Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ses's global contour bindings leak into Compartment lexical scope
Vulnerability Description
SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used `const`, `let`, and `class` bindings in the top-level scope of a `<script>` tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level `let`, `const`, or `class` bindings in `<script>` tags, or change these to `var` bindings to be reflected on `globalThis`.
CVSS Information
N/A
Vulnerability Type
将系统数据暴露到未授权控制的范围
Vulnerability Title
npm SES 安全漏洞
Vulnerability Description
npm SES是美国npm公司的一个库。 npm SES 1.12.0之前版本存在安全漏洞,该漏洞源于第三方代码可能访问顶层绑定。
CVSS Information
N/A
Vulnerability Type
N/A