190 matches found
CVE-2020-36049
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used...
Socketio Engineio Resource Management Error Vulnerability
Socketio Engineio is a Javascript-based real-time engine for bi-directional communication between browsers and devices from the Socketio community. A security vulnerability exists in socketio socket.io-parser before 3.4.1, which can be exploited by attackers to cause a denial of service memory...
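The two entries above only say that a "concatenation approach" lets a large packet exhaust memory. The following added example (written for this page, not socket.io-parser's own code) decodes the string form of a socket.io packet, `<type>[<attachments>-][/<nsp>,][<ackId>][<json>]`, in both styles: `decodeByConcat()` grows the namespace and ack id one character at a time with `+=`, which is the pattern the advisory refers to, and `decodePacket()` scans with `indexOf`/`slice` and refuses anything over `maxPayload`. The `maxPayload` argument and both function names are assumptions for this example, not socket.io options.

```javascript
'use strict';
// Added example, not socket.io-parser's code. Decodes the string form of a
// socket.io packet ("<type>[<attachments>-][/<nsp>,][<ackId>][<json>]").
// decodeByConcat() mirrors the "concatenation approach" in the advisory: the
// namespace and ack id are built one character at a time with +=, so a
// multi-megabyte packet with no ',' is copied over and over while parsing.
// decodePacket() scans with indexOf/slice and rejects anything longer than
// maxPayload (an assumed limit for this example, not a socket.io option).

const MAX_TYPE = 6;        // packet types run 0 (CONNECT) .. 6 (BINARY_ACK)
const BINARY_EVENT = 5;
const BINARY_ACK = 6;

function decodeByConcat(str) {
  const p = { type: Number(str.charAt(0)), nsp: '/' };
  let i = 1;
  if (p.type === BINARY_EVENT || p.type === BINARY_ACK) {
    let n = '';
    while (i < str.length && str.charAt(i) !== '-') n += str.charAt(i++);
    p.attachments = Number(n);
    i++;
  }
  if (str.charAt(i) === '/') {
    p.nsp = '';
    // Per-character copy: every iteration allocates a new, longer string.
    while (i < str.length && str.charAt(i) !== ',') p.nsp += str.charAt(i++);
    if (str.charAt(i) === ',') i++;
  }
  let id = '';
  while (i < str.length && /[0-9]/.test(str.charAt(i))) id += str.charAt(i++);
  if (id !== '') p.id = Number(id);
  if (i < str.length) p.data = JSON.parse(str.slice(i));
  return p;
}

function decodePacket(str, maxPayload = 1024 * 1024) {
  if (typeof str !== 'string') throw new TypeError('packet must be a string');
  if (str.length > maxPayload) {
    throw new RangeError(`packet of ${str.length} chars exceeds maxPayload ${maxPayload}`);
  }
  const type = str.charCodeAt(0) - 48;
  if (!(type >= 0 && type <= MAX_TYPE)) throw new Error('unknown packet type');
  const p = { type, nsp: '/' };
  let i = 1;
  if (type === BINARY_EVENT || type === BINARY_ACK) {   // "<n>-" attachment count
    const dash = str.indexOf('-', i);
    const n = Number(str.slice(i, dash));
    if (dash === -1 || !Number.isInteger(n) || n < 0) throw new Error('illegal attachments');
    p.attachments = n;
    i = dash + 1;
  }
  if (str.charAt(i) === '/') {                          // namespace up to ',' or end
    const comma = str.indexOf(',', i);
    const end = comma === -1 ? str.length : comma;
    p.nsp = str.slice(i, end);                          // one slice, no per-char growth
    i = comma === -1 ? end : end + 1;
  }
  let j = i;                                            // optional ack id: run of digits
  while (j < str.length && str.charCodeAt(j) >= 48 && str.charCodeAt(j) <= 57) j++;
  if (j > i) { p.id = Number(str.slice(i, j)); i = j; }
  if (i < str.length) p.data = JSON.parse(str.slice(i));
  return p;
}

// Demonstration on a constructed packet and on an oversized one.
const sample = '2/chat,13["msg",{"a":1}]';
console.log(decodePacket(sample));
console.log(decodeByConcat(sample));
try {
  decodePacket('2/' + 'x'.repeat(4096), 1024);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Both decoders agree on well-formed input; the difference is what happens on a packet that is large and missing its delimiter. A server should apply the length cap before any parsing, which is why `decodePacket` checks `maxPayload` first.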
7ghost (>=4.11.25 <=4.11.46), @abcpros/bitcore-build (>=8.25.29 <=8.25.30) +1114 more potentially affected by CVE-2020-28481 via socket.io (>=2.0.1 <=2.3.0)
socket.io NPM version =2.0.1, =4.11.25, =8.25.29, =1.0.0, =0.0.4, =1.0.9, =1.1.13, =0.2.9, =2018.7.11-0, =0.1.14, =0.0.1, =0.0.1, =1.0.0-alpha.18, =1.0.0-feature-e945fc-k9e8d9l7 and more Source cves: CVE-2020-28481 Source advisory: SNYK:JS-SOCKETIO-1024859...
NodeBB Forum 1.14.2 Account Takeover
Exploit Title: NodeBB Forum 1.12.2-1.14.2 - Account Takeover Date: 2020-08-18 Exploit Author: Muhammed Eren Uygun Vendor Homepage: https://nodebb.org/ Software Link: https://github.com/NodeBB/NodeBB Version: 1.12.2-1.14.2 Tested on: Linux CVE : CVE-2020-15149 -...
CVE-2020-24807: Preventing critical Socket.IO vulnerability
This year is full of extraordinary events and the cybersecurity domain is not an exception. Major WebSocket vulnerabilities are not discovered often; they are rare. But here is a new one, CVE-2020-24807, mentioned in a Socket.io advisory 6 days ago:...
CVE-2020-24807
The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported...
Input validation
The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported...
CVE-2020-24807
The CVE-2020-24807 issue affects the Node.js package socket.io-file up to version 2.0.31. The vulnerability stems from relying on client-side validation of file types, enabling an attacker to upload an executable file by modifying the name field in JSON, potentially leading to arbitrary code exec...
File restriction bypass in socket.io-file
All versions of socket.io-file are vulnerable to a file restriction bypass. The validation for valid file types only happens on the client-side, which allows an attacker to intercept the Websocket request post-validation and alter the name value to upload any file types. No fix is currently...
@best/agent-hub (>=7.0.1 <=17.0.0), best (>=7.0.1 <=17.0.0) potentially affected by CVE-2020-24807 via socket.io-file (=2.0.31)
socket.io-file NPM version =2.0.31 is affected by a known vulnerability. The following packages have a transitive dependency on socket.io-file and may be impacted: - @best/agent-hub =7.0.1, =7.0.1, =17.0.0 Source cves: CVE-2020-24807 Source advisory: OSV:GHSA-6495-8JVH-F28X...
File restriction bypass in socket.io-file
Overview All versions of socket.io-file are vulnerable to a file restriction bypass. The validation for valid file types only happens on the client-side, which allows an attacker to intercept the Websocket request post-validation and alter the name value to upload any file types. Recommendation No...
PT-2020-15839 · Node.Js · Socket.Io-File
Name of the Vulnerable Software and Affected Versions: socket.io-file versions through 2.0.31 Description: The socket.io-file package for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified...
CVE-2020-15149
NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event via an...
Design/Logic Flaw
NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event via an...
CVE-2020-15149 Account takeover in NodeBB
NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event via an...
Socket.io-file 2.0.31 Arbitrary File Upload
Exploit Title: Socket.io-file 2.0.31 - Arbitrary File Upload Date: 2020-07-02 Exploit Author: Cr0wTom Vendor Homepage: https://www.npmjs.com/package/socket.io-file Software Link: https://www.npmjs.com/package/socket.io-file/v/2.0.31 Version: = v2.0.31 Tested on: node v10.19.0, Socket.io-file...
Socket.io-file 2.0.31 - Arbitrary File Upload Exploit
Exploit for multiple platforms in category web applications...