In TypeStack class-validator, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk …
[@asyncapi/modelina] Improper Control of Generation of Code (‘Code Injection’) in @asyncapi/modelina
Impact
Anyone who is using the default presets and/or does not handle the functionality themselves.
Patches
It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only acc…
[omniauth_amazon] Backdoor / Malicious code
The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
Users of an affected version should consider downgrading to the last non-affected version of 1.6.9, or upg…
[rest-client] rest-client vulnerable to Session Fixation
REST client for Ruby (aka rest-client) versions 1.6.1.a until 1.8.0 allow remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.
References
https://…