PT-2021-6779 · Node.Js +7
Name of the Vulnerable Software and Affected Versions: Node.js (affected versions not specified). Description: The issue is related to insufficient validation of the rejectUnauthorized value in the Node.js https API. If the rejectUnauthorized parameter is set to undefined, no error is returned, and...
is-email resource management error vulnerability
is-email is an application used to validate email addresses. The Segment is-email package for Node.js prior to 1.0.1 is vulnerable to a regular expression denial of service (ReDoS) flaw. An attacker could exploit this flaw to cause the application to consume excessive CPU...
nodejs buffer error vulnerability
nodejs is a JavaScript runtime environment based on the Chrome V8 engine. It wraps the V8 engine and uses event-driven, non-blocking I/O to make the development of high-performance JavaScript back-end applications possible. A buffer error vulnerability exists in...
CVE-2021-33205
Western Digital EdgeRover before 0.25 has an escalation of privileges vulnerability where a low privileged user could load malicious content into directories with higher privileges, because of how Node.js is used. An attacker can gain admin privileges and carry out malicious activities such as...
DEBIAN-CVE-2021-33587
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input...
CVE-2021-32573
The express-cart package through 1.1.10 for Node.js allows Reflected XSS for an admin via a user input field for product options. NOTE: the vendor states that this "would rely on an admin hacking his/her own website...
express-cart cross-site scripting vulnerability
express-cart is a shopping cart module for use in Node.js. A cross-site scripting vulnerability exists in express-cart version 1.1.10. An attacker can exploit this vulnerability to obtain sensitive information...
The vulnerability of the Node.js software platform, related to a bug in the resource consumption monitoring mechanism, allows a hacker to trigger a service failure.
The vulnerability of the Node.js software platform is related to the improper handling of a large number of requests sent to the unknownProtocol. Exploiting this vulnerability allows an attacker who operates remotely to cause service failures...
nodejs: DNS rebinding in --inspect
A flaw was found in nodejs. A denial of service is possible when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS over the network. If the attacker controls the victim's DNS server or can spoof its response...
Arbitrary Command Injection
Overview: ffmpegdotjs is an FFMPEG module for nodejs. Affected versions of this package are vulnerable to Arbitrary Command Injection. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the...
c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and...
nodejs: use-after-free in the TLS implementation
A flaw was found in nodejs. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResu...
DEBIAN-CVE-2020-8277
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and...
Vulnerability of the Cluster component: The JS module (Node.js) of the Oracle MySQL Cluster database management system, which allows a hacker to execute arbitrary code.
Vulnerability of the Cluster component: The JS module Node.js of the Oracle MySQL Cluster database management system is vulnerable due to the execution of operations outside the buffer in memory. Exploiting this vulnerability could allow a remote attacker to execute arbitrary code...
The vulnerability of the eval function in the nodeJS framework, which allows for arbitrary code execution due to insufficient validation of input data, can be exploited by attackers.
The vulnerability of the eval function in the nodeJS environment exists due to insufficient validation of input data. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
DEBIAN-CVE-2020-8201
Node.js 12.18.4 and 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture ...
nodejs: TLS session reuse can lead to hostname verification bypass
A TLS Hostname verification bypass vulnerability exists in NodeJS. This flaw allows an attacker to bypass TLS Hostname verification when a TLS client reuses HTTPS sessions...
keycloak: verify-token-audience support is missing in the NodeJS adapter
A flaw was found in Keycloak, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions...
bcrypt encryption problem vulnerability
bcrypt is a library used in Node.js for encrypting passwords. An encryption issue vulnerability exists in versions of bcrypt prior to 5.0.0. The vulnerability stems from a networked system or product that does not properly use the relevant cryptographic algorithm, resulting in content that is not...
Confinit Input Validation Error Vulnerability
confinit is an application configuration package for Node.js. Confinit is vulnerable to an input validation error. The vulnerability stems from a network system or product that does not properly validate input data. Vulnerability details are not available at this time...