Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,842 Total Advisories
1,805 With Dependabot PRs
3,510 Critical Severity
8,633 High Severity
.eth registrar controller can shorten the duration of registered names
GHSA-rrxv-q8m4-wch3 CVE-2023-38698 MODERATE over 2 years ago
### Description
According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they...
npm
No PRs yet
pnpm incorrectly parses tar archives relative to specification
GHSA-5r98-f33j-g8h7 CVE-2023-37478 HIGH over 2 years ago
### Summary
It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is ma...
npm
4 Dependabot PRs
@simonsmith/cypress-image-snapshot has fix for insecure snapshot file names
GHSA-vxjg-hchx-cc4g CVE-2023-38695 MODERATE over 2 years ago
### Impact
It's possible for a user to pass a relative file path for the snapshot name and reach outside of the project directory into the machine ...
npm
No PRs yet
underscore-keypath vulnerable to Prototype Pollution
GHSA-gpvc-mx6g-cchv CVE-2023-26139 HIGH over 2 years ago
Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the `setProperty()` function....
npm
No PRs yet
Anyone with a share link can RESET all website data in Umami
GHSA-8www-cffh-4q98 CRITICAL over 2 years ago
### Summary
Anyone with a share link (permissions to view) can reset the website data.
### Details
When a user navigates to a `/share/` URL, he re...
npm
No PRs yet
Unsafe plugins can be installed via pack import by tenant admins
GHSA-wxf3-4fvj-vqqx HIGH over 2 years ago
### Summary
Unsafe plugins (for instance `sql-list`) can be installed in subdomain tenants via pack import even if unsafe plugin installation for t...
npm
No PRs yet
DoS vulnerability for apps with sockets enabled
GHSA-gpw9-fwm8-7rx7 CVE-2023-38504 HIGH over 2 years ago
### Impact
In Sails apps <=v1.5.6, an attacker can send a virtual request that will cause the node process to crash.
### Patches
This behavior wa...
npm
No PRs yet
Incorrect Permission Checking for GraphQL Subscriptions
GHSA-gggm-66rh-pp98 CVE-2023-38503 MODERATE over 2 years ago
### Summary
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Access to information you should not have access to when the permi...
npm
No PRs yet
Unintentional leakage of private information via cross-origin websocket session hijacking
GHSA-4qcv-qf38-5j3j CVE-2023-2850 MODERATE over 2 years ago
### Impact
Private messages or posts might be leaked to third parties if the victim opens the attacker's site while browsing nodebb.
### Patches
* Pa...
npm
No PRs yet
Leaking sensitive user information still possible by filtering on private with prefix fields
GHSA-9xg4-3qfm-9w8f CVE-2023-34235 HIGH over 2 years ago
### Summary
Still able to leak private fields if using the t(number) prefix
### Details
Knex query allows you to change their default prefix
```...
npm
No PRs yet
Making all attributes on a content-type public without noticing it
GHSA-chmr-rg2f-9jmf CVE-2023-34093 MODERATE over 2 years ago
### Summary
Anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it.
### Details
When deal...
npm
No PRs yet
Path traversal and code execution via prototype vulnerability
GHSA-vh2g-6c4x-5hmp CVE-2023-26045 CRITICAL over 2 years ago
### Impact
Due to the use of the [object destructuring assignment](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Dest...
npm
No PRs yet
Feathers socket handler allows abusing implicit toString
GHSA-hhr9-rh25-hvf9 CVE-2023-37899 HIGH over 2 years ago
### Impact
Feathers socket handler did not catch invalid string conversion errors like:
```ts
const message = `${{ toString: '' }}`
```
Causing ...
npm
No PRs yet
matrix-react-sdk vulnerable to XSS in Export Chat feature
GHSA-c9vx-2g7w-rp65 CVE-2023-37259 MODERATE over 2 years ago
### Description
The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leadi...
npm
No PRs yet
Mongoose Prototype Pollution vulnerability
GHSA-9m93-w8w6-76hh CVE-2023-3696 CRITICAL over 2 years ago
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
npm
No PRs yet
layui vulnerable to cross-site scripting
GHSA-hx4h-676r-j3qp CVE-2023-3691 MODERATE over 2 years ago
A vulnerability, which was classified as problematic, was found in layui up to v2.8.0-rc.16. This affects an unknown part of the component HTML Att...
npm
No PRs yet
CleverTap Cordova plugin vulnerable to Cross-site Scripting
GHSA-x2ph-qqwm-9cc6 CVE-2023-2507 CRITICAL over 2 years ago
CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constr...
npm
No PRs yet
webmention.js Cross-site Scripting vulnerability
GHSA-r54g-4qq6-chxg CVE-2023-3672 HIGH over 2 years ago
webmention.js prior to 0.5.5 is vulnerable to cross-site scripting.
npm
No PRs yet
vm2 Sandbox Escape vulnerability
GHSA-cchq-frgv-rjh5 CVE-2023-37466 CRITICAL over 2 years ago
In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code.
...
npm
No PRs yet
vm2 Sandbox Escape vulnerability
GHSA-g644-9gfx-q4q4 CVE-2023-37903 CRITICAL over 2 years ago
In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.
### Impact
Remote...
npm
No PRs yet
Vendure Cross Site Request Forgery vulnerability impacting all API requests
GHSA-h9wq-xcqx-mqxm LOW over 2 years ago
### Impact
Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the Cookie settings a...
npm
No PRs yet
tarteaucitron.js vulnerable to Cross-site Scripting
GHSA-f44m-65h3-99vc CVE-2023-3620 MODERATE over 2 years ago
Cross-site Scripting (XSS) - Stored in GitHub repository amauric/tarteaucitron.js prior to v1.13.1.
npm
No PRs yet
ckeditor-wordcount-plugin vulnerable to Cross-site Scripting in Source Mode of Editor
GHSA-q9w4-w667-qqj4 CVE-2023-37905 MODERATE over 2 years ago
### Problem
It has been discovered that the `ckeditor-wordcount-plugin` plugin for CKEditor4 is susceptible to cross-site scripting when switching...
npm
No PRs yet
sweetalert2 contains potentially undesirable behavior
GHSA-mrr8-v49w-3333 LOW over 2 years ago
`sweetalert2` versions from 11.6.14 to before 11.22.4 have potentially undesirable behavior. The package outputs audio and/or video messages that d...
npm
No PRs yet
is_js vulnerable to Regular Expression Denial of Service
GHSA-pvrw-g6fx-mcx2 CVE-2020-26302 HIGH over 2 years ago
is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expressio...
npm
No PRs yet
snyk Code Injection vulnerability
GHSA-4vrv-93c7-m92j CVE-2022-24441 HIGH over 2 years ago
The package snyk before 1.1064.0 is vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious ...
npm
No PRs yet
@vendure/admin-ui-plugin authenticated Cross-site Scripting vulnerability
GHSA-gm68-572p-q28r MODERATE over 2 years ago
### Impact
Vendure provides an authorization system with different levels of privileges. For example, an administrator cannot create another admini...
npm
No PRs yet
@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state
GHSA-g8x5-p9qc-cf95 CVE-2023-31999 HIGH over 2 years ago
### Impact
All versions of @fastify/oauth2 used a statically generated `state` parameter at startup time and were used across all requests for all...
npm
No PRs yet
protobufjs Prototype Pollution vulnerability
GHSA-h755-8qp9-cq85 CVE-2023-36665 CRITICAL over 2 years ago
protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A...
npm
9 Dependabot PRs, 25% Merged
tough-cookie Prototype Pollution vulnerability
GHSA-72xf-g2v4-qvf3 CVE-2023-26136 MODERATE over 2 years ago
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in...
npm
9 Dependabot PRs, 22% Merged
llhttp vulnerable to HTTP request smuggling
GHSA-cggh-pq45-6h9x CVE-2023-30589 HIGH over 2 years ago
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Reques...
npm
1 Dependabot PR
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
GHSA-462x-c3jw-7vr6 CVE-2023-36475 CRITICAL over 2 years ago
### Impact
An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.
### Patches
Pre...
npm
No PRs yet
angular-ui-notification Cross-site Scripting vulnerability
GHSA-mrcj-5qxr-vhp2 CVE-2023-34840 MODERATE over 2 years ago
angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 were discovered to contain a cross-site scripting (XSS) vulnerability.
npm
No PRs yet
Joplin Cross-site Scripting vulnerability
GHSA-7grw-xfx6-qhx6 CVE-2023-37298 MODERATE over 2 years ago
Joplin before 2.11.5 allows XSS via a USE element in an SVG document.
npm
No PRs yet
Joplin Cross-site Scripting vulnerability
GHSA-4jjv-p8x9-rrf7 CVE-2023-37299 MODERATE over 2 years ago
Joplin before 2.11.5 allows XSS via an AREA element of an image map.
npm
No PRs yet
flatnest Prototype Pollution vulnerability
GHSA-7px2-3c2p-q4v4 CVE-2023-26135 HIGH over 2 years ago
All versions of the package flatnest are vulnerable to Prototype Pollution via the `nest()` function in `flatnest/nest.js` file.
npm
No PRs yet
git-commit-info vulnerable to Command Injection
GHSA-h42j-mrmp-9369 CVE-2023-26134 HIGH over 2 years ago
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo() fail...
npm
No PRs yet
Shescape potential environment variable exposure on Windows with CMD
GHSA-3g7p-8qhx-mc8r CVE-2023-35931 LOW over 2 years ago
### Impact
This impacts users of Shescape:
1. On Windows using the Windows Command Prompt (i.e. `cmd.exe`), and
2. Using `quote`/`quoteAll` or `es...
npm
No PRs yet
word-wrap vulnerable to Regular Expression Denial of Service
GHSA-j8xg-fqg3-53r7 CVE-2023-26115 MODERATE over 2 years ago
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expres...
npm
1130 Dependabot PRs, 16% Merged
passport-wsfed-saml2 Signature Bypass vulnerability
GHSA-5wrg-8fxp-cx9r HIGH over 2 years ago
## Information
Please note that this is not a new disclosure, and is previously reported in our [SECURITY-NOTICE.md](https://github.com/auth0/passp...
npm
No PRs yet
Backstage Scaffolder plugin has insecure sandbox
GHSA-wg6p-jmpc-xjmr CVE-2023-35926 HIGH over 2 years ago
The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library u...
npm
No PRs yet
passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token
GHSA-77fw-rf4v-vfp9 CVE-2017-16897 HIGH over 2 years ago
## Information
Please note that this is not a new disclosure, and is previously reported in our [SECURITY-NOTICE.md](https://github.com/auth0/passp...
npm
No PRs yet
semver vulnerable to Regular Expression Denial of Service
GHSA-c2qf-rxjj-qqgw CVE-2022-25883 HIGH over 2 years ago
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable t...
npm
161 Dependabot PRs, 15% Merged
When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id
GHSA-7hh3-3x64-v2g9 CVE-2023-35167 MODERATE over 2 years ago
### Impact
If you used the [apiPrefilter](https://remult.dev/docs/ref_entity.html#apiprefilter) option of the `@Entity` decorator, by setting it to...
npm
No PRs yet
AWS CDK EKS overly permissive trust policies
GHSA-rx28-r23p-2qc3 CVE-2023-35165 MODERATE over 2 years ago
If you are using the `eks.Cluster` or `eks.FargateCluster` construct we need you to take action. Other users are not affected and can stop reading....
npm
No PRs yet
OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees
GHSA-wprv-93r4-jj2p CVE-2023-34459 MODERATE over 2 years ago
### Impact
When the `verifyMultiProof`, `verifyMultiProofCalldata`, `processMultiProof`, or `processMultiProofCalldata` functions are in use, it i...
npm
89 Dependabot PRs, 6% Merged
@apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces
GHSA-68jh-rf6x-836f LOW over 2 years ago
### Context
Content Security Policies (CSP) are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnera...
npm
No PRs yet
fast-xml-parser regex vulnerability patch could be improved from a safety perspective
GHSA-gpv5-7x3g-ghjv LOW over 2 years ago
### Summary
This is a comment on https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw and the patches fix...
npm
13 Dependabot PRs, 18% Merged
@keystone-6/auth Open Redirect vulnerability
GHSA-jqxr-vjvv-899m CVE-2023-34247 MODERATE over 2 years ago
### Summary
There is an open redirect in the `@keystone-6/auth` package, where the redirect leading `/` filter can be bypassed.
### Impact
Users m...
npm
No PRs yet
nuxt Code Injection vulnerability
GHSA-gc34-5v43-h7v8 CVE-2023-3224 CRITICAL over 2 years ago
The Nuxt dev server between versions 3.4.0 and 3.4.3 is vulnerable to code injection when it is exposed publicly.
npm
No PRs yet