We’ve disclosed3392vulnerabilities
by Snyk Security
Researchers
Snyk Vulnerability Database
The leading database for open source vulnerabilities and cloud misconfigurations.
Embedded Malicious Code
Affecting @solana/web3.js package, versions >=1.95.6 <1.95.8
How to fix?
Avoid using all malicious instances of the @solana/web3.js package.
Vulnerabilities from the last week
Heap-based Buffer Overflow
Affects
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow in v8, when processing a very large number of parameters.
Improper Validation of Certificate with Host Mismatch
Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch in components/octoprint, which uses custom Octoprint HTTP sessions. The default ssl parameter configuration uses the value False or None, which causes the SSL verification functionality to run and prevents information exposure. But in the Octoprint integration these default SSLContext settings can be bypassed by passing in use-ssl=true, which results in malicious connections appearing trusted and allowing MitM attacks.
Cross-site Scripting (XSS)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the Resource and Permissions module of the admin console. A privileged user can inject scripts during the creation of a permission.
Recent vulnerabilities disclosed by Snyk
- M
Cross-site Scripting (XSS) in tarteaucitronjs (npm)- C
Remote Code Execution (RCE) in jsonpath-plus (npm)- H
Regular Expression Denial of Service (ReDoS) in parse-duration (npm)- M
Server-side Request Forgery (SSRF) in hackney (hex)- H
Improper Input Validation in spatie/browsershot (composer)
About Snyk
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.
