
114 matches found

NVD
added 2021/09/13 6:15 p.m., 8 views

CVE-2021-3666

body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')...

CVSS 9.8, EPSS 0.01257
Exploits: 1, References: 2
OSV
added 2021/09/13 6:15 p.m., 15 views

CVE-2021-3666

body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')...

CVSS 9.8, AI score 9.4
Exploits: 0, References: 2
Cvelist
added 2021/09/13 5:56 p.m., 15 views

CVE-2021-3666 Prototype Pollution in fiznool/body-parser-xml

body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')...

CVSS 7.6, AI score 9.7, EPSS 0.01257
Exploits: 1, References: 2
CVE
added 2021/09/13 5:56 p.m., 52 views

CVE-2021-3666

CVE-2021-3666 : Vulnerability in body-parser-xml (prototype pollution via Improperly Controlled Modification of Object Prototype Attributes). Multiple connected sources confirm this CVE; CVSS details (3.1) show a NETWORK attack vector, no privileges required, no user interaction, and high impact ...

CVSS 9.8, AI score 8.6, EPSS 0.01257
Exploits: 1, References: 2, Affected Software: 1
vulnersOsv
added 2021/09/12 11:30 a.m., 2 views

@iamkenos/fragile (>=0.1.1 <=0.1.5) potentially affected by CVE-2021-3666 via body-parser-xml (=2.0.1)

body-parser-xml NPM version =2.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on body-parser-xml and may be impacted:
- @iamkenos/fragile >=0.1.1, <=0.1.5
Source cves: CVE-2021-3666
Source advisory: SNYK:JS-BODYPARSERXML-1584211...

CVSS 9.8, AI score 7.1, EPSS 0.01257
Exploits: 1
Snyk
added 2021/09/12 11:30 a.m., 2 views

Prototype Pollution

Overview: body-parser-xml is an XML parser middleware for express.js. Affected versions of this package are vulnerable to Prototype Pollution. The prototype of req.body can be polluted. PoC: const express = require('express'); const bodyParser = require('body-parser'); require('body-parser-xml')(bodyParser...

CVSS 9.8, AI score 8.3, EPSS 0.01257
Exploits: 1, References: 2
OSV
added 2021/08/25 2:44 p.m., 15 views

GHSA-JQFH-8HW5-FQJR Improper Handling of Exceptional Conditions in detect-character-encoding

Impact: In detect-character-encoding v0.6.0 and earlier, data matching no charset causes the Node.js process to crash. Patches: The problem has been patched in detect-character-encoding v0.7.0. CVSS score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C Base Score: 7.5 High Temporal Score: 7....

CVSS 7.5, AI score 7.4, EPSS 0.02068
Exploits: 1, References: 6
Veracode
added 2021/05/24 9:48 a.m., 14 views

Prototype Pollution

body-parser-xml is vulnerable to prototype pollution. An attacker is able to exploit the vulnerability to inject arbitrary properties into existing construct prototypes and modify attributes such as __proto__, constructor and prototype in the index.js...

CVSS 9.8, AI score 4, EPSS 0.01257
Exploits: 1, References: 4, Affected Software: 1
Prion
added 2017/06/02 5:29 a.m., 12 views

Out-of-bounds

The multi-part body parser in PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet...

CVSS 5, AI score 6.9, EPSS 0.03796
Exploits: 0, References: 5, Affected Software: 2
CVE
added 2017/06/02 5:4 a.m., 60 views

CVE-2017-9359

CVE-2017-9359 affects the PJProject/PJSIP multi-part body parser used by Asterisk Open Source (13.x prior to 13.15.1; 14.x prior to 14.4.1) and Certified Asterisk (and other products). The vulnerability arises in the body parser handling crafted packets, allowing remote attackers to cause a denia...

CVSS 7.5, AI score 7.1, EPSS 0.03796
Exploits: 0, References: 5, Affected Software: 1
OpenVAS
added 2017/05/23 12:0 a.m., 18 views

Asterisk Multiple DoS Vulnerabilities (May 2017)

Asterisk is prone to multiple denial of service (DoS) vulnerabilities. SPDX-FileCopyrightText: 2017 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE =...

CVSS 7.5, AI score 7.5, EPSS 0.03989
Exploits: 0, References: 3
Tenable Nessus
added 2017/05/22 12:0 a.m., 13 views

FreeBSD : asterisk -- Buffer Overrun in PJSIP transaction layer (0537afa3-3ce0-11e7-bf9d-001999f8d30b)

The Asterisk project reports: A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By...

AI score 5.7
Exploits: 0, References: 3
FreeBSD
added 2017/04/12 12:0 a.m., 24 views

asterisk -- Buffer Overrun in PJSIP transaction layer

The Asterisk project reports: A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By...

AI score 2.1
Exploits: 0, References: 2
Node JS Blog
added 2014/07/31 12:0 a.m., 42 views

V8 Memory Corruption and Stack Overflow (fixed in Node v0.8.28 and v0.10.30)

V8 Memory Corruption and Stack Overflow (fixed in Node v0.8.28 and v0.10.30). A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may...

CVSS 9.8, AI score 7.8, EPSS 0.05356
Exploits: 0