{
  "vulnerability": "cve-2023-2614",
  "sightings": [
    {
      "uuid": "69e397fd-2679-4e72-a8ce-1c148b539905",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-26147",
      "type": "seen",
      "source": "https://t.me/cibsecurity/71261",
      "content": "\u203c CVE-2023-26147 \u203c\n\nAll versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build headers values. An attacker can add the \\r\\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content, like for example additional headers or new response body, leading to a potential XSS vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-29T12:37:39.000000Z"
    },
    {
      "uuid": "10f51502-60e0-4125-b44e-4497658e365e",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-26146",
      "type": "seen",
      "source": "https://t.me/cibsecurity/71271",
      "content": "\u203c CVE-2023-26146 \u203c\n\nAll versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-29T12:42:31.000000Z"
    },
    {
      "uuid": "7c7bc6d5-eb24-4a55-bd61-af5680746a1f",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-26148",
      "type": "seen",
      "source": "https://t.me/cibsecurity/71266",
      "content": "\u203c CVE-2023-26148 \u203c\n\nAll versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \\r\\n (carriage return line feeds) characters and inject additional headers in the request sent.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-29T12:37:45.000000Z"
    },
    {
      "uuid": "abaeb173-a793-45ac-97d9-bbc0c34f2cc6",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-26149",
      "type": "seen",
      "source": "https://t.me/cibsecurity/71184",
      "content": "\u203c CVE-2023-26149 \u203c\n\nVersions of the package quill-mention before 4.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization, via the renderList function. **Note:**If the mentions list is sourced from unsafe (user-sourced) data, this might allow an injection attack when a Quill user hits @.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-28T12:49:43.000000Z"
    },
    {
      "uuid": "3af31aa5-447c-4ec1-9c77-bab6f8091e50",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-26145",
      "type": "seen",
      "source": "https://t.me/cibsecurity/71182",
      "content": "\u203c CVE-2023-26145 \u203c\n\nThis affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects.**Note:**The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied:1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible)2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-28T12:49:41.000000Z"
    },
    {
      "uuid": "6ff2193e-722a-4c6b-8611-4ca398434611",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-26144",
      "type": "seen",
      "source": "https://t.me/cibsecurity/70785",
      "content": "\u203c CVE-2023-26144 \u203c\n\nVersions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.**Note:** It was not proven that this vulnerability can crash the process.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-20T12:30:12.000000Z"
    },
    {
      "uuid": "3bb719db-fb6e-42ac-b53f-2dd9525080d5",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-26141",
      "type": "seen",
      "source": "https://t.me/cibsecurity/70430",
      "content": "\u203c CVE-2023-26141 \u203c\n\nVersions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-14T12:24:20.000000Z"
    },
    {
      "uuid": "507e4b51-e489-4112-9166-3e9e59c0a3a8",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-26142",
      "type": "seen",
      "source": "https://t.me/cibsecurity/70249",
      "content": "\u203c CVE-2023-26142 \u203c\n\nAll versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. Header values are not properly sanitized against CRLF Injection in the set_header and add_header functions. An attacker can add the \\r\\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-12T12:22:48.000000Z"
    },
    {
      "uuid": "a193a026-6c2f-4682-a3bd-cdabd0fca718",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-26140",
      "type": "seen",
      "source": "https://t.me/cibsecurity/68617",
      "content": "\u203c CVE-2023-26140 \u203c\n\nVersions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-08-16T12:46:37.000000Z"
    },
    {
      "uuid": "61fa1fec-17e2-4998-b7d2-fbd0fe3bbd0d",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-26140",
      "type": "published-proof-of-concept",
      "source": "https://t.me/CyberSecurityTechnologies/10243",
      "content": "#Threat_Research\n1. Back to the (Clip)board with MS Whiteboard and Meta Excalidraw (CVE-2023-26140)\nhttps://spaceraccoon.dev/clipboard-microsoft-whiteboard-excalidraw-meta\n2. Google Issue Tracker leak\nhttps://ndevtk.github.io/writeups/2024/02/03/buganizer",
      "creation_timestamp": "2024-03-30T19:48:50.000000Z"
    }
  ]
}