Lucene search
K

56 matches found

Prion
Prion
added 2019/03/21 4:1 p.m.12 views

Design/Logic Flaw

If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port 1.3.2...

9.3CVSS7.9AI score0.01887EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2019/03/17 7:42 p.m.21 views

CVE-2019-5414

If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port 1.3.2...

8AI score0.01887EPSS
Exploits1References1
Hacker One
Hacker One
added 2019/03/14 3:6 p.m.17 views

Node.js third-party modules: [md-fileserver] Path Traversal

I would like to report path traversal in md-fileserver modulee It allows an attacker to read system files via path traversal through commandline Module module name: md-fileserver version: 1.3.2 npm page: https://www.npmjs.com/package/md-fileserver Module Description Starts a local server to rende...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2019/03/12 1:44 p.m.32 views

Node.js third-party modules: XSS in Bootbox

Hi. Sorry for taking the time with this report. This is already publicly disclosed issue at -https://github.com/makeusabrew/bootbox/issues/661 In essence all dialogs of bootbox vulnurable to XSS injections bootbox.alert"\alert1;"; This is apparently a feature to allow injecting HTML in messages...

6.1AI score
Exploits0
Hacker One
Hacker One
added 2019/03/12 10:40 a.m.22 views

Node.js third-party modules: [increments] sql injection

I would like to report SQL Injection in increments. It allows creating fake polls. Module module name: increments version: 1.2.1 npm page: https://www.npmjs.com/package/increments Module Description Increment is a database-driven for creating polls and taking votes for various options, candidates...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2019/03/10 4:49 a.m.15 views

Node.js third-party modules: [deliver-or-else] Path Traversal

I would like to report path traversal in deliver-or-else module It allows an attacker to read system files via path traversal through commandline Module module name: deliver-or-else version: 1.0.0 npm page: https://www.npmjs.com/package/deliver-or-else Module Description Copy description from npm...

0.2AI score
Exploits0
Veracode
Veracode
added 2019/02/26 5:52 a.m.9 views

Remote Code Execution (RCE)

kill-port is vulnerable to remote code execution. An attacker is able to inject and execute arbitrary OS commands due to the usage of exec in a third-party module...

8AI score
Exploits0
Hacker One
Hacker One
added 2018/12/16 7:46 a.m.54 views

Node.js third-party modules: [webpack-bundle-analyzer] Cross-site Scripting

I would like to report Cross-site Scripting in webpack-bundle-analyzer. It allows injecting and executing arbitray JavaScript code. Module module name: webpack-bundle-analyzer version: 3.0.3 npm page: https://www.npmjs.com/package/webpack-bundle-analyzer Module Description Visualize size of webpa...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/12/03 3:53 p.m.79 views

Node.js third-party modules: Prototype pollution attack through jQuery $.extend

I would like to report prototype pollution in jQuery. It allows an attacker to inject properties on Object.prototype. Module module name: jquery version: 3.3.1 npm page: https://www.npmjs.com/package/jquery Module Description jQuery is a fast, small, and feature-rich JavaScript library. Module...

4.3CVSS1.1AI score0.87218EPSS
Exploits4
Hacker One
Hacker One
added 2018/09/01 3:35 a.m.34 views

Node.js third-party modules: List any file in the folder by using path traversal

I would like to report Path Traversal in simplehttpserver. It allows to list any file in another folder of web root. Module module name: simplehttpserver version: v0.2.1 npm page: https://www.npmjs.com/package/simplehttpserver Module Description 'simpehttpserver' is an simple imitation of python'...

5CVSS0.8AI score0.01295EPSS
Exploits0
Prion
Prion
added 2018/07/03 9:29 p.m.14 views

Sql injection

Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from database...

6.5CVSS8.9AI score0.01202EPSS
Exploits1References1Affected Software1
Hacker One
Hacker One
added 2018/04/22 10:32 p.m.14 views

Node.js third-party modules: [entitlements] Command injection on the 'path' parameter

Hello again, another command injection, this time on the entitlements module. Module module name: entitlements version: 1.2.0 npm page: https://www.npmjs.com/package/entitlements Module Description check the entitlements of a .app bundle Module Stats 26 downloads in the last day 328 downloads in...

0.6AI score
Exploits0
Hacker One
Hacker One
added 2018/03/04 1:20 a.m.14 views

Node.js third-party modules: `njwt` allocates uninitialized Buffers when number is passed in base64urlEncode input

I would like to report an uninitialized Buffer allocation issue in njwt. It allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed e.g. from JSON. Module module name: njwt version: 0.4.0 npm page:...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2018/03/04 1:5 a.m.30 views

Node.js third-party modules: `put` allocates uninitialized Buffers when non-round numbers are passed in input

I would like to report an uninitialized Buffer allocation issue in put. It allows to extract sensitive data from uninitialized memory by passing in non-round numbers, in setups where typed user input can be passed e.g. from JSON. Module module name: put version: 0.0.6 npm page:...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/03/03 11:51 p.m.15 views

Node.js third-party modules: `base64-url` below 2.0 allocates uninitialized Buffers when number is passed in input

I would like to report an uninitialized Buffer allocation issue in base64-url. It allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed e.g. from JSON. Module module name: base64-url version: 1.3.3...

1AI score
Exploits0
Hacker One
Hacker One
added 2018/02/28 3:13 a.m.30 views

Node.js third-party modules: `foreman` is vulnerable to ReDoS in path

I would like to report ReDoS in foreman. It allows to cause denial of service by suppling a crafted path. Module module name: foreman version: 2.0.0 npm page: https://www.npmjs.com/package/foreman Module Description Node Foreman is a Node.js version of the popular Foreman tool, with a few Node...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/02/25 5:59 p.m.84 views

Node.js third-party modules: `protobufjs` is vulnerable to ReDoS when parsing crafted invalid *.proto files

I would like to report a ReDoS in protobufjs It allows to cause Denial of Service by trying to parse or load a crafted .proto file. Module module name: protobufjs version: 6.8.5 npm page: https://www.npmjs.com/package/MODULE NAME Module Description Protocol Buffers are a language-neutral,...

4.3CVSS1.2AI score0.00958EPSS
Exploits1
Hacker One
Hacker One
added 2018/02/25 4:6 a.m.15 views

Node.js third-party modules: typeorm does not properly escape parameters when building SQL queries, resulting in potential SQLi

I would like to report an SQLi in typeorm. It allows to insert potentially user-controlled content into the queries without proper escaping, in cases where that is not verified additionally in the applications that are using typeorm library. Module module name: typeorm version: 0.1.12 npm page:...

7.8AI score
Exploits0
Hacker One
Hacker One
added 2018/02/11 9:24 p.m.19 views

Node.js third-party modules: Media parsing in canvas is at least vulnerable to Denial of Service through multiple vulnerabilities

There is at least a DoS vulnerability in canvas. It segfaults node.js which leads to a Denial of Service, but according to !exploitable it could possibly be worse Module canvas node-canvas is a Cairo backed Canvas implementation for NodeJS. https://www.npmjs.com/package/canvas version: 1.6.9 Stat...

6.8CVSS1.7AI score0.02323EPSS
Exploits0
Hacker One
Hacker One
added 2018/02/06 2:8 p.m.73 views

Node.js third-party modules: [localhost-now] Path Traversal allows to read content of arbitrary file

Hi Guys, There is Path Traversal in localhost-now module. It allows to read content of arbitrary files on the remote server. Module localhost-now This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser...

5CVSS7.6AI score0.02021EPSS
Exploits1
Rows per page
Query Builder