We’ve disclosed 3307 vulnerabilities by Snyk Security Researchers
How to fix?
Avoid using all malicious instances of the tukaani-project/xz package.
angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly.
Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the srcset attribute, which allows bypassing the imgSrcSanitizationTrustedUrlList allowlist. Because a srcset value carries several candidate URLs rather than one, an attacker can craft a value in which a candidate points at a domain the allowlist was meant to exclude, and so manipulate the content presented to other users by having the browser retrieve an image from an unintended domain.
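The check a srcset sanitizer has to get right is that every candidate URL, not just the first one or the string as a whole, is resolved and tested against the allowlist, and that any failure rejects the whole attribute (the browser, not the application, decides which candidate it loads). The following is an added example written for this page, not Angular’s own sanitizer or the imgSrcSanitizationTrustedUrlList implementation: it parses a srcset value along the lines of the HTML "parse a srcset attribute" algorithm, resolves each candidate against a document base URL, and accepts only candidates whose origin is on a constructed allowlist (TRUSTED_IMAGE_ORIGINS, the base URL and the sample values are all assumptions). Relative candidates resolve to the document origin, which is accepted only if that origin is allowlisted.

```javascript
// Added example: allowlist-based srcset validation. Not Angular's code.

// Constructed allowlist of origins the application will load images from.
const TRUSTED_IMAGE_ORIGINS = new Set([
  'https://cdn.example.com',
  'https://images.example.com',
]);

// Accepts width descriptors ("400w") and pixel-density descriptors ("1x", "1.5x").
const DESCRIPTOR_RE = /^(\d+w|\d*\.?\d+x)$/;

// Split a srcset value into { url, descriptors } candidates. This follows the
// HTML srcset parsing algorithm closely enough to handle the cases that trip up
// naive comma-splitting: commas inside URLs, candidates without descriptors,
// and parentheses inside descriptors.
function parseSrcset(value) {
  const candidates = [];
  const len = value.length;
  let pos = 0;
  while (pos < len) {
    // Skip leading whitespace and commas.
    while (pos < len && /[\s,]/.test(value[pos])) pos++;
    if (pos >= len) break;
    // The URL is a run of non-whitespace characters.
    let start = pos;
    while (pos < len && !/\s/.test(value[pos])) pos++;
    let url = value.slice(start, pos);
    let descriptors = [];
    if (url.endsWith(',')) {
      // "url," with no descriptors: strip the trailing commas.
      url = url.replace(/,+$/, '');
    } else {
      // Descriptors run until the next comma outside parentheses.
      let depth = 0;
      start = pos;
      while (pos < len) {
        const c = value[pos];
        if (c === '(') depth++;
        else if (c === ')') depth = Math.max(0, depth - 1);
        else if (c === ',' && depth === 0) break;
        pos++;
      }
      descriptors = value.slice(start, pos).trim().split(/\s+/).filter(Boolean);
      if (pos < len) pos++; // consume the separating comma
    }
    candidates.push({ url, descriptors });
  }
  return candidates;
}

// Returns the normalized absolute URL for an acceptable candidate, else null.
// Resolving against the base first means a relative or scheme-less candidate
// cannot smuggle in a scheme or host that the origin check never sees.
function sanitizeCandidateUrl(raw, baseUrl) {
  let u;
  try {
    u = new URL(raw, baseUrl);
  } catch {
    return null; // unparseable: reject
  }
  if (u.protocol !== 'https:') return null;      // no data:, javascript:, http:
  if (u.username || u.password) return null;     // no "trusted@attacker" userinfo tricks
  if (!TRUSTED_IMAGE_ORIGINS.has(u.origin)) return null;
  return u.href;
}

// Validate a whole srcset value. Returns the normalized srcset if every
// candidate is trusted and well-formed, or null if any candidate fails, so no
// untrusted candidate can survive for the browser to pick.
function sanitizeSrcset(value, baseUrl) {
  const candidates = parseSrcset(value);
  if (candidates.length === 0) return null;
  const out = [];
  for (const { url, descriptors } of candidates) {
    const safe = sanitizeCandidateUrl(url, baseUrl);
    if (safe === null) return null;
    if (!descriptors.every((d) => DESCRIPTOR_RE.test(d))) return null;
    out.push([safe, ...descriptors].join(' '));
  }
  return out.join(', ');
}

// Constructed sample values (assumed document base: https://app.example.com/).
const BASE = 'https://app.example.com/';
const GOOD = 'https://cdn.example.com/a.png 1x, https://cdn.example.com/a-2x.png 2x';
const MIXED = 'https://cdn.example.com/a.png 1x, https://attacker.example.net/b.png 2x';
console.log(sanitizeSrcset(GOOD, BASE));   // normalized srcset
console.log(sanitizeSrcset(MIXED, BASE));  // null: one off-list candidate rejects all
```

Note the design choice of rejecting the whole attribute rather than dropping the bad candidate: dropping silently changes what the page renders and hides the attack from logs, whereas a null result lets the caller fall back to a safe default and record the event.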
netfetcher is a malicious package. This package nominally imitates some other popular packages, and downloads and runs malicious Windows executables that install spyware and communicate with C2 servers.
Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to missing TLS hostname verification in the Kafka client configuration. The client checks that the broker's certificate chains to a trusted CA but not that the certificate was issued for the broker it dialed, so an attacker positioned on the network path who holds a valid certificate for any other name can impersonate the broker and intercept or manipulate the data in transit.
Prototype Pollution in dset (npm)
Denial of Service (DoS) in aaptjs (npm)
Prototype Pollution in node-gettext (npm)
Command Injection in aaptjs (npm)
Insecure Randomness in github.com/greenpau/go-authcrunch/pkg/util (golang)
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.