Impact
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
Patches
This problem is patched in 2.29.2, and the patch can be applied to all affected versio…
[github.com/ipfs/go-ipfs] Opened exploitable ports in default docker-compose.yaml in go-ipfs
Impact
Allows admin API access to the IPFS node.
Who?
This affects people running the docker-compose.yaml service in an environment where the docker host is directly attached to a public or untrusted IP. In the vulnerable version, the private API en…
[yourls/yourls] Cross-Site Request Forgery in yourls/yourls
Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-0088
https://github.com/yourls/yourls/commit/1de256d8694b0ec7d4df2ac1d5976d4055e09d59
https://huntr.dev/bounties/…
[craftcms/cms] Cross-site Scripting in craftcms/cms
Craft CMS before 3.7.29 allows cross-site scripting.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-28378
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3729—2022-01-18
https://github.com/craftcms/cms/commit/7ca2b2d2ccecfb524525afc8…
[@rocket.chat/livechat] Cross-site Scripting in @rocket.chat/livechat
A blind self-XSS vulnerability exists in RocketChat LiveChat versions lower than 1.9 that could allow an attacker to trick a victim into pasting malicious code in their chat instance.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-21830
https://hacke…
[org.springframework.cloud:spring-cloud-function-context] Code Injection in Spring Cloud Function
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to…
[consoleme] Use of Externally-Controlled Format String in consoleme
A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-27177
https://github.com/Netflix/security-bulletins/…
[cocoapods-downloader] Command injection in cocoapods-downloader
The package cocoapods-downloader in versions before 1.6.0, and from 1.6.2 before 1.6.3, is vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters ar…
[cocoapods-downloader] Command injection in cocoapods-downloader
The package cocoapods-downloader in versions before 1.6.2 is vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that addi…
[simple-git] Command injection in simple-git
Git-js is a lightweight interface for running git commands in any node.js application. The package simple-git in versions before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack ve…