CVE-2016-10578

unicode loads unicode data downloaded from unicode.org into nodejs. Unicode before 9.0.0 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks...

CVE-2016-10556

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This...

CVE-2016-10593

Issue : ibapi (NodeJS addon) downloads binary resources over HTTP, enabling MITM-based code execution. Root cause : unencrypted binary fetch allows an attacker on the network path to swap binaries. Impact : remote code execution in affected environments prior to version 2.5.6 (as stated in CVE-20...

Fedora Update for nodejs-deep-extend FEDORA-2018-636f73964f

The remote host is missing an update for the SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

[SECURITY] Fedora 28 Update: nodejs-deep-extend-0.5.1-1.fc28

Recursive object extending...

The Empire Multiuser GUI: Empire GUI

The Empire Multiuser GUI is a graphical interface to the Empire post-exploitation Framework. It was written in Electron and utilizes websockets SocketIO on the backend to support multiuser interaction. The main goal of this project is to enable red teams, or any other color team, to work together...

DEBIAN-CVE-2018-7158

The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service ReDoS vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, splitPathRe, used within the...

UBUNTU-CVE-2018-7160

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the...

SUSE-SU-2018:1183-1 Security update for nodejs6

This update for nodejs6 fixes the following issues: - Fix some node-gyp permissions - New upstream LTS release 6.14.1: Security fixes: + CVE-2018-7160: Fix for inspector DNS rebinding vulnerability bsc1087463 + CVE-2018-7158: Fix for 'path' module regular expression denial of service bsc1087459 +...

Node.js third-party modules: Stored XSS in Node-Red

I would like to report a stored XSS in node-red It allows to execute javascript in the user's browser Module module name: node-red version: v0.18.4 npm page: https://www.npmjs.com/package/node-red Module Description A visual tool for wiring the Internet of Things. Module Stats 1,758 downloads in...

Node.js third-party modules: [entitlements] Command injection on the 'path' parameter

Hello again, another command injection, this time on the entitlements module. Module module name: entitlements version: 1.2.0 npm page: https://www.npmjs.com/package/entitlements Module Description check the entitlements of a .app bundle Module Stats 26 downloads in the last day 328 downloads in...

CVE-2018-1109

A vulnerability was found in nodejs-braces. Affected versions of this package are vulnerable to Regular expression Denial of Service ReDoS attacks. The highest threat from this vulnerability is system availability...

Node.js third-party modules: Command injection in 'pdf-image'

I would like to report command injection in pdf-image It allows executing commands on the server Module module name: pdf-image version: 1.0.5 npm page: https://www.npmjs.com/package/pdf-image Module Description Provides an interface to convert PDF's pages to png files in Node.js by using...

SUSE-SU-2018:0952-1 Security update for nodejs4

This update for nodejs4 fixes the following issues: - Fix some node-gyp permissions - New upstream maintenance 4.9.1: Security fixes: + CVE-2018-7158: Fix for 'path' module regular expression denial of service bsc1087459 + CVE-2018-7159: Reject spaces in HTTP Content-Length header values bsc10874...

Node.js: Out of order TLS handshake / application data messages lead to segmentation fault

Summary: IMPORTANT NOTE: I have already been working with the NodeJS core security team on this issue and have provided core files, POC and many other pieces of information. I was told by James Snell to report via Hackerone to make it official however all the relevant details on this issue have...

Fedora 26 : 1:nodejs (2018-e672eaf4df)

https://nodejs.org/en/blog/release/v8.11.0/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues...

Fedora Update for nodejs FEDORA-2018-e672eaf4df

The remote host is missing an update for the SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Fedora 27 : 1:libuv / 1:nodejs (2018-ecf73042e3)

https://nodejs.org/en/blog/release/v8.11.0/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues...

Fedora Update for nodejs FEDORA-2018-ecf73042e3

The remote host is missing an update for the SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Node.js third-party modules: [pdfinfojs] Command Injection on filename parameter

Hello , there is a Command Injection vulnerability on the "pdfinfojs" module. Module module name: pdfinfojs version: 0.3.6 npm page: https://www.npmjs.com/package/pdfinfojs Module Description pdfinfo shell wrapper for Node.js Module Stats 10 downloads in the last day 61 downloads in the last week...