Researchers from RUB-NDS

2 exploits - Active since May 2019
CVE-2018-12556 - MEDIUM - WRITEUP
yarnpkg/website <2018-06-05 - Code Injection
The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.
CVSS 5.9
CVE-2019-8338 - MEDIUM - WRITEUP
gpg-pgp < 1.0(9) - Improper Verification of Cryptographic Signature
The signature verification routine in the Airmail GPG-PGP Plugin, versions 1.0 (9) and earlier, does not verify the status of the signature at all, which allows remote attackers to spoof arbitrary email signatures by crafting a signed email with an invalid signature. Also, it does not verify the validity of the signing key, which allows remote attackers to spoof arbitrary email signatures by crafting a key with a fake user ID (email address) and injecting it into the user's keyring.
CVSS 5.9