4403 matches found

Source: Snyk | added 2021/04/18 3:49 p.m. | 5 views

Arbitrary Command Injection

Overview: psnode is a Node.js KISS module to list and kill processes on OSX and Windows. Affected versions of this package are vulnerable to Arbitrary Command Injection. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands...

CVSS 9.8 | AI score 7.5 | EPSS 0.01336
Exploits 1 | References 2
Source: Tenable Nessus | added 2021/04/15 12:00 a.m. | 69 views

RHEL 8 : RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, (Moderate) (RHSA-2021:1169)

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities, as referenced in the RHSA-2021:1169 advisory. The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as...

CVSS 7.5 | AI score 7.3 | EPSS 0.0367
Exploits 3 | References 41
Source: RedHat Linux | added 2021/04/14 4:34 p.m. | 4 views

nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS

bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser...

CVSS 6.1 | AI score 6 | EPSS 0.01738
Exploits 0 | References 6
Source: RedHat Linux | added 2021/04/14 4:34 p.m. | 80 views

Moderate: Red Hat Security Advisory: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] 0-day security, bug fix, enhance

An update for org.ovirt.engine-root, ovirt-engine-ui-extensions, and ovirt-web-ui is now available for Red Hat Virtualization Engine 4.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a...

CVSS 7.5 | AI score 6.5 | EPSS 0.0367
Exploits 2 | References 8
Source: NVD | added 2021/04/13 7:15 p.m. | 16 views

CVE-2021-23280

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to an authenticated arbitrary file upload vulnerability. IPM's mapssrv.js allows an attacker to upload a malicious NodeJS file using the uploadBackgroud action. An attacker can upload malicious code or execute any command using a speciall...

CVSS 9.9 | EPSS 0.00872
Exploits 0 | References 1
Source: Prion | added 2021/04/13 7:15 p.m. | 17 views

Privilege escalation

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to an authenticated arbitrary file upload vulnerability. IPM's mapssrv.js allows an attacker to upload a malicious NodeJS file using the uploadBackgroud action. An attacker can upload malicious code or execute any command using a speciall...

CVSS 6.5 | AI score 9.5 | EPSS 0.00872
Exploits 0 | References 1 | Affected Software 3
Source: Cvelist | added 2021/04/13 6:04 p.m. | 18 views

CVE-2021-23280 Arbitrary File Upload

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to an authenticated arbitrary file upload vulnerability. IPM's mapssrv.js allows an attacker to upload a malicious NodeJS file using the uploadBackgroud action. An attacker can upload malicious code or execute any command using a speciall...

CVSS 8 | AI score 9.8 | EPSS 0.00872
Exploits 0 | References 1
Source: OSV | added 2021/04/13 3:19 p.m. | 2 views

GHSA-45W5-PVR8-4RH5 Command injection in eslint-fixer

The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The ozum/eslint-fixer GitHub repository has been intentionally deleted...

CVSS 9.8 | AI score 7 | EPSS 0.03039
Exploits 1 | References 3
Source: RedHat Linux | added 2021/04/13 4:30 a.m. | 111 views

Important: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.2.2 security and bug fix update

Red Hat Advanced Cluster Management for Kubernetes 2.2.2 General Availability release images, which fix several bugs and security issues. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a...

CVSS 10 | AI score 6.5 | EPSS 0.50732
Exploits 6 | References 15
Source: RedhatCVE | added 2021/04/12 9:16 p.m. | 44 views

CVE-2021-23369

A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker who can provide untrusted handlebars templates to execute arbitrary code in the JavaScript system (e.g. browser or server) when the template is compiled with the...

CVSS 9.8 | AI score 5 | EPSS 0.07028
Exploits 2 | References 3
Source: OSV | added 2021/04/07 11:02 a.m. | 4 views

OESA-2021-1099 c-ares security update

This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple. Security Fixes: A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Deni...

CVSS 7.5 | AI score 6.9 | EPSS 0.54164
Exploits 0 | References 2
Source: Photon | added 2021/04/07 12:00 a.m. | 79 views

Critical Photon OS Security Update - PHSA-2021-0007

Updates of 'linux-aws', 'containerd', 'linux-secure', 'glib', 'libtiff', 'linux-rt', 'curl', 'linux', 'libvirt', 'openssl', 'mysql', 'wpasupplicant', 'apache-tomcat', 'python3', 'nodejs', 'docker' packages of Photon OS have been released...

CVSS 7.8 | AI score 1.6 | EPSS 0.77385
Exploits 52
Source: Packet Storm | added 2021/04/07 12:00 a.m. | 815 views

Monospace Directus Headless CMS File Upload / Rule Bypass

SEC Consult Vulnerability Lab Security Advisory. Title: Arbitrary File Upload and Bypassing .htaccess Rules; product: Monospace Directus Headless CMS; vulnerable version: v8.8.2; fixed version: v8.8.2, v9 is not affected because ...

AI score 0.3 | EPSS 0.04867
Exploits 3
Source: Tenable Nessus | added 2021/04/07 12:00 a.m. | 109 views

Photon OS 4.0: Nodejs PHSA-2021-4.0-0007

An update of the nodejs package has been released. © Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2021-4.0-0007. The text itself is copyright © VMware, Inc. include("compat.inc"); if (description) { script_id(148351); ...

CVSS 8.1 | AI score 8.3 | EPSS 0.77385
Exploits 4 | References 6
Source: OSV | added 2021/04/06 5:22 p.m. | 12 views

GHSA-MMHJ-4W6J-76H7 Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate

Versions of isolated-vm before v4.0.0, and especially before v3.0.0, have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. Reference objects allow access to the underlying reference's full prototype chain. In an...

CVSS 8 | AI score 9.3 | EPSS 0.00713
Exploits 0 | References 5
Source: BDU FSTEC | added 2021/04/06 12:00 a.m. | 4 views

The vulnerability of the Node.js software platform, related to the presence of localhost6 in the white list, allows a perpetrator to access confidential data, compromise its integrity, and cause service failures.

The vulnerability of the Node.js software platform is related to the presence of localhost6 in the white list. Exploiting this vulnerability allows a remote attacker to access confidential data, compromise its integrity, and cause service failures...

CVSS 7.5 | AI score 6.9 | EPSS 0.32362
Exploits 1 | References 12 | Affected Software 5
Source: Photon | added 2021/04/03 12:00 a.m. | 74 views

Critical Photon OS Security Update - PHSA-2021-4.0-0007

Updates of 'linux-aws', 'nodejs', 'glib', 'libvirt', 'docker', 'linux', 'containerd', 'apache-tomcat', 'wpasupplicant', 'curl', 'openssl', 'mysql', 'python3', 'linux-rt', 'linux-secure', 'libtiff' packages of Photon OS have been released...

CVSS 8.8 | AI score 6.9 | EPSS 0.50732
Exploits 28
Source: OSV | added 2021/04/02 8:25 p.m. | 5 views

MGASA-2021-0170 Updated nodejs-yargs-parser packages fix security vulnerability

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload (CVE-2020-7608)...

CVSS 5.3 | AI score 7 | EPSS 0.00514
Exploits 1 | References 2
Source: Mageia | added 2021/04/02 8:25 p.m. | 52 views

Updated nodejs-chownr packages fix security vulnerability

Updated nodejs-chownr package fixes security vulnerability: A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks (CVE-2017-18869)...

CVSS 2.5 | AI score 3.5 | EPSS 0.00334
Exploits 1 | References 1
Source: Mageia | added 2021/04/02 8:25 p.m. | 129 views

Updated nodejs-yargs-parser packages fix security vulnerability

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload (CVE-2020-7608)...

CVSS 5.3 | AI score 2.5 | EPSS 0.00514
Exploits 1 | References 1