Node.js third-party modules: Server Side JavaScript Code Injection
I would like to report a Server Side JavaScript Code Injection in fastify. It allows an attacker that can control a single property name in the serialization schema to achieve Remote Command Execution in the context of the web server. Module module name: fastify version: 2.2.0 npm page:...
[SECURITY] Fedora 30 Update: nodejs-simple-markdown-0.4.4-1.fc30
simple-markdown is a markdown-like parser designed for simplicity and extensibility...
AZL-41949 CVE-2019-10906 affecting package nodejs for versions less than 20.14.0-1
In Pallets Jinja before 2.10.1, str.formatmap allows a sandbox escape...
SUSE-SU-2019:0818-1 Security update for nodejs6
This update for nodejs6 to version 6.17.0 fixes the following issues: Security issues fixed: - CVE-2019-5739: Fixed a potential attack vector which could lead to Denial of Service when HTTP connections are kept active bsc1127533. - CVE-2019-5737: Fixed a potential attack vector which could lea...
Enhance Imperva Cloud WAF with a New Management Tool in the Imperva GitHub
Imperva recently launched the Imperva GitHub where our global community can access tools, code repositories and other neat resources that aid collaboration and streamline development. The nice thing about these tools is that you can clone them and customize them with whatever functionality you...
OPENSUSE-SU-2019:0089-1 Security update for nodejs8
This update for nodejs8 to version 8.15.0 fixes the following issues: Security issues fixed: - CVE-2018-12121: Fixed a Denial of Service with large HTTP headers bsc1117626 - CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service bsc1117627 - CVE-2018-12116: Fixed HTTP request splitting...
SMS-Stack - Framework to provide TCP/IP based characteristics to the GSM Short Message Service
Sms Stack is a Framework to provide TCP/IP based characteristics to the GSM Short Message Service. This framework works in multiple environments to provide a full stack integration in a service. The main layer features techniques to control the order and the number of SMS for a given stream, an...
SUSE-SU-2019:0636-1 Security update for nodejs10
This update for nodejs10 to version 10.1.2 fixes the following issue: Security issue fixed: - CVE-2019-5737: Fixed a potential attack vector which could lead to Denial of Service when HTTP connections are kept active bsc1127532...
Node.js third-party modules: [listening-processes] Command Injection
I would like to report Command Injection in listening-processes It allows an attacker to execute arbitrary commands. Module module name: listening-processes version: 1.2.0 npm page: https://www.npmjs.com/package/listening-processes Module Description A simple NPM module for retrieving pertinent...
Node.js third-party modules: [md-fileserver] Path Traversal
I would like to report path traversal in md-fileserver module. It allows an attacker to read system files via path traversal through the command line. Module module name: md-fileserver version: 1.3.2 npm page: https://www.npmjs.com/package/md-fileserver Module Description Starts a local server to rende...
Node.js third-party modules: [typeorm] SQL Injection
I would like to report SQL Injection in typeorm. It allows reading data from database. Module module name: typeorm version: 0.2.14 npm page: https://www.npmjs.com/package/typeorm Module Description TypeORM is an ORM that can run in NodeJS, Browser, Cordova, PhoneGap, Ionic, React Native,...
Joyent Node.js Denial of Service Vulnerability (CNVD-2019-42554)
Joyent Node.js is a platform from the US company Joyent for building web applications on top of the Google V8 JavaScript engine. The platform is primarily used for building highly scalable applications and writing code that can handle tens of thousands of simultaneous connections to a singl...
Jenkins NodeJS Plugin Remote Code Execution
A remote code execution vulnerability exists in Jenkins NodeJS plugin. Successful exploitation could allow an attacker to execute arbitrary code in the target machine...
Jenkins 2.150.2 - Remote Command Execution Exploit
Exploit for linux platform in category web applications This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Jenkins %q This module can run commands on the system using Jenkins...
Jenkins 2.150.2 - Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Jenkins %q This module can run commands on the system using Jenkins users who have JOB creation and BUILD privileges. The...
Photon OS 2.0: Nodejs PHSA-2018-2.0-0093
An update of the nodejs package has been released. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2018-2.0-0093. The text itself is copyright (C) VMware, Inc. include'compat.inc'; if description scriptid12199...
Htcap - A Web Application Scanner Able To Crawl Single Page Application (SPA) In A Recursive Manner By Intercepting Ajax Calls And DOM Changes
Htcap is a web application scanner able to crawl single page application SPA in a recursive manner by intercepting ajax calls and DOM changes. Htcap is not just another vulnerability scanner since it's focused on the crawling process and it's aimed to detect and intercept ajax/fetch calls,...
Denial Of Service (DoS)
nodejs-negotiator is vulnerable to denial of service. An attacker able to make an application using Negotiator to perform matching using a malicious glob pattern could cause the application to consume an excessive amount of CPU...
H8Mail - Email OSINT And Password Breach Hunting
Email OSINT and password finder. Use h8mail to find passwords through different breach and reconnaissance services, or the infamous "Breach Compilation" torrent. Features Email pattern matching (regexp), useful for all those raw HTML files Small and fast Alpine Dockerfile available CLI or Bulk...
Fedora 28 : nodejs-JSV / nodejs-uri-js (2018-373bbbd408)
Update to latest nodejs-uri-js for CVE fix Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues...