We’ve disclosed 3369 vulnerabilities
by Snyk Security Researchers
Avoid using all malicious instances of the @lottiefiles/lottie-player package.
safeness-sb is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.
zhmcclient is a pure Python client library for the IBM Z HMC Web Services API.
Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the logging of sensitive information in clear text. An attacker with access to the logs can obtain sensitive data by exploiting this vulnerability.
Note: This issue affects only users of the zhmcclient package that have enabled the Python loggers named "zhmcclient.api" (for the API log) or "zhmcclient.hmc" (for the HMC log) and that use the functions listed above.
org.webjars.npm:vue-i18n is an Internationalization plugin for Vue.js
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when using locale message ASTs in development mode or with custom configurations due to improper user input sanitization.
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.