277 matches found
CVE-2015-9241
Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending an HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until it times out; the default node timeout is 2...
Design/Logic Flaw
When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined, a higher level config that included security restrictions like origin would have those restrictions...
Sql injection
Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with mysql.escape, which could lead to SQL Injection...
CVE-2014-10068
The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when showHidden is false...
CVE-2015-9242
Certain input strings when passed to new Date or Date.parse in ecstatic node module before 1.4.0 will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic when this input is passed into the server via the If-Modified-Since header...
Path traversal
crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read the content of any file with a known path...
CVE-2018-3734
stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read the content of any file with a known path...
CVE-2018-3744
The vulnerability CVE-2018-3744 affects the html-pages Node.js module, with versions prior to 2.1.0 susceptible to a directory/path traversal vulnerability that allows an attacker to read arbitrary files on the server (e.g., via crafted URLs or curl requests). Public reports and advisories (GHSA-...
CVE-2015-9244
CVE-2015-9244 affects the mysql node module v2.0.0-alpha7 and earlier. The issue is that keys of objects are not escaped by mysql.escape(), which could enable SQL injection. Public references (OSV entries and GHSA advisories) indicate the fix is to update to 2.0.0-alpha8 or later. Exploitation de...
CVE-2015-9235
In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token is digitally signed with an asymmetric key (RS/ES family of algorithms) but the attacker instead sends a token digitally signed with a symmetric algorithm (HS family)...
CVE-2015-9240
CVE-2015-9240 affects the keystone node module prior to 0.3.16. The vulnerability is a partial authentication bypass in the default sign-in flow: if an attacker provides a full and correct password but only a partial email address, authentication can be granted. Affected component is the keystone...
CVE-2018-3733
The vulnerability CVE-2018-3733 affects the NodeJS package crud-file-server (prior to version 0.9.0). It stems from incorrect validation/sanitation of URLs, enabling a path traversal that lets an attacker read files outside the served directory. Impact is read access to arbitrary files with known...
CVE-2015-9243
CVE-2015-9243 affects the hapi Node.js framework prior to version 11.1.4, where merging server/connection/route-level CORS configurations could cause security restrictions (e.g., origin) to be overridden by less restrictive defaults (origin → *). This confluence creates weaker CORS controls than ...