4q CVE-2023-38700 LOW over 2 years ago
### Impact
It was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required kno...
npm
No PRs yet
Soketi was exposed to Sandbox Escape vulnerability via vm2
GHSA-g6w6-h933-4rc5 CRITICAL over 2 years ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
Anyone who might have used Soketi with the `cluster` driver (or through PM2).
### ...
npm
No PRs yet
Cloudflare Wrangler directory traversal vulnerability
GHSA-8c93-4hch-xgxp CVE-2023-3348 MODERATE over 2 years ago
### Impact
The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running...
npm
No PRs yet
.eth registrar controller can shorten the duration of registered names
GHSA-rrxv-q8m4-wch3 CVE-2023-38698 MODERATE over 2 years ago
### Description
According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they...
npm
No PRs yet
pnpm incorrectly parses tar archives relative to specification
GHSA-5r98-f33j-g8h7 CVE-2023-37478 HIGH over 2 years ago
### Summary
It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is ma...
npm · 4 Dependabot PRs
@simonsmith/cypress-image-snapshot has fix for insecure snapshot file names
GHSA-vxjg-hchx-cc4g CVE-2023-38695 MODERATE over 2 years ago
### Impact
It's possible for a user to pass a relative file path for the snapshot name and reach outside of the project directory into the machine ...
npm
No PRs yet
underscore-keypath vulnerable to Prototype Pollution
GHSA-gpvc-mx6g-cchv CVE-2023-26139 HIGH over 2 years ago
Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the `setProperty()` function....
npm
No PRs yet
Anyone with a share link can RESET all website data in Umami
GHSA-8www-cffh-4q98 CRITICAL over 2 years ago
### Summary
Anyone with a share link (permissions to view) can reset the website data.
### Details
When a user navigates to a `/share/` URL, he re...
npm
No PRs yet
Unsafe plugins can be installed via pack import by tenant admins
GHSA-wxf3-4fvj-vqqx HIGH over 2 years ago
### Summary
Unsafe plugins (for instance `sql-list`) can be installed in subdomain tenants via pack import even if unsafe plugin installation for t...
npm
No PRs yet
DoS vulnerability for apps with sockets enabled
GHSA-gpw9-fwm8-7rx7 CVE-2023-38504 HIGH over 2 years ago
### Impact
In Sails apps <=v1.5.6, an attacker can send a virtual request that will cause the node process to crash.
### Patches
This behavior wa...
npm
No PRs yet
Incorrect Permission Checking for GraphQL Subscriptions
GHSA-gggm-66rh-pp98 CVE-2023-38503 MODERATE over 2 years ago
### Summary
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Access to information you should not have access to when the permi...
npm
No PRs yet
Unintentional leakage of private information via cross-origin websocket session hijacking
GHSA-4qcv-qf38-5j3j CVE-2023-2850 MODERATE over 2 years ago
### Impact
Private messages or posts might be leaked to third parties if the victim opens the attacker's site while browsing nodebb.
### Patches
* Pa...
npm
No PRs yet
Leaking sensitive user information still possible by filtering on private with prefix fields
GHSA-9xg4-3qfm-9w8f CVE-2023-34235 HIGH over 2 years ago
### Summary
Still able to leak private fields if using the t(number) prefix
### Details
Knex query allows you to change their default prefix
```...
npm
No PRs yet