diff --git "a/CVE-React.csv" "b/CVE-React.csv" new file mode 100644--- /dev/null +++ "b/CVE-React.csv" 
@@ -0,0 +1,134 @@ +"Name","Status","Description","References","Phase","Votes", +CVE-1999-0454;Candidate;A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.;MISC:https://exchange.xforce.ibmcloud.com/vulnerabilities/2048;Proposed (19990728); MODIFY(1) Frech | NOOP(2) Christey, Wall | REJECT(2) Baker, Northcutt +CVE-2002-0956;Candidate;BlackICE Agent 3.1.eal does not always reactivate after a system standby, which could allow remote attackers and local users to bypass intended firewall restrictions.;BID:4950 | URL:http://www.securityfocus.com/bid/4950 | BUGTRAQ:20020606 KPMG-2002019: BlackICE Agent not Firewalling After Standby | URL:http://online.securityfocus.com/archive/1/275710 | VULNWATCH:20020606 [VulnWatch] KPMG-2002019: BlackICE Agent not Firewalling After Standby | URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0090.html | XF:blackice-standby-inactivate(9275) | URL:http://www.iss.net/security_center/static/9275.php;Proposed (20020830); ACCEPT(1) Frech | NOOP(2) Cole, Foat | REVIEWING(1) Wall +CVE-2002-0958;Entry;Cross-site scripting vulnerability in browse.php for PHP(Reactor) 1.2.7 allows remote attackers to execute script as other users via the go parameter in the comments section.;BID:4952 | URL:http://www.securityfocus.com/bid/4952 | BUGTRAQ:20020606 [ARL02-A12] PHP(Reactor) Cross Site Scripting Vulnerability | URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0034.html | CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=91877 | XF:phpreactor-browse-xss(9280) | URL:http://www.iss.net/security_center/static/9280.php;; +CVE-2002-1682;Candidate;NewsReactor 1.0 uses a weak encryption scheme, which could allow local users to decrypt the passwords and gain access to other users' newsgroup accounts.;BID:3927 | URL:http://www.securityfocus.com/bid/3927 | MISC:http://www.securiteam.com/windowsntfocus/5SP0P0K60C.html | 
XF:newsreactor-insecure-password(7968) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/7968;Assigned (20050621);None (candidate not yet proposed) +CVE-2002-2424;Candidate;Cross-site scripting (XSS) vulnerability in PHP(Reactor) 1.2.7 pl1 allows remote attackers to inject arbitrary web script or HTML via Javascript in the style attribute of an HTML tag.;BID:5569 | URL:http://www.securityfocus.com/bid/5569 | BUGTRAQ:20020824 phpReactor - Cross-Site Scripting via STYLE | URL:http://archives.neohapsis.com/archives/bugtraq/2002-08/0262.html | XF:phpreactor-style-xss(9958) | URL:http://www.iss.net/security_center/static/9958.php;Assigned (20071101);None (candidate not yet proposed) +CVE-2006-3983;Candidate;PHP remote file inclusion vulnerability in editprofile.php in php(Reactor) 1.27pl1 allows remote attackers to execute arbitrary PHP code via a URL in the pathtohomedir parameter.;BID:19259 | URL:http://www.securityfocus.com/bid/19259 | EXPLOIT-DB:2095 | URL:https://www.exploit-db.com/exploits/2095 | VUPEN:ADV-2006-3087 | URL:http://www.vupen.com/english/advisories/2006/3087 | XF:phpreactor-editprofile-file-include(28100) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/28100;Assigned (20060804);None (candidate not yet proposed) +CVE-2006-4073;Candidate;Multiple PHP remote file inclusion vulnerabilities in Fabian Hainz phpCC Beta 4.2 allow remote attackers to execute arbitrary PHP code via a URL in the base_dir parameter to (1) login.php, (2) reactivate.php, or (3) register.php.;BID:19376 | URL:http://www.securityfocus.com/bid/19376 | BUGTRAQ:20060806 SolpotCrew Advisory #6 - phpCC - Beta 4.2 (base_dir) Remote File Inclusion | URL:http://www.securityfocus.com/archive/1/442428/100/0/threaded | EXPLOIT-DB:2134 | URL:https://www.exploit-db.com/exploits/2134 | MISC:http://www.solpotcrew.org/adv/solpot-adv-05.txt | VUPEN:ADV-2006-3199 | URL:http://www.vupen.com/english/advisories/2006/3199 | XF:phpcc-login-file-include(28259) | 
URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/28259;Assigned (20060810);None (candidate not yet proposed) +CVE-2007-1568;Candidate;Stack-based buffer overflow in DaanSystems NewsReactor 20070220.21 allows remote attackers to execute arbitrary code via a yEnc (yEncode) encoded article with a long filename.;EXPLOIT-DB:3462 | URL:https://www.exploit-db.com/exploits/3462 | EXPLOIT-DB:3463 | URL:https://www.exploit-db.com/exploits/3463 | OSVDB:34035 | URL:http://osvdb.org/34035 | SECUNIA:24487 | URL:http://secunia.com/advisories/24487 | VUPEN:ADV-2007-0934 | URL:http://www.vupen.com/english/advisories/2007/0934;Assigned (20070321);None (candidate not yet proposed) +CVE-2007-1724;Candidate;"Unspecified vulnerability in ReactOS 0.3.1 has unknown impact and attack vectors, related to a fix for ""dozens of win32k bugs and failures,"" in which the fix itself introduces a vulnerability, possibly related to user-mode and kernel-mode copy failures.";CONFIRM:http://www.reactos.org/wiki/index.php/ChangeLog-0.3.1 | OSVDB:43446 | URL:http://osvdb.org/43446;Assigned (20070327);None (candidate not yet proposed) +CVE-2007-3066;Candidate;"Multiple PHP remote file inclusion vulnerabilities in php(Reactor) 1.2.7 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the pathtohomedir parameter to (1) view.inc.php, (2) users.inc.php, (3) updatecms.inc.php, and (4) polls.inc.php in inc/; and other unspecified files, different vectors than CVE-2006-3983.";BUGTRAQ:20070601 phpreactor <===1.2.7 remote file include | URL:http://www.securityfocus.com/archive/1/470241/100/0/threaded | OSVDB:38375 | URL:http://osvdb.org/38375 | OSVDB:38376 | URL:http://osvdb.org/38376 | OSVDB:38377 | URL:http://osvdb.org/38377 | OSVDB:38378 | URL:http://osvdb.org/38378 | SREASON:2773 | URL:http://securityreason.com/securityalert/2773 | XF:phpreactor-pathtohomedir-file-include(34674) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/34674;Assigned (20070605);None 
(candidate not yet proposed) +CVE-2007-4244;Candidate;PHP remote file inclusion vulnerability in langset.php in J! Reactions (com_jreactions) 1.8.1 and earlier, a Joomla! component, allows remote attackers to execute arbitrary PHP code via a URL in the comPath parameter.;BID:25198 | URL:http://www.securityfocus.com/bid/25198 | BUGTRAQ:20070803 Joomla J! Reactions Component Remote File include Bug | URL:http://www.securityfocus.com/archive/1/475544/100/0/threaded | BUGTRAQ:20070818 Re: Joomla J! Reactions Component Remote File include Bug | URL:http://www.securityfocus.com/archive/1/477144/100/0/threaded | BUGTRAQ:20070820 Re: Re: Joomla J! Reactions Component Remote File include Bug | URL:http://www.securityfocus.com/archive/1/477245/100/0/threaded | MISC:http://yollubunlar.org/joomla-j-reactions-component-rfi-75.html | SREASON:2984 | URL:http://securityreason.com/securityalert/2984 | XF:jreactions-langset-file-include(35808) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/35808;Assigned (20070808);None (candidate not yet proposed) +CVE-2007-4844;Candidate;"X-Diesel Unreal Commander 0.92 build 565 and 573 does not properly react to an FTP server's behavior after sending a ""CWD /"" command, which allows remote FTP servers to cause a denial of service (infinite loop) by (1) repeatedly sending a 550 error response, or (2) sending a 550 error response and then disconnecting.";BID:25583 | URL:http://www.securityfocus.com/bid/25583 | BUGTRAQ:20070906 [HISPASEC] 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573) multiple FTP-based vulnerabilities | URL:http://www.securityfocus.com/archive/1/478728/100/0/threaded | MISC:http://blog.hispasec.com/lab/advisories/adv_UnrealCommander_0_92_build_573_Multiple_FTP_Based_Vulnerabilities.txt | OSVDB:39616 | URL:http://osvdb.org/39616 | SREASON:3125 | URL:http://securityreason.com/securityalert/3125 | XF:unrealcommander-ftp-dos(36488) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/36488;Assigned 
(20070912);None (candidate not yet proposed) +CVE-2007-4949;Candidate;** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in php(Reactor) 1.2.7pl1 allow remote attackers to execute arbitrary PHP code via a URL in the pathtohomedir parameter to (1) ekilat.com-int.tpl.php, (2) phpreactor.org-top.tpl.php, or (3) ekilat.com-top.tpl.php in examples/. NOTE: this issue has been disputed by CVE, since the vulnerability is present only when the product is incorrectly installed by placing examples/ under the web root.;MISC:http://arfis.wordpress.com/2007/09/14/rfi-03-phpreactor/ | OSVDB:43139 | URL:http://osvdb.org/43139;Assigned (20070918);None (candidate not yet proposed) +CVE-2008-3851;Candidate;"Multiple directory traversal vulnerabilities in Pluck CMS 4.5.2 on Windows allow remote attackers to include and execute arbitrary local files via a ..\ (dot dot backslash) in the (1) blogpost, (2) cat, and (3) file parameters to data/inc/themes/predefined_variables.php, as reachable through index.php; and the (4) blogpost and (5) cat parameters to data/inc/blog_include_react.php, as reachable through index.php. 
NOTE: the issue involving vectors 1 through 3 reportedly exists because of an incomplete fix for CVE-2008-3194.";BID:30820 | URL:http://www.securityfocus.com/bid/30820 | BUGTRAQ:20080825 [DSECRG-08-037] Multiple Local File Include Vulnerabilities in Pluck CMS 4.5.2 | URL:http://www.securityfocus.com/archive/1/495706/100/0/threaded | CONFIRM:http://www.pluck-cms.org/releasenotes.php#4.5.3 | EXPLOIT-DB:6300 | URL:https://www.exploit-db.com/exploits/6300 | SECUNIA:31607 | URL:http://secunia.com/advisories/31607 | SREASON:4195 | URL:http://securityreason.com/securityalert/4195 | XF:pluck-index-file-include(44677) | URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/44677;Assigned (20080827);None (candidate not yet proposed) +CVE-2010-2446;Candidate;Rbot Reaction plugin allows command execution;MISC:https://security-tracker.debian.org/tracker/CVE-2010-2446 | MISC:https://www.securityfocus.com/archive/1/509719/30/0/threaded;Assigned (20100624);None (candidate not yet proposed) +CVE-2013-4446;Candidate;The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection.;MISC:FEDORA-2013-20942 | URL:http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html | MISC:FEDORA-2013-20965 | URL:http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html | MISC:FEDORA-2013-20976 | URL:http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html | MISC:http://drupalcode.org/project/context.git/commitdiff/63ef4d9 | URL:http://drupalcode.org/project/context.git/commitdiff/63ef4d9 | MISC:http://drupalcode.org/project/context.git/commitdiff/d7b4afa | URL:http://drupalcode.org/project/context.git/commitdiff/d7b4afa | 
MISC:https://drupal.org/node/2112785 | URL:https://drupal.org/node/2112785 | MISC:https://drupal.org/node/2112791 | URL:https://drupal.org/node/2112791 | MISC:https://drupal.org/node/2113317 | URL:https://drupal.org/node/2113317;Assigned (20130612);None (candidate not yet proposed) +CVE-2016-10697;Candidate;react-native-baidu-voice-synthesizer is a baidu voice speech synthesizer for react native. react-native-baidu-voice-synthesizer downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.;MISC:https://nodesecurity.io/advisories/302;Assigned (20171029);None (candidate not yet proposed) +CVE-2016-2166;Candidate;The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.;"BUGTRAQ:20160323 CVE-2016-2166: Apache Qpid Proton python binding silently ignores request for 'amqps' if SSL/TLS not supported | URL:http://www.securityfocus.com/archive/1/537864/100/0/threaded | CONFIRM:http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html | CONFIRM:https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=a058585 | CONFIRM:https://issues.apache.org/jira/browse/PROTON-1157 | FEDORA:FEDORA-2016-e6e8436b98 | URL:http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html | MISC:http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html | MLIST:[qpid-commits] 20190423 [qpid-site] branch asf-site updated: update site content for CVE-2019-0223 | 
URL:https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E";Assigned (20160129);None (candidate not yet proposed) +CVE-2017-1000386;Candidate;Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the 'Build With Parameters' page through the 'Active Choices Reactive Reference Parameter' type. This could include, for example, arbitrary JavaScript. Active Choices now sanitizes the HTML inserted on the 'Build With Parameters' page if and only if the script is executed in a sandbox. As unsandboxed scripts are subject to administrator approval, it is up to the administrator to allow or disallow problematic script output.;BID:101538 | URL:http://www.securityfocus.com/bid/101538 | CONFIRM:https://jenkins.io/security/advisory/2017-10-23/;Assigned (20171129);None (candidate not yet proposed) +CVE-2017-16028;Candidate;react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).;MISC:https://github.com/tableflip/react-native-meteor-oauth/blob/a7eb738b74c469f5db20296b44b7cae4e2337435/src/meteor-oauth.js#L66 | MISC:https://nodesecurity.io/advisories/157;Assigned (20171029);None (candidate not yet proposed) +CVE-2017-7916;Candidate;A Permissions, Privileges, and Access Controls issue was discovered in ABB VSN300 WiFi Logger Card versions 1.8.15 and prior, and VSN300 WiFi Logger Card for React versions 2.1.3 and prior. The web application does not properly restrict privileges of the Guest account. 
A malicious user may be able to gain access to configuration information that should be restricted.;BID:99558 | URL:http://www.securityfocus.com/bid/99558 | MISC:http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1977&LanguageCode=en&DocumentPartId=&Action=Launch | MISC:https://ics-cert.us-cert.gov/advisories/ICSA-17-192-03;Assigned (20170418);None (candidate not yet proposed) +CVE-2017-7920;Candidate;An Improper Authentication issue was discovered in ABB VSN300 WiFi Logger Card versions 1.8.15 and prior, and VSN300 WiFi Logger Card for React versions 2.1.3 and prior. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access internal information about status and connected devices without authenticating.;BID:99558 | URL:http://www.securityfocus.com/bid/99558 | MISC:http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1977&LanguageCode=en&DocumentPartId=&Action=Launch | MISC:https://ics-cert.us-cert.gov/advisories/ICSA-17-192-03;Assigned (20170418);None (candidate not yet proposed) +CVE-2018-6341;Candidate;React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.;MISC:https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html | MISC:https://twitter.com/reactjs/status/1024745321987887104;Assigned (20180126);None (candidate not yet proposed) +CVE-2018-6342;Candidate;react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. 
The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.;MISC:https://github.com/facebook/create-react-app/pull/4866 | MISC:https://github.com/facebook/create-react-app/releases/tag/v1.1.5;Assigned (20180126);None (candidate not yet proposed) +CVE-2018-7197;Candidate;An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL.;MISC:https://github.com/pluck-cms/pluck/issues/47;Assigned (20180217);None (candidate not yet proposed) +CVE-2018-7838;Candidate;A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP CWD command with a data length greater than 1020 bytes. A power cycle is then needed to reactivate the FTP service.;MISC:https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-190-03;Assigned (20180308);None (candidate not yet proposed) +CVE-2019-11284;Candidate;Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. 
A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.;CONFIRM:https://pivotal.io/security/cve-2019-11284;Assigned (20190418);None (candidate not yet proposed) +CVE-2019-12153;Candidate;Lack of validation in the HTML parser in RealObjects PDFreactor before 10.1.10722 leads to SSRF, allowing attackers to access network or file resources on behalf of the server by supplying malicious HTML content.;CONFIRM:https://www.pdfreactor.com/important-pdfreactor-security-advisory/ | CONFIRM:https://www.pdfreactor.com/pdfreactor-10-maintenance-release-10-1-10722-now-available/ | MISC:https://blog.gdssecurity.com/labs/2019/5/28/ssrf-and-xxe-vulnerabilities-in-pdfreactor.html;Assigned (20190517);None (candidate not yet proposed) +CVE-2019-12154;Candidate;XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file contents and/or denial of service conditions.;CONFIRM:https://www.pdfreactor.com/important-pdfreactor-security-advisory/ | CONFIRM:https://www.pdfreactor.com/pdfreactor-10-maintenance-release-10-1-10722-now-available/ | MISC:https://blog.gdssecurity.com/labs/2019/5/28/ssrf-and-xxe-vulnerabilities-in-pdfreactor.html;Assigned (20190517);None (candidate not yet proposed) +CVE-2019-12164;Candidate;ubuntu-server.js in Status React Native Desktop before v0.57.8_mobile_ui allows Remote Code Execution.;CONFIRM:https://github.com/status-im/react-native-desktop/compare/e77167f...7477eef | CONFIRM:https://github.com/status-im/react-native-desktop/pull/475 | CONFIRM:https://github.com/status-im/react-native-desktop/pull/475/commits/f6945f1e4b157c69e414cd94fe5cde1876aabcc1;Assigned (20190517);None (candidate not yet proposed) +CVE-2019-13347;Candidate;"An issue was discovered in the SAML Single Sign On (SSO) plugin for several Atlassian products affecting versions 3.1.0 through 3.2.2 for 
Jira and Confluence, versions 2.4.0 through 3.0.3 for Bitbucket, and versions 2.4.0 through 2.5.2 for Bamboo. It allows locally disabled users to reactivate their accounts just by browsing the affected Jira/Confluence/Bitbucket/Bamboo instance, even when the applicable configuration option of the plugin has been disabled (""Reactivate inactive users""). Exploiting this vulnerability requires an attacker to be authorized by the identity provider and requires that the plugin's configuration option ""User Update Method"" have the ""Update from SAML Attributes"" value.";MISC:https://marketplace.atlassian.com/apps/1212129/saml-single-sign-on-sso-confluence?hosting=server&tab=overview | MISC:https://wiki.resolution.de/doc/saml-sso/latest/all/security-advisories/2019-07-11-users-are-always-re-enabled-during-login-when-updated;Assigned (20190705);None (candidate not yet proposed) +CVE-2019-14261;Candidate;"An issue was discovered on ABUS Secvest FUAA50000 3.01.01 devices. Due to an insufficient implementation of jamming detection, an attacker is able to suppress correctly received RF messages sent between wireless peripheral components, e.g., wireless detectors or remote controls, and the ABUS Secvest alarm central. An attacker is able to perform a ""reactive jamming"" attack. The reactive jamming simply detects the start of a RF message sent by a component of the ABUS Secvest wireless alarm system, for instance a wireless motion detector (FUBW50000) or a remote control (FUBE50014 or FUBE50015), and overlays it with random data before the original RF message ends. Thereby, the receiver (alarm central) is not able to properly decode the original transmitted signal. 
This enables an attacker to suppress correctly received RF messages of the wireless alarm system in an unauthorized manner, for instance status messages sent by a detector indicating an intrusion.";BUGTRAQ:20190730 [SYSS-2019-004]: ABUS Secvest (FUAA50000) - Message Transmission - Unchecked Error Condition (CWE-391) | URL:https://seclists.org/bugtraq/2019/Jul/52 | FULLDISC:20190726 [SYSS-2019-004]: ABUS Secvest (FUAA50000) - Message Transmission - Unchecked Error Condition (CWE-391) (CVE-2019-14261) | URL:http://seclists.org/fulldisclosure/2019/Jul/30 | MISC:http://packetstormsecurity.com/files/153780/ABUS-Secvest-3.01.01-Unchecked-Message-Transmission-Error-Condition.html | MISC:https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-004.txt;Assigned (20190725);None (candidate not yet proposed) +CVE-2019-16770;Candidate;In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.;CONFIRM:https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994 | MLIST:[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update | URL:https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html;Assigned (20190924);None (candidate not yet proposed) +CVE-2019-20902;Candidate;Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. 
The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.;MISC:https://jira.atlassian.com/browse/CWD-5409 | URL:https://jira.atlassian.com/browse/CWD-5409;Assigned (20200707);None (candidate not yet proposed) +CVE-2019-7176;Candidate;An issue was discovered in GitLab Community and Enterprise Edition 8.x (starting in 8.9), 9.x, 10.x, and 11.x before 11.5.9, 11.6.x before 11.6.7, and 11.7.x before 11.7.2. It has Incorrect Access Control. Guest users are able to add reaction emojis on comments to which they have no visibility.;CONFIRM:https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ | CONFIRM:https://gitlab.com/gitlab-org/gitlab-ce/issues/51332;Assigned (20190129);None (candidate not yet proposed) +CVE-2020-12113;Candidate;BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.;MISC:https://github.com/bigbluebutton/bigbluebutton/pull/9017 | MISC:https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.4 | MISC:https://www.sakshamanand.com/cve-2020-12113/;Assigned (20200423);None (candidate not yet proposed) +CVE-2020-12270;Candidate;** DISPUTED ** React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alphanumeric IDs, which might make it easier for remote attackers to interfere with COVID-19 contact tracing by using many IDs. 
NOTE: the vendor disputes the relevance of this report because the recipient of an F1 alert will know it was a false alert if contact-history comparison fails (i.e., an F0 is not actually part of the contact history obtained from the device of this recipient, or this recipient is not actually part of the contact history obtained from the device of an F0).;MISC:https://bluezone.ai/CVE | MISC:https://github.com/BluezoneGlobal/bluezone-app/blob/afa15fcec391f0edc51d0486a4ca84dd2520bbb3/CHANGELOG.md | MISC:https://github.com/BluezoneGlobal/bluezone-app/blob/afa15fcec391f0edc51d0486a4ca84dd2520bbb3/package.json#L27 | MISC:https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/AndroidManifest.xml#L11-L12 | MISC:https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/java/com/scan/BluezonerIdGenerator.java#L18-L28 | MISC:https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/java/com/scan/TraceCovidModule.java#L98 | MISC:https://vnhacker.blogspot.com/2020/04/vietnams-contact-tracing-app_26.html;Assigned (20200427);None (candidate not yet proposed) +CVE-2020-1896;Candidate;A stack overflow vulnerability in Facebook Hermes 'builtin apply' prior to commit 86543ac47e59c522976b5632b8bf9a2a4583c7d2 (https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2) allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. 
Hence, most React Native applications are not affected.;CONFIRM:https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2 | URL:https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2 | CONFIRM:https://www.facebook.com/security/advisories/cve-2020-1896 | URL:https://www.facebook.com/security/advisories/cve-2020-1896;Assigned (20191202);None (candidate not yet proposed) +CVE-2020-1911;Candidate;A type confusion vulnerability when resolving properties of JavaScript objects with specially-crafted prototype chains in Facebook Hermes prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.;CONFIRM:https://github.com/facebook/hermes/commit/fe52854cdf6725c2eaa9e125995da76e6ceb27da | URL:https://github.com/facebook/hermes/commit/fe52854cdf6725c2eaa9e125995da76e6ceb27da | CONFIRM:https://www.facebook.com/security/advisories/cve-2020-1911 | URL:https://www.facebook.com/security/advisories/cve-2020-1911;Assigned (20191202);None (candidate not yet proposed) +CVE-2020-1912;Candidate;An out-of-bounds read/write vulnerability when executing lazily compiled inner generator functions in Facebook Hermes prior to commit 091835377369c8fd5917d9b87acffa721ad2a168 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. 
Hence, most React Native applications are not affected.;CONFIRM:https://github.com/facebook/hermes/commit/091835377369c8fd5917d9b87acffa721ad2a168 | URL:https://github.com/facebook/hermes/commit/091835377369c8fd5917d9b87acffa721ad2a168 | CONFIRM:https://www.facebook.com/security/advisories/cve-2020-1912 | URL:https://www.facebook.com/security/advisories/cve-2020-1912;Assigned (20191202);None (candidate not yet proposed) +CVE-2020-1913;Candidate;An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.;CONFIRM:https://github.com/facebook/hermes/commit/2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 | URL:https://github.com/facebook/hermes/commit/2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 | CONFIRM:https://www.facebook.com/security/advisories/cve-2020-1913 | URL:https://www.facebook.com/security/advisories/cve-2020-1913;Assigned (20191202);None (candidate not yet proposed) +CVE-2020-1914;Candidate;A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. 
Hence, most React Native applications are not affected.;CONFIRM:https://github.com/facebook/hermes/commit/b2021df620824627f5a8c96615edbd1eb7fdddfc | URL:https://github.com/facebook/hermes/commit/b2021df620824627f5a8c96615edbd1eb7fdddfc | CONFIRM:https://www.facebook.com/security/advisories/cve-2020-1914 | URL:https://www.facebook.com/security/advisories/cve-2020-1914;Assigned (20191202);None (candidate not yet proposed) +CVE-2020-1915;Candidate;An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.;CONFIRM:https://github.com/facebook/hermes/commit/8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 | URL:https://github.com/facebook/hermes/commit/8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 | CONFIRM:https://www.facebook.com/security/advisories/cve-2020-1915 | URL:https://www.facebook.com/security/advisories/cve-2020-1915;Assigned (20191202);None (candidate not yet proposed) +CVE-2020-1920;Candidate;A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. 
This was introduced in react-native version 0.59.0 and fixed in version 0.64.1.;CONFIRM:https://github.com/facebook/react-native/releases/tag/v0.64.1 | URL:https://github.com/facebook/react-native/releases/tag/v0.64.1 | MISC:https://github.com/facebook/react-native/commit/ca09ae82715e33c9ac77b3fa55495cf84ba891c7 | URL:https://github.com/facebook/react-native/commit/ca09ae82715e33c9ac77b3fa55495cf84ba891c7;Assigned (20191202);None (candidate not yet proposed) +CVE-2020-2290;Candidate;Jenkins Active Choices Plugin 2.4 and earlier does not escape some return values of sandboxed scripts for Reactive Reference Parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.;MISC:[oss-security] 20201008 Multiple vulnerabilities in Jenkins plugins | URL:http://www.openwall.com/lists/oss-security/2020/10/08/5 | MISC:https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY-2008 | URL:https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY-2008;Assigned (20191205);None (candidate not yet proposed) +CVE-2020-29483;Candidate;"An issue was discovered in Xen through 4.14.x. Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately, this is done by just removing the guest from xenstored's internal management, resulting in the same actions as if the guest had been destroyed, including sending an @releaseDomain event. @releaseDomain events do not say that the guest has been removed. All watchers of this event must look at the states of all guests to find the guest that has been removed. When an @releaseDomain is generated due to a domain xenstored protocol violation, because the guest is still running, the watchers will not react. 
Later, when the guest is actually destroyed, xenstored will no longer have it stored in its internal data base, so no further @releaseDomain event will be sent. This can lead to a zombie domain; memory mappings of that guest's memory will not be removed, due to the missing event. This zombie domain will be cleaned up only after another domain is destroyed, as that will trigger another @releaseDomain event. If the device model of the guest that violated the Xenstore protocol is running in a stub-domain, a use-after-free case could happen in xenstored, after having removed the guest from its internal data base, possibly resulting in a crash of xenstored. A malicious guest can block resources of the host for a period after its own death. Guests with a stub domain device model can eventually crash xenstored, resulting in a more serious denial of service (the prevention of any further domain management operations). Only the C variant of Xenstore is affected; the Ocaml variant is not affected. Only HVM guests with a stubdom device model can cause a serious DoS.";DEBIAN:DSA-4812 | URL:https://www.debian.org/security/2020/dsa-4812 | FEDORA:FEDORA-2020-64859a826b | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/ | FEDORA:FEDORA-2020-df772b417b | URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/ | MISC:https://xenbits.xenproject.org/xsa/advisory-325.txt;Assigned (20201203);None (candidate not yet proposed) +CVE-2020-35473;Candidate;An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. 
RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.;MISC:https://dl.acm.org/doi/10.1145/3548606.3559372 | MISC:https://www.sigsac.org/ccs/CCS2022/proceedings/ccs-proceedings.html;Assigned (20201216);None (candidate not yet proposed) +CVE-2020-5303;Candidate;Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability. Tendermint does not limit the number of P2P connection requests. For each p2p connection, it allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions. Additionally, Tendermint does not reclaim activeID of a peer after it's removed in Mempool reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before AddPeer, which leads to always growing memory (activeIDs map). The activeIDs map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting above denial of service), which ultimately will lead to the node panicking. 
These issues are patched in Tendermint 0.33.3 and 0.32.10.;CONFIRM:https://github.com/tendermint/tendermint/security/advisories/GHSA-v24h-pjjv-mcp6 | URL:https://github.com/tendermint/tendermint/security/advisories/GHSA-v24h-pjjv-mcp6 | MISC:https://github.com/tendermint/tendermint/commit/e2d6859afd7dba4cf97c7f7d412e7d8fc908d1cd | URL:https://github.com/tendermint/tendermint/commit/e2d6859afd7dba4cf97c7f7d412e7d8fc908d1cd | MISC:https://hackerone.com/reports/820317 | URL:https://hackerone.com/reports/820317;Assigned (20200102);None (candidate not yet proposed) +CVE-2020-5403;Candidate;Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response.;CONFIRM:https://pivotal.io/security/cve-2020-5403;Assigned (20200103);None (candidate not yet proposed) +CVE-2020-5404;Candidate;The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.;CONFIRM:https://pivotal.io/security/cve-2020-5404;Assigned (20200103);None (candidate not yet proposed) +CVE-2020-7696;Candidate;"This affects all versions of package react-native-fast-image. 
When an image with source={{uri: ""..."", headers: { host: ""somehost.com"", authorization: ""..."" }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers.";MISC:https://github.com/DylanVann/react-native-fast-image/issues/690 | URL:https://github.com/DylanVann/react-native-fast-image/issues/690 | MISC:https://github.com/DylanVann/react-native-fast-image/pull/691 | URL:https://github.com/DylanVann/react-native-fast-image/pull/691 | MISC:https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228 | URL:https://snyk.io/vuln/SNYK-JS-REACTNATIVEFASTIMAGE-572228;Assigned (20200121);None (candidate not yet proposed) +CVE-2020-7787;Candidate;"This affects all versions of package react-adal. It is possible for a specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic. The logical defect is caused by how the nonce, session and refresh values are stored in the browser local storage or session storage. Each key is automatically appended by ||. When the received nonce and session keys are generated, the list of values is stored in the browser storage, separated by ||, with || always appended to the end of the list. Since || will always be the last 2 characters of the stored values, an empty string ("""") will always be in the list of the valid values. 
Therefore, if an empty session parameter is provided in the callback URL, and a specially-crafted JWT token contains an nonce value of """" (empty string), then adal.js will consider the JWT token as authentic.";MISC:https://github.com/salvoravida/react-adal/pull/115 | URL:https://github.com/salvoravida/react-adal/pull/115 | MISC:https://snyk.io/vuln/SNYK-JS-REACTADAL-1018907 | URL:https://snyk.io/vuln/SNYK-JS-REACTADAL-1018907;Assigned (20200121);None (candidate not yet proposed) +CVE-2021-20328;Candidate;"Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.";MISC:https://jira.mongodb.org/browse/JAVA-4017 | URL:https://jira.mongodb.org/browse/JAVA-4017;Assigned (20201217);None (candidate not yet proposed) +CVE-2021-21271;Candidate;"Tendermint Core is an open source Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine - written in any programming language - and securely replicates it on many machines. Tendermint Core v0.34.0 introduced a new way of handling evidence of misbehavior. As part of this, we added a new Timestamp field to Evidence structs. 
This timestamp would be calculated using the same algorithm that is used when a block is created and proposed. (This algorithm relies on the timestamp of the last commit from this specific block.) In Tendermint Core v0.34.0-v0.34.2, the consensus reactor is responsible for forming DuplicateVoteEvidence whenever double signs are observed. However, the current block is still “in flight” when it is being formed by the consensus reactor. It hasn’t been finalized through network consensus yet. This means that different nodes in the network may observe different “last commits” when assigning a timestamp to DuplicateVoteEvidence. In turn, different nodes could form DuplicateVoteEvidence objects at the same height but with different timestamps. One DuplicateVoteEvidence object (with one timestamp) will then eventually get finalized in the block, but this means that any DuplicateVoteEvidence with a different timestamp is considered invalid. Any node that formed invalid DuplicateVoteEvidence will continue to propose invalid evidence; its peers may see this, and choose to disconnect from this node. This bug means that double signs are DoS vectors in Tendermint Core v0.34.0-v0.34.2. Tendermint Core v0.34.3 is a security release which fixes this bug. As of v0.34.3, DuplicateVoteEvidence is no longer formed by the consensus reactor; rather, the consensus reactor passes the Votes themselves into the EvidencePool, which is now responsible for forming DuplicateVoteEvidence. The EvidencePool has timestamp info that should be consistent across the network, which means that DuplicateVoteEvidence formed in this reactor should have consistent timestamps. 
This release changes the API between the consensus and evidence reactors.";CONFIRM:https://github.com/tendermint/tendermint/security/advisories/GHSA-p658-8693-mhvg | URL:https://github.com/tendermint/tendermint/security/advisories/GHSA-p658-8693-mhvg | MISC:https://github.com/tendermint/tendermint/blob/v0.34.3/CHANGELOG.md#v0.34.3 | URL:https://github.com/tendermint/tendermint/blob/v0.34.3/CHANGELOG.md#v0.34.3 | MISC:https://github.com/tendermint/tendermint/commit/a2a6852ab99e4a0f9e79f0ea8c1726e262e25c76 | URL:https://github.com/tendermint/tendermint/commit/a2a6852ab99e4a0f9e79f0ea8c1726e262e25c76;Assigned (20201222);None (candidate not yet proposed) +CVE-2021-21320;Candidate;matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messages and secrets are not at risk. 
This has been fixed in version 3.15.0.;CONFIRM:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-52mq-6jcv-j79x | URL:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-52mq-6jcv-j79x | MISC:https://github.com/matrix-org/matrix-react-sdk/commit/b386f0c73b95ecbb6ea7f8f79c6ff5171a8dedd1 | URL:https://github.com/matrix-org/matrix-react-sdk/commit/b386f0c73b95ecbb6ea7f8f79c6ff5171a8dedd1 | MISC:https://github.com/matrix-org/matrix-react-sdk/pull/5657 | URL:https://github.com/matrix-org/matrix-react-sdk/pull/5657 | MISC:https://www.npmjs.com/package/matrix-react-sdk | URL:https://www.npmjs.com/package/matrix-react-sdk;Assigned (20201222);None (candidate not yet proposed) +CVE-2021-21699;Candidate;Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.;MISC:[oss-security] 20211112 Multiple vulnerabilities in Jenkins plugins | URL:http://www.openwall.com/lists/oss-security/2021/11/12/1 | MISC:https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2219 | URL:https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2219;Assigned (20210104);None (candidate not yet proposed) +CVE-2021-23398;Candidate;All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. 
The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output.;MISC:https://github.com/AllenFang/react-bootstrap-table/blob/26d07defab759e4f9bce22d1d568690830b8d9d7/src/TableBody.js%23L114-L118 | URL:https://github.com/AllenFang/react-bootstrap-table/blob/26d07defab759e4f9bce22d1d568690830b8d9d7/src/TableBody.js%23L114-L118 | MISC:https://github.com/AllenFang/react-bootstrap-table/issues/2071 | URL:https://github.com/AllenFang/react-bootstrap-table/issues/2071 | MISC:https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314286 | URL:https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314286 | MISC:https://snyk.io/vuln/SNYK-JS-REACTBOOTSTRAPTABLE-1314285 | URL:https://snyk.io/vuln/SNYK-JS-REACTBOOTSTRAPTABLE-1314285;Assigned (20210108);None (candidate not yet proposed) +CVE-2021-24033;Candidate;react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.;CONFIRM:https://www.facebook.com/security/advisories/cve-2021-24033 | URL:https://www.facebook.com/security/advisories/cve-2021-24033 | MISC:https://github.com/facebook/create-react-app/pull/10644 | URL:https://github.com/facebook/create-react-app/pull/10644;Assigned (20210113);None (candidate not yet proposed) +CVE-2021-24037;Candidate;A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript. 
Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.;CONFIRM:https://github.com/facebook/hermes/commit/d86e185e485b6330216dee8e854455c694e3a36e | URL:https://github.com/facebook/hermes/commit/d86e185e485b6330216dee8e854455c694e3a36e | CONFIRM:https://www.facebook.com/security/advisories/CVE-2021-24037 | URL:https://www.facebook.com/security/advisories/CVE-2021-24037;Assigned (20210113);None (candidate not yet proposed) +CVE-2021-24045;Candidate;"A type confusion vulnerability could be triggered when resolving the ""typeof"" unary operator in Facebook Hermes prior to v0.10.0. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.";CONFIRM:https://www.facebook.com/security/advisories/cve-2021-24045 | URL:https://www.facebook.com/security/advisories/cve-2021-24045 | MISC:https://github.com/facebook/hermes/commit/55e1b2343f4deb1a1b5726cfe1e23b2068217ff2 | URL:https://github.com/facebook/hermes/commit/55e1b2343f4deb1a1b5726cfe1e23b2068217ff2;Assigned (20210113);None (candidate not yet proposed) +CVE-2021-24723;Candidate;The WP Reactions Lite WordPress plugin before 1.3.6 does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages.;MISC:https://wpscan.com/vulnerability/0a46ae96-41e5-4b52-91c3-409f7387aecc | URL:https://wpscan.com/vulnerability/0a46ae96-41e5-4b52-91c3-409f7387aecc;Assigned (20210114);None (candidate not yet proposed) +CVE-2021-31712;Candidate;react-draft-wysiwyg (aka React Draft Wysiwyg) before 1.14.6 allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS.;CONFIRM:https://github.com/jpuri/react-draft-wysiwyg/commit/d2faeb612b53f10dff048de7dc57e1f4044b5380 | 
MISC:https://github.com/jpuri/react-draft-wysiwyg/issues/1102 | MISC:https://github.com/jpuri/react-draft-wysiwyg/pull/1104;Assigned (20210423);None (candidate not yet proposed) +CVE-2021-31838;Candidate;A command injection vulnerability in MVISION EDR (MVEDR) prior to 3.4.0 allows an authenticated MVEDR administrator to trigger the EDR client to execute arbitrary commands through PowerShell using the EDR functionality 'execute reaction'.;MISC:https://kc.mcafee.com/corporate/index?page=content&id=SB10342 | URL:https://kc.mcafee.com/corporate/index?page=content&id=SB10342;Assigned (20210427);None (candidate not yet proposed) +CVE-2021-32622;Candidate;Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users. This vulnerability is patched in version 3.21.0.;CONFIRM:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-8796-gc9j-63rv | URL:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-8796-gc9j-63rv | MISC:https://github.com/matrix-org/matrix-react-sdk/pull/5981 | URL:https://github.com/matrix-org/matrix-react-sdk/pull/5981;Assigned (20210512);None (candidate not yet proposed) +CVE-2021-3311;Candidate;An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. 
NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID is known to an attacker.;CONFIRM:https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024 | MISC:https://anisiosantos.me/october-cms-token-reactivation | MISC:https://octobercms.com/forum/chan/announcements;Assigned (20210126);None (candidate not yet proposed) +CVE-2021-37699;Candidate;Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0.;CONFIRM:https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9 | URL:https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9 | MISC:https://github.com/vercel/next.js/releases/tag/v11.1.0 | URL:https://github.com/vercel/next.js/releases/tag/v11.1.0;Assigned (20210729);None (candidate not yet proposed) +CVE-2021-39178;Candidate;Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. 
The vulnerability is patched in Next.js version 11.1.1.;CONFIRM:https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m | URL:https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m | MISC:https://github.com/vercel/next.js/releases/tag/v11.1.1 | URL:https://github.com/vercel/next.js/releases/tag/v11.1.1;Assigned (20210816);None (candidate not yet proposed) +CVE-2021-41129;Candidate;Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token` which is expected to be a 64 character random alpha-numeric string that references a value within the Panel's cache containing a `user_id` value. This value is then used to fetch the user that attempted to login, and lookup their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. 
There are a few different areas of the Panel that store values into the cache that are integers, and a user who determines what those cache keys are could pass one of those keys which would cause this code pathway to reference an arbitrary user. At its heart this is a high-risk login bypass vulnerability. However, there are a few additional conditions that must be met in order for this to be successfully executed, notably: 1.) The account referenced by the malicious cache key must have two-factor authentication enabled. An account without two-factor authentication would cause an exception to be triggered by the authentication logic, thusly exiting this authentication flow. 2.) Even if the malicious user is able to reference a valid cache key that references a valid user account with two-factor authentication, they must provide a valid two-factor authentication token. However, due to the design of this endpoint once a valid user account is found with two-factor authentication enabled there is no rate-limiting present, thusly allowing an attacker to brute force combinations until successful. This leads to a third condition that must be met: 3.) For the duration of this attack sequence the cache key being referenced must continue to exist with a valid `user_id` value. Depending on the specific key being used for this attack, this value may disappear quickly, or be changed by other random user interactions on the Panel, outside the control of the attacker. In order to mitigate this vulnerability the underlying authentication logic was changed to use an encrypted session store that the user is therefore unable to control the value of. This completely removed the use of a user-controlled value being used. 
In addition, the code was audited to ensure this type of vulnerability is not present elsewhere.;CONFIRM:https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4 | URL:https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4 | MISC:https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162 | URL:https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162 | MISC:https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977 | URL:https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977 | MISC:https://github.com/pterodactyl/panel/releases/tag/v1.6.2 | URL:https://github.com/pterodactyl/panel/releases/tag/v1.6.2;Assigned (20210915);None (candidate not yet proposed) +CVE-2021-41140;Candidate;Discourse-reactions is a plugin for the Discourse platform that allows user to add their reactions to the post. In affected versions reactions given by user to secure topics and private messages are visible. This issue is patched in version 0.2 of discourse-reaction. Users who are unable to update are advised to disable the Discourse-reactions plugin in admin panel.;CONFIRM:https://github.com/discourse/discourse-reactions/security/advisories/GHSA-9358-hwg5-jrmh | URL:https://github.com/discourse/discourse-reactions/security/advisories/GHSA-9358-hwg5-jrmh | MISC:https://github.com/discourse/discourse-reactions/commit/213d90b82fd15c4186ebc290fee18817d9727d0d | URL:https://github.com/discourse/discourse-reactions/commit/213d90b82fd15c4186ebc290fee18817d9727d0d;Assigned (20210915);None (candidate not yet proposed) +CVE-2021-41176;Candidate;Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. 
This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed in version 1.6.3.;CONFIRM:https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6 | URL:https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6 | MISC:https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2 | URL:https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2 | MISC:https://github.com/pterodactyl/panel/releases/tag/v1.6.3 | URL:https://github.com/pterodactyl/panel/releases/tag/v1.6.3;Assigned (20210915);None (candidate not yet proposed) +CVE-2021-41249;Candidate;GraphQL Playground is a GraphQL IDE for development of graphQL focused applications. All versions of graphql-playground-react older than graphql-playground-react@1.7.28 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a malicious schema in graphql-playground. There are several ways this can occur, including by specifying the URL to a malicious schema in the endpoint query parameter. If a user clicks on a link to a GraphQL Playground installation that specifies a malicious server, arbitrary JavaScript can run in the user's browser, which can be used to exfiltrate user credentials or other harmful goals. 
If you are using graphql-playground-react directly in your client app, upgrade to version 1.7.28 or later.;CONFIRM:https://github.com/graphql/graphql-playground/security/advisories/GHSA-59r9-6jp6-jcm7 | URL:https://github.com/graphql/graphql-playground/security/advisories/GHSA-59r9-6jp6-jcm7 | MISC:https://github.com/graphql/graphiql/security/advisories/GHSA-x4r7-m2q9-69c8 | URL:https://github.com/graphql/graphiql/security/advisories/GHSA-x4r7-m2q9-69c8 | MISC:https://github.com/graphql/graphql-playground/commit/b8a956006835992f12c46b90384a79ab82bcadad | URL:https://github.com/graphql/graphql-playground/commit/b8a956006835992f12c46b90384a79ab82bcadad;Assigned (20210915);None (candidate not yet proposed) +CVE-2021-41273;Candidate;Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems.;CONFIRM:https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6 | URL:https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6 | MISC:https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5 | URL:https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5;Assigned (20210915);None (candidate not yet proposed) +CVE-2021-43803;Candidate;Next.js is a React framework. 
In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.;CONFIRM:https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx | URL:https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx | MISC:https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264 | URL:https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264 | MISC:https://github.com/vercel/next.js/pull/32080 | URL:https://github.com/vercel/next.js/pull/32080 | MISC:https://github.com/vercel/next.js/releases/tag/v11.1.3 | URL:https://github.com/vercel/next.js/releases/tag/v11.1.3 | MISC:https://github.com/vercel/next.js/releases/v12.0.5 | URL:https://github.com/vercel/next.js/releases/v12.0.5;Assigned (20211116);None (candidate not yet proposed) +CVE-2021-4427;Candidate;The Vuukle Comments, Reactions, Share Bar, Revenue plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.31. This is due to missing or incorrect nonce validation in the /admin/partials/free-comments-for-wordpress-vuukle-admin-display.php file. 
This makes it possible for unauthenticated attackers to edit the plugins settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.;MISC:https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | URL:https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | MISC:https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | URL:https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | MISC:https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | URL:https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | MISC:https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | URL:https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | MISC:https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | URL:https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | MISC:https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | URL:https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | MISC:https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | URL:https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | MISC:https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2553337%40free-comments-for-wordpress-vuukle&new=2553337%40free-comments-for-wordpress-vuukle&sfp_email=&sfph_mail= | URL:https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2553337%40free-comments-for-wordpress-vuukle&new=2553337%40free-comments-for-wordpress-vuukle&sfp_email=&sfph_mail= | 
MISC:https://www.wordfence.com/threat-intel/vulnerabilities/id/ff28f33f-85d1-4987-975b-ee3bbcb394f4?source=cve | URL:https://www.wordfence.com/threat-intel/vulnerabilities/id/ff28f33f-85d1-4987-975b-ee3bbcb394f4?source=cve;Assigned (20230711);None (candidate not yet proposed) +CVE-2022-0981;Candidate;A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended.;MISC:https://bugzilla.redhat.com/show_bug.cgi?id=2062520 | URL:https://bugzilla.redhat.com/show_bug.cgi?id=2062520 | MISC:https://github.com/quarkusio/quarkus/issues/23269 | URL:https://github.com/quarkusio/quarkus/issues/23269;Assigned (20220315);None (candidate not yet proposed) +CVE-2022-21404;Candidate;Vulnerability in the Helidon product of Oracle Fusion Middleware (component: Reactive WebServer). Supported versions that are affected are 1.4.10 and 2.0.0-RC1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Helidon. Successful attacks of this vulnerability can result in takeover of Helidon. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).;MISC:https://www.oracle.com/security-alerts/cpuapr2022.html | URL:https://www.oracle.com/security-alerts/cpuapr2022.html;Assigned (20211115);None (candidate not yet proposed) +CVE-2022-21721;Candidate;Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. 
Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, `next@12.0.9`, that mitigates this issue. As a workaround, one may ensure `/${locale}/_next/` is blocked from reaching the Next.js instance until it becomes feasible to upgrade.;CONFIRM:https://github.com/vercel/next.js/security/advisories/GHSA-wr66-vrwm-5g5x | URL:https://github.com/vercel/next.js/security/advisories/GHSA-wr66-vrwm-5g5x | MISC:https://github.com/vercel/next.js/pull/33503 | URL:https://github.com/vercel/next.js/pull/33503 | MISC:https://github.com/vercel/next.js/releases/tag/v12.0.9 | URL:https://github.com/vercel/next.js/releases/tag/v12.0.9;Assigned (20211116);None (candidate not yet proposed) +CVE-2022-23646;Candidate;Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. 
As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.;CONFIRM:https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj | URL:https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj | MISC:https://github.com/vercel/next.js/pull/34075 | URL:https://github.com/vercel/next.js/pull/34075 | MISC:https://github.com/vercel/next.js/releases/tag/v12.1.0 | URL:https://github.com/vercel/next.js/releases/tag/v12.1.0;Assigned (20220119);None (candidate not yet proposed) +CVE-2022-24373;Candidate;The package react-native-reanimated before 3.0.0-rc.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper usage of regular expression in the parser of Colors.js.;MISC:https://github.com/software-mansion/react-native-reanimated/pull/3382 | URL:https://github.com/software-mansion/react-native-reanimated/pull/3382 | MISC:https://github.com/software-mansion/react-native-reanimated/pull/3382/commits/7adf06d0c59382d884a04be86a96eede3d0432fa | URL:https://github.com/software-mansion/react-native-reanimated/pull/3382/commits/7adf06d0c59382d884a04be86a96eede3d0432fa | MISC:https://github.com/software-mansion/react-native-reanimated/releases/tag/3.0.0-rc.1 | URL:https://github.com/software-mansion/react-native-reanimated/releases/tag/3.0.0-rc.1 | MISC:https://security.snyk.io/vuln/SNYK-JS-REACTNATIVEREANIMATED-2949507 | URL:https://security.snyk.io/vuln/SNYK-JS-REACTNATIVEREANIMATED-2949507;Assigned (20220224);None (candidate not yet proposed) +CVE-2022-24709;Candidate;@awsui/components-react is the main AWS UI package which contains React components, with TypeScript definitions designed for user interface development. Multiple components in versions before 3.0.367 have been found to not properly neutralize user input and may allow for javascript injection. Users are advised to upgrade to version 3.0.367 or later. 
There are no known workarounds for this issue.;CONFIRM:https://github.com/aws/awsui-documentation/security/advisories/GHSA-mf22-92pm-m8p8 | URL:https://github.com/aws/awsui-documentation/security/advisories/GHSA-mf22-92pm-m8p8 | MISC:https://www.npmjs.com/package/@awsui/components-react | URL:https://www.npmjs.com/package/@awsui/components-react;Assigned (20220210);None (candidate not yet proposed) +CVE-2022-24740;Candidate;Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user's account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library.;CONFIRM:https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67 | URL:https://github.com/plone/volto/security/advisories/GHSA-cfhh-xgwq-5r67 | MISC:https://github.com/plone/volto/pull/3051 | URL:https://github.com/plone/volto/pull/3051;Assigned (20220210);None (candidate not yet proposed) +CVE-2022-24815;Candidate;"JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures. SQL Injection vulnerability in entities for applications generated with the option ""reactive with Spring WebFlux"" enabled and an SQL database using r2dbc. Applications created without ""reactive with Spring WebFlux"" and applications with NoSQL databases are not affected. Users who have generated a microservice Gateway using the affected version may be impacted as Gateways are reactive by default. 
Currently, SQL injection is possible in the findAllBy(Pageable pageable, Criteria criteria) method of an entity repository class generated in these applications as the where clause using Criteria for queries are not sanitized and user input is passed on as it is by the criteria. This issue has been patched in v7.8.1. Users unable to upgrade should be careful when combining criterias and conditions as the root of the issue lies in the `EntityManager.java` class when creating the where clause via `Conditions.just(criteria.toString())`. `just` accepts the literal string provided. Criteria's `toString` method returns a plain string and this combination is vulnerable to sql injection as the string is not sanitized and will contain whatever used passed as input using any plain SQL.";CONFIRM:https://github.com/jhipster/generator-jhipster/security/advisories/GHSA-qjmq-8hjr-qcv6 | URL:https://github.com/jhipster/generator-jhipster/security/advisories/GHSA-qjmq-8hjr-qcv6 | MISC:https://github.com/jhipster/generator-jhipster/commit/c220a210fd7742c53eea72bd5fadbb96220faa98 | URL:https://github.com/jhipster/generator-jhipster/commit/c220a210fd7742c53eea72bd5fadbb96220faa98 | MISC:https://github.com/jhipster/generator-jhipster/issues/18269 | URL:https://github.com/jhipster/generator-jhipster/issues/18269;Assigned (20220210);None (candidate not yet proposed) +CVE-2022-25863;Candidate;The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). 
Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.;MISC:https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing | URL:https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing | MISC:https://github.com/gatsbyjs/gatsby/pull/35830 | URL:https://github.com/gatsbyjs/gatsby/pull/35830 | MISC:https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e | URL:https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e | MISC:https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699 | URL:https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699;Assigned (20220224);None (candidate not yet proposed) +CVE-2022-29230;Candidate;Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. 
Additionally, the Content Security Policy is not an effective mitigation for this vulnerability.;CONFIRM:https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f | URL:https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f | MISC:https://github.com/Shopify/hydrogen/pull/1272 | URL:https://github.com/Shopify/hydrogen/pull/1272 | MISC:https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0 | URL:https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0;Assigned (20220413);None (candidate not yet proposed) +CVE-2022-31103;Candidate;lettersanitizer is a DOM-based HTML email sanitizer for in-browser email rendering. All versions of lettersanitizer below 1.0.2 are affected by a denial of service issue when processing a CSS at-rule `@keyframes`. This package is depended on by [react-letter](https://github.com/mat-sz/react-letter), therefore everyone using react-letter is also at risk. The problem has been patched in version 1.0.2.;CONFIRM:https://github.com/mat-sz/lettersanitizer/security/advisories/GHSA-7r3r-gq8p-v9jj | URL:https://github.com/mat-sz/lettersanitizer/security/advisories/GHSA-7r3r-gq8p-v9jj | MISC:https://github.com/mat-sz/lettersanitizer/commit/96d3dfe2ef0465d47324ed4d13e91ba0816a173f | URL:https://github.com/mat-sz/lettersanitizer/commit/96d3dfe2ef0465d47324ed4d13e91ba0816a173f | MISC:https://github.com/mat-sz/react-letter/issues/17 | URL:https://github.com/mat-sz/react-letter/issues/17;Assigned (20220518);None (candidate not yet proposed) +CVE-2022-31684;Candidate;Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. 
This may affect only invalid HTTP requests where logging at WARN level is enabled.;MISC:https://tanzu.vmware.com/security/cve-2022-31684 | URL:https://tanzu.vmware.com/security/cve-2022-31684;Assigned (20220525);None (candidate not yet proposed) +CVE-2022-32234;Candidate;An out of bounds write in hermes, while handling large arrays, prior to commit 06eaec767e376bfdb883d912cb15e987ddf2bda1 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.;CONFIRM:https://github.com/facebook/hermes/commit/06eaec767e376bfdb883d912cb15e987ddf2bda1 | URL:https://github.com/facebook/hermes/commit/06eaec767e376bfdb883d912cb15e987ddf2bda1 | CONFIRM:https://www.facebook.com/security/advisories/CVE-2022-32234 | URL:https://www.facebook.com/security/advisories/CVE-2022-32234;Assigned (20220602);None (candidate not yet proposed) +CVE-2022-35289;Candidate;A write-what-where condition in hermes caused by an integer overflow, prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. 
Hence, most React Native applications are not affected.;CONFIRM:https://github.com/facebook/hermes/commit/5b6255ae049fa4641791e47fad994e8e8c4da374 | URL:https://github.com/facebook/hermes/commit/5b6255ae049fa4641791e47fad994e8e8c4da374 | CONFIRM:https://www.facebook.com/security/advisories/CVE-2022-35289 | URL:https://www.facebook.com/security/advisories/CVE-2022-35289;Assigned (20220706);None (candidate not yet proposed) +CVE-2022-36010;Candidate;"This library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/components/JsonFunctionValue.js). To do this, Javascript's [`eval`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) function is used to execute strings that begin with ""function"" as Javascript. This unfortunately could allow arbitrary code to be executed if it exists as a value within the JSON structure being displayed. Given that this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous. One important note is that users who have defined a custom [`onSubmitValueParser`](https://github.com/oxyno-zeta/react-editable-json-tree/tree/09a0ca97835b0834ad054563e2fddc6f22bc5d8c#onsubmitvalueparser) callback prop on the [`JsonTree`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/JsonTree.js) component should be ***unaffected***. This vulnerability exists in the default `onSubmitValueParser` prop which calls [`parse`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/master/src/utils/parse.js#L30). Prop is added to `JsonTree` called `allowFunctionEvaluation`. This prop will be set to `true` in v2.2.2, which allows upgrade without losing backwards-compatibility. 
In v2.2.2, we switched from using `eval` to using [`Function`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) to construct anonymous functions. This is better than `eval` for the following reasons: - Arbitrary code should not be able to execute immediately, since the `Function` constructor explicitly *only creates* anonymous functions - Functions are created without local closures, so they only have access to the global scope If you use: - **Version `<2.2.2`**, you must upgrade as soon as possible. - **Version `^2.2.2`**, you must explicitly set `JsonTree`'s `allowFunctionEvaluation` prop to `false` to fully mitigate this vulnerability. - **Version `>=3.0.0`**, `allowFunctionEvaluation` is already set to `false` by default, so no further steps are necessary.";CONFIRM:https://github.com/oxyno-zeta/react-editable-json-tree/security/advisories/GHSA-j3rv-w43q-f9x2 | URL:https://github.com/oxyno-zeta/react-editable-json-tree/security/advisories/GHSA-j3rv-w43q-f9x2 | MISC:https://github.com/oxyno-zeta/react-editable-json-tree/releases/tag/2.2.2 | URL:https://github.com/oxyno-zeta/react-editable-json-tree/releases/tag/2.2.2;Assigned (20220715);None (candidate not yet proposed) +CVE-2022-36032;Candidate;ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component versions starting with 0.7.0 and prior to 1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. This issue is fixed in ReactPHP HTTP version 1.7.0. 
As a workaround, Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers.;CONFIRM:https://github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8 | URL:https://github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8 | MISC:https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 | URL:https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 | MISC:https://github.com/reactphp/http/pull/175 | URL:https://github.com/reactphp/http/pull/175 | MISC:https://github.com/reactphp/http/releases/tag/v1.7.0 | URL:https://github.com/reactphp/http/releases/tag/v1.7.0;Assigned (20220715);None (candidate not yet proposed) +CVE-2022-36046;Candidate;Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests.;CONFIRM:https://github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3 | URL:https://github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3 | MISC:https://github.com/vercel/next.js/releases/tag/v12.2.4 | URL:https://github.com/vercel/next.js/releases/tag/v12.2.4;Assigned (20220715);None (candidate not yet proposed) +CVE-2022-36060;Candidate;matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. 
The remainder of the application can appear functional, though certain rooms/events will not be rendered. This issue has been fixed in matrix-react-sdk 3.53.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.;MISC:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-2x9c-qwgf-94xr | URL:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-2x9c-qwgf-94xr;Assigned (20220715);None (candidate not yet proposed) +CVE-2022-39382;Candidate;"Keystone is a headless CMS for Node.js — built with GraphQL and React.`@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being inlined to `""development""` for user code, irrespective of what your environment variables. If you do not use `NODE_ENV` in your user code to trigger security-sensitive functionality, you are not impacted by this vulnerability. Any dependencies that use `NODE_ENV` to trigger particular behaviors (optimizations, security or otherwise) should still respect your environment's configured `NODE_ENV` variable. The application's dependencies, as found in `node_modules` (including `@keystone-6/core`), are typically not compiled as part of this process, and thus should be unaffected. We have tested this assumption by verifying that `NODE_ENV=production yarn keystone start` still uses secure cookies when using `statelessSessions`. 
This vulnerability has been fixed in @keystone-6/core@3.0.2, regression tests have been added for this vulnerability in #8063.";CONFIRM:https://github.com/keystonejs/keystone/security/advisories/GHSA-25mx-2mxm-6343 | URL:https://github.com/keystonejs/keystone/security/advisories/GHSA-25mx-2mxm-6343 | MISC:https://github.com/keystonejs/keystone/pull/8031/ | URL:https://github.com/keystonejs/keystone/pull/8031/ | MISC:https://github.com/keystonejs/keystone/pull/8063 | URL:https://github.com/keystonejs/keystone/pull/8063;Assigned (20220902);None (candidate not yet proposed) +CVE-2022-40138;Candidate;An integer conversion error in Hermes bytecode generation, prior to commit 6aa825e480d48127b480b08d13adf70033237097, could have been used to perform Out-Of-Bounds operations and subsequently execute arbitrary code. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.;CONFIRM:https://github.com/facebook/hermes/commit/6aa825e480d48127b480b08d13adf70033237097 | URL:https://github.com/facebook/hermes/commit/6aa825e480d48127b480b08d13adf70033237097 | CONFIRM:https://www.facebook.com/security/advisories/CVE-2022-40138 | URL:https://www.facebook.com/security/advisories/CVE-2022-40138;Assigned (20220906);None (candidate not yet proposed) +CVE-2022-43285;Candidate;** DISPUTED ** Nginx NJS v0.7.4 was discovered to contain a segmentation violation in njs_promise_reaction_job. 
NOTE: the vendor disputes the significance of this report because NJS does not operate on untrusted input.;MISC:https://github.com/nginx/njs/issues/533;Assigned (20221017);None (candidate not yet proposed) +CVE-2022-45074;Candidate;Cross-Site Request Forgery (CSRF) vulnerability in Paramveer Singh for Arete IT Private Limited Activity Reactions For Buddypress plugin <= 1.0.22 versions.;MISC:https://patchstack.com/database/vulnerability/activity-reactions-for-buddypress/wordpress-activity-reactions-for-buddypress-plugin-1-0-22-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | URL:https://patchstack.com/database/vulnerability/activity-reactions-for-buddypress/wordpress-activity-reactions-for-buddypress-plugin-1-0-22-cross-site-request-forgery-csrf-vulnerability?_s_id=cve;Assigned (20221109);None (candidate not yet proposed) +CVE-2023-0365;Candidate;The React Webcam WordPress plugin through 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.;MISC:https://wpscan.com/vulnerability/d268d7a3-82fd-4444-bc0e-27c7cc279b5a | URL:https://wpscan.com/vulnerability/d268d7a3-82fd-4444-bc0e-27c7cc279b5a;Assigned (20230118);None (candidate not yet proposed) +CVE-2023-0481;Candidate;In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user.;MISC:https://github.com/quarkusio/quarkus/pull/30694 | URL:https://github.com/quarkusio/quarkus/pull/30694;Assigned (20230124);None (candidate not yet proposed) +CVE-2023-21275;Candidate;In decideCancelProvisioningDialog of AdminIntegratedFlowPrepareActivity.java, there is a possible way to bypass factory reset protections due to a logic error in the code. 
This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.;MISC:https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/8277a2a946e617a7ea65056e4cedeb1fecf3a5f5 | URL:https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/8277a2a946e617a7ea65056e4cedeb1fecf3a5f5 | MISC:https://source.android.com/security/bulletin/2023-08-01 | URL:https://source.android.com/security/bulletin/2023-08-01;Assigned (20221103);None (candidate not yet proposed) +CVE-2023-22462;Candidate;"Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin ""Text"". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass though the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on ""Markdown"" or ""HTML"" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. 
This issue has been patched in versions 9.2.10 and 9.3.4.";CONFIRM:https://security.netapp.com/advisory/ntap-20230413-0004/ | MISC:https://github.com/grafana/grafana/commit/db83d5f398caffe35c5846cfa7727d1a2a414165 | URL:https://github.com/grafana/grafana/commit/db83d5f398caffe35c5846cfa7727d1a2a414165 | MISC:https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf | URL:https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf | MISC:https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/ | URL:https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/;Assigned (20221229);None (candidate not yet proposed) +CVE-2023-22491;Candidate;Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL). Injected JavaScript executes in the context of the build server. To exploit this vulnerability untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark. A patch has been introduced in `gatsby-transformer-remark@5.25.1` and `gatsby-transformer-remark@6.3.2` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine. As a workaround, if an older version of `gatsby-transformer-remark` must be used, input passed into the plugin should be sanitized ahead of processing. 
It is encouraged for projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.;MISC:https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-7ch4-rr99-cqcw | URL:https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-7ch4-rr99-cqcw;Assigned (20221229);None (candidate not yet proposed) +CVE-2023-23556;Candidate;An error in BigInt conversion to Number in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 could have been used by a malicious attacker to execute arbitrary code due to an out-of-bound write. Note that this bug is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.;MISC:https://github.com/facebook/hermes/commit/a6dcafe6ded8e61658b40f5699878cd19a481f80 | URL:https://github.com/facebook/hermes/commit/a6dcafe6ded8e61658b40f5699878cd19a481f80 | MISC:https://www.facebook.com/security/advisories/cve-2023-23556 | URL:https://www.facebook.com/security/advisories/cve-2023-23556;Assigned (20230112);None (candidate not yet proposed) +CVE-2023-23557;Candidate;An error in Hermes' algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. 
Hence, most React Native applications are not affected.;MISC:https://github.com/facebook/hermes/commit/a00d237346894c6067a594983be6634f4168c9ad | URL:https://github.com/facebook/hermes/commit/a00d237346894c6067a594983be6634f4168c9ad | MISC:https://www.facebook.com/security/advisories/cve-2023-23557 | URL:https://www.facebook.com/security/advisories/cve-2023-23557;Assigned (20230112);None (candidate not yet proposed) +CVE-2023-24832;Candidate;A null pointer dereference bug in Hermes prior to commit 5cae9f72975cf0e5a62b27fdd8b01f103e198708 could have been used by an attacker to crash an Hermes runtime where the EnableHermesInternal config option was set to true. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.;MISC:https://github.com/facebook/hermes/commit/5cae9f72975cf0e5a62b27fdd8b01f103e198708 | URL:https://github.com/facebook/hermes/commit/5cae9f72975cf0e5a62b27fdd8b01f103e198708 | MISC:https://www.facebook.com/security/advisories/cve-2023-24832 | URL:https://www.facebook.com/security/advisories/cve-2023-24832;Assigned (20230130);None (candidate not yet proposed) +CVE-2023-24833;Candidate;"A use-after-free in BigIntPrimitive addition in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 could have been used by an attacker to leak raw data from Hermes VM’s heap. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. 
Hence, most React Native applications are not affected.";MISC:https://github.com/facebook/hermes/commit/a6dcafe6ded8e61658b40f5699878cd19a481f80 | URL:https://github.com/facebook/hermes/commit/a6dcafe6ded8e61658b40f5699878cd19a481f80 | MISC:https://www.facebook.com/security/advisories/cve-2023-24833 | URL:https://www.facebook.com/security/advisories/cve-2023-24833;Assigned (20230130);None (candidate not yet proposed) +CVE-2023-25572;Candidate;react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `` are affected. `` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn't sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. 
As a workaround, users may replace the `` by a custom field doing sanitization by hand.;MISC:https://github.com/marmelab/react-admin/pull/8644 | URL:https://github.com/marmelab/react-admin/pull/8644 | MISC:https://github.com/marmelab/react-admin/pull/8645 | URL:https://github.com/marmelab/react-admin/pull/8645 | MISC:https://github.com/marmelab/react-admin/releases/tag/v3.19.12 | URL:https://github.com/marmelab/react-admin/releases/tag/v3.19.12 | MISC:https://github.com/marmelab/react-admin/releases/tag/v4.7.6 | URL:https://github.com/marmelab/react-admin/releases/tag/v4.7.6 | MISC:https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v | URL:https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v;Assigned (20230207);None (candidate not yet proposed) +CVE-2023-25933;Candidate;A type confusion bug in TypedArray prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could have been used by a malicious attacker to execute arbitrary code via untrusted JavaScript. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.;MISC:https://github.com/facebook/hermes/commit/e6ed9c1a4b02dc219de1648f44cd808a56171b81 | URL:https://github.com/facebook/hermes/commit/e6ed9c1a4b02dc219de1648f44cd808a56171b81 | MISC:https://www.facebook.com/security/advisories/cve-2023-25933 | URL:https://www.facebook.com/security/advisories/cve-2023-25933;Assigned (20230216);None (candidate not yet proposed) +CVE-2023-26044;Candidate;react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. 
This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests. This issue has been addressed in release 1.9.0. Users are advised to upgrade. Users unable to upgrade may keep the request body limited using RequestBodyBufferMiddleware with a sensible value which should mitigate the issue. An infrastructure or DevOps workaround could be to place a reverse proxy in front of the ReactPHP HTTP server to filter out any excessive HTTP request bodies.;MISC:https://github.com/reactphp/http/commit/9681f764b80c45ebfb5fe2ea7da5bd3babfcdcfd | URL:https://github.com/reactphp/http/commit/9681f764b80c45ebfb5fe2ea7da5bd3babfcdcfd | MISC:https://github.com/reactphp/http/security/advisories/GHSA-95x4-j7vc-h8mf | URL:https://github.com/reactphp/http/security/advisories/GHSA-95x4-j7vc-h8mf;Assigned (20230217);None (candidate not yet proposed) +CVE-2023-28081;Candidate;A bytecode optimization bug in Hermes prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could be used to cause an use-after-free and obtain arbitrary code execution via a carefully crafted payload. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.;MISC:https://github.com/facebook/hermes/commit/e6ed9c1a4b02dc219de1648f44cd808a56171b81 | URL:https://github.com/facebook/hermes/commit/e6ed9c1a4b02dc219de1648f44cd808a56171b81 | MISC:https://www.facebook.com/security/advisories/cve-2023-28081 | URL:https://www.facebook.com/security/advisories/cve-2023-28081;Assigned (20230310);None (candidate not yet proposed) +CVE-2023-28103;Candidate;matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. 
In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Object.prototype`, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic. This is fixed in matrix-react-sdk 3.69.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. Note this advisory is distinct from GHSA-2x9c-qwgf-94xr which refers to a similar issue.;MISC:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-6g43-88cp-w5gv | URL:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-6g43-88cp-w5gv | MISC:https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0 | URL:https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0;Assigned (20230310);None (candidate not yet proposed) +CVE-2023-30470;Candidate;A use-after-free related to unsound inference in the bytecode generation when optimizations are enabled for Hermes prior to commit da8990f737ebb9d9810633502f65ed462b819c09 could have been used by an attacker to achieve remote code execution. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.;MISC:https://github.com/facebook/hermes/commit/da8990f737ebb9d9810633502f65ed462b819c09 | URL:https://github.com/facebook/hermes/commit/da8990f737ebb9d9810633502f65ed462b819c09 | MISC:https://www.facebook.com/security/advisories/cve-2023-30470 | URL:https://www.facebook.com/security/advisories/cve-2023-30470;Assigned (20230411);None (candidate not yet proposed) +CVE-2023-30543;Candidate;@web3-react is a framework for building Ethereum Apps . In affected versions the `chainId` may be outdated if the user changes chains as part of the connection flow. 
This means that the value of `chainId` returned by `useWeb3React()` may be incorrect. In an application, this means that any data derived from `chainId` could be incorrect. For example, if a swapping application derives a wrapped token contract address from the `chainId` *and* a user has changed chains as part of their connection flow the application could cause the user to send funds to the incorrect address when wrapping. This issue has been addressed in PR #749 and is available in updated npm artifacts. There are no known workarounds for this issue. Users are advised to upgrade.;MISC:https://github.com/Uniswap/web3-react/pull/749 | URL:https://github.com/Uniswap/web3-react/pull/749 | MISC:https://github.com/Uniswap/web3-react/security/advisories/GHSA-8pf3-6fgr-3g3g | URL:https://github.com/Uniswap/web3-react/security/advisories/GHSA-8pf3-6fgr-3g3g;Assigned (20230412);None (candidate not yet proposed) +CVE-2023-30609;Candidate;matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. 
As a workaround, restarting the client will clear the HTML injection.;MISC:https://github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826 | URL:https://github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826 | MISC:https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.71.0 | URL:https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.71.0 | MISC:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw | URL:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw;Assigned (20230413);None (candidate not yet proposed) +CVE-2023-30611;Candidate;Discourse-reactions is a plugin that allows user to add their reactions to the post in the Discourse messaging platform. In affected versions data about what reactions were performed on a post in a private topic could be leaked. This issue has been addressed in version 0.3. Users are advised to upgrade. Users unable to upgrade should disable the discourse-reactions plugin to fully mitigate the issue.;MISC:https://github.com/discourse/discourse-reactions/commit/01aca15b2774c088f3673118e92e9469f37d2fb6 | URL:https://github.com/discourse/discourse-reactions/commit/01aca15b2774c088f3673118e92e9469f37d2fb6 | MISC:https://github.com/discourse/discourse-reactions/security/advisories/GHSA-4cgc-c7vh-94g6 | URL:https://github.com/discourse/discourse-reactions/security/advisories/GHSA-4cgc-c7vh-94g6;Assigned (20230413);None (candidate not yet proposed) +CVE-2023-30708;Candidate;Improper authentication in SecSettings prior to SMR Sep-2023 Release 1 allows attacker to access Captive Portal Wi-Fi in Reactivation Lock status.;MISC:https://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=09 | URL:https://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=09;Assigned (20230414);None (candidate not yet proposed) +CVE-2023-31779;Candidate;"Wekan v6.84 and earlier is vulnerable to 
Cross Site Scripting (XSS). An attacker with user privilege on kanban board can insert JavaScript code in in ""Reaction to comment"" feature.";MISC:https://github.com/wekan/wekan/blob/master/CHANGELOG.md | MISC:https://github.com/wekan/wekan/commit/47ac33d6c234359c31d9b5eae49ed3e793907279;Assigned (20230429);None (candidate not yet proposed) +CVE-2023-32587;Candidate;Cross-Site Request Forgery (CSRF) vulnerability in WP Reactions, LLC WP Reactions Lite plugin <= 1.3.8 versions.;MISC:https://patchstack.com/database/vulnerability/wp-reactions-lite/wordpress-wp-reactions-lite-plugin-1-3-8-cross-site-request-forgery-csrf?_s_id=cve | URL:https://patchstack.com/database/vulnerability/wp-reactions-lite/wordpress-wp-reactions-lite-plugin-1-3-8-cross-site-request-forgery-csrf?_s_id=cve;Assigned (20230510);None (candidate not yet proposed) +CVE-2023-3294;Candidate;Cross-site Scripting (XSS) - DOM in GitHub repository saleor/react-storefront prior to c29aab226f07ca980cc19787dcef101e11b83ef7.;CONFIRM:https://huntr.dev/bounties/9d308ebb-4289-411f-ac22-990383d98932 | URL:https://huntr.dev/bounties/9d308ebb-4289-411f-ac22-990383d98932 | MISC:https://github.com/saleor/react-storefront/commit/c29aab226f07ca980cc19787dcef101e11b83ef7 | URL:https://github.com/saleor/react-storefront/commit/c29aab226f07ca980cc19787dcef101e11b83ef7;Assigned (20230616);None (candidate not yet proposed) +CVE-2023-34036;Candidate;"Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle (and possibly discard) forwarded headers either in WebFlux or at the level of the underlying HTTP server. For the application to be affected, it needs to satisfy the following requirements: * It needs to use the reactive web stack (Spring WebFlux) and Spring HATEOAS to create links in hypermedia-based responses. 
* The application infrastructure does not guard against clients submitting (X-)Forwarded… headers.";MISC:https://spring.io/security/cve-2023-34036 | URL:https://spring.io/security/cve-2023-34036;Assigned (20230525);None (candidate not yet proposed) +CVE-2023-34054;Candidate;In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.;MISC:https://spring.io/security/cve-2023-34054 | URL:https://spring.io/security/cve-2023-34054;Assigned (20230525);None (candidate not yet proposed) +CVE-2023-34062;Candidate;In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.;MISC:https://spring.io/security/cve-2023-34062 | URL:https://spring.io/security/cve-2023-34062;Assigned (20230525);None (candidate not yet proposed) +CVE-2023-34091;Candidate;Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs as resources pending deletion were being consciously exempted by Kyverno, as a way to reduce processing load as policies are typically not applied to objects which are being deleted. 
However, this could potentially result in allowing a malicious user to leverage the Kubernetes finalizers feature by setting a finalizer which causes the Kubernetes API server to set the `deletionTimestamp` and then not completing the delete operation as a way to explicitly to bypass a Kyverno policy. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround.;MISC:https://github.com/kyverno/kyverno/releases/tag/v1.10.0 | URL:https://github.com/kyverno/kyverno/releases/tag/v1.10.0 | MISC:https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc | URL:https://github.com/kyverno/kyverno/security/advisories/GHSA-hq4m-4948-64cc;Assigned (20230525);None (candidate not yet proposed) +CVE-2023-34238;Candidate;Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope of the development server could potentially be exposed. It should be noted that by default `gatsby develop` is only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as `--host 0.0.0.0`, `-H 0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. A patch has been introduced in `gatsby@5.9.1` and `gatsby@4.25.7` which mitigates the issue. Users are advised to upgrade. 
Users unable to upgrade should avoid exposing their development server to the internet.;MISC:https://github.com/gatsbyjs/gatsby/commit/ae5a654eb346b2e7a9d341b809b2f82d34c0f17c | URL:https://github.com/gatsbyjs/gatsby/commit/ae5a654eb346b2e7a9d341b809b2f82d34c0f17c | MISC:https://github.com/gatsbyjs/gatsby/commit/fc22f4ba3ad7ca5fb3592f38f4f0ca8ae60b4bf7 | URL:https://github.com/gatsbyjs/gatsby/commit/fc22f4ba3ad7ca5fb3592f38f4f0ca8ae60b4bf7 | MISC:https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-c6f8-8r25-c4gc | URL:https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-c6f8-8r25-c4gc;Assigned (20230531);None (candidate not yet proposed) +CVE-2023-34245;Candidate;@udecode/plate-link is the link handler for the udecode/plate rich-text editor plugin system for Slate & React. Affected versions of the link plugin and link UI component do not sanitize URLs to prevent use of the `javascript:` scheme. As a result, links with JavaScript URLs can be inserted into the Plate editor through various means, including opening or pasting malicious content. `@udecode/plate-link` 20.0.0 resolves this issue by introducing an `allowedSchemes` option to the link plugin, defaulting to `['http', 'https', 'mailto', 'tel']`. URLs using a scheme that isn't in this list will not be rendered to the DOM. Users are advised to upgrade. 
Users unable to upgrade are advised to override the `LinkElement` and `PlateFloatingLink` components with implementations that explicitly check the URL scheme before rendering any anchor elements.;MISC:https://github.com/udecode/plate/commit/93dd5712854660874900ae12e4d8e6ff28089eb7 | URL:https://github.com/udecode/plate/commit/93dd5712854660874900ae12e4d8e6ff28089eb7 | MISC:https://github.com/udecode/plate/security/advisories/GHSA-4882-hxpr-hrvm | URL:https://github.com/udecode/plate/security/advisories/GHSA-4882-hxpr-hrvm;Assigned (20230531);None (candidate not yet proposed) +CVE-2023-35676;Candidate;In createQuickShareAction of SaveImageInBackgroundTask.java, there is a possible way to trigger a background activity launch due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.;MISC:https://android.googlesource.com/platform/frameworks/base/+/109e58b62dc9fedcee93983678ef9d4931e72afa | URL:https://android.googlesource.com/platform/frameworks/base/+/109e58b62dc9fedcee93983678ef9d4931e72afa | MISC:https://source.android.com/security/bulletin/2023-09-01 | URL:https://source.android.com/security/bulletin/2023-09-01;Assigned (20230615);None (candidate not yet proposed) +CVE-2023-37259;Candidate;matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact. However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side. 
This issue has been addressed in commit `22fcd34c60` which is included in release version 3.76.0. Users are advised to upgrade. The only known workaround for this issue is to disable or to not use the Export Chat feature.;MISC:https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8 | URL:https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8 | MISC:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65 | URL:https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65;Assigned (20230629);None (candidate not yet proposed) +CVE-2023-38871;Candidate;The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer has a user enumeration vulnerability in the login and forgot password functionalities. The app reacts differently when a user or email address is valid, and when it's not. This may allow an attacker to determine whether a user or email address is valid, or brute force valid usernames and email addresses.;MISC:https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38871 | MISC:https://github.com/gugoan/economizzer | MISC:https://www.economizzer.org;Assigned (20230725);None (candidate not yet proposed) +CVE-2023-40027;Candidate;"Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a `session` strategy is not defined. This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, `isAccessAllowed` is not `undefined`). 
This vulnerability does affect users who believed that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. Users are advised to upgrade. Users unable to upgrade may opt to write their own `isAccessAllowed` functionality to work-around this vulnerability.";MISC:https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284 | URL:https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284 | MISC:https://github.com/keystonejs/keystone/pull/8771 | URL:https://github.com/keystonejs/keystone/pull/8771 | MISC:https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c | URL:https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c;Assigned (20230808);None (candidate not yet proposed) +CVE-2023-41167;Candidate;@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a react component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the editor.js rich text editor to handle rich text content. The CMS stores rich text content from the editor.js into the database. When the @webiny/react-rich-text-renderer is used to render such content, it uses the dangerouslySetInnerHTML prop, without applying HTML sanitization. The issue arises when an actor, who in this context would specifically be a content manager with access to the CMS, inserts a malicious script as part of the user-defined input. 
This script is then injected and executed within the user's browser when the main page or admin page loads.;MISC:https://github.com/webiny/webiny-js/security/advisories/GHSA-3x59-vrmc-5mx6 | MISC:https://webiny.com;Assigned (20230824);None (candidate not yet proposed) +CVE-2023-46134;Candidate;"D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off ""Custom Filter"" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.";MISC:https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668 | URL:https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668 | MISC:https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm | URL:https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm;Assigned (20231016);None (candidate not yet proposed) +CVE-2023-49098;Candidate;Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. 
This vulnerability was patched in commit 2c26939.;MISC:https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc | URL:https://github.com/discourse/discourse-reactions/commit/2c26939395177730e492640d71aac68423be84fc | MISC:https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8 | URL:https://github.com/discourse/discourse-reactions/security/advisories/GHSA-mq82-7v5x-rhv8;Assigned (20231121);None (candidate not yet proposed) +CVE-2023-51843;Candidate;react-dashboard 1.4.0 is vulnerable to Cross Site Scripting (XSS) as httpOnly is not set.;MISC:https://github.com/flatlogic/react-dashboard | MISC:https://github.com/flatlogic/react-dashboard/issues/65 | MISC:https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51843.md;Assigned (20231226);None (candidate not yet proposed) +CVE-2023-5654;Candidate;"The React Developer Tools extension registers a message listener with window.addEventListener('message', ) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL’s via the victim's browser.";MISC:https://gist.github.com/CalumHutton/1fb89b64409570a43f89d1fd3274b231 | URL:https://gist.github.com/CalumHutton/1fb89b64409570a43f89d1fd3274b231;Assigned (20231019);None (candidate not yet proposed)
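Review bot: the Description column is quoted inconsistently, and several records whose description runs across a line break are not quoted at all, so a strict CSV reader will split them into two rows. For example the CVE-2023-26044 record breaks after `... with very large settings.` and continues unquoted with `This might lead to consuming large amounts of CPU time ...`, and CVE-2023-28103, CVE-2023-30543, CVE-2023-30609, CVE-2023-34091, CVE-2023-34238, CVE-2023-34245, CVE-2023-37259, CVE-2023-41167 and CVE-2023-49098 have the same shape; by contrast CVE-2023-31779 (`"Wekan v6.84 and earlier is vulnerable to` / `Cross Site Scripting (XSS). ...`), CVE-2023-34036 and CVE-2023-40027 are wrapped in double quotes with `""` escaping and parse as one record. Apply one rule to the whole column: either quote every Description (which also covers the ones containing embedded quotes and commas), or collapse the line breaks inside the field before writing the file. Since the rows use `;` as the field separator, any consumer must also be told the delimiter explicitly; a comment in the commit message or a README line stating the delimiter and quoting convention would make the file usable without guesswork.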