A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of standards.

Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`. Patches are available on RubyGems for all 1.x minor versions. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user.

If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. This was due to improper case-sensitivity in the code that was meant to prevent these attacks.

There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Phlex is an open source framework for building object-oriented views in Ruby.

Amazon AWS aws-js-s3-explorer (aka AWS JavaScript S3 Explorer) 1.0.0 allows XSS via a crafted S3 bucket name to index.html.