Lucene search
K

81 matches found

Github Security Blog
Github Security Blog
added 2020/09/02 3:47 p.m.29 views

Cross-Site Scripting in semantic-ui-search

All versions of semantic-ui-search are vulnerable to Cross-Site Scripting. Lack of output encoding on the selection dropdowns can lead to user input being executed instead of printed as text. Recommendation No fix is currently available. Consider using an alternative module until a fix is made...

4.3AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2020/09/02 3:43 p.m.28 views

Remote Code Execution in pomelo-monitor

All versions of pomelo-monitor are vulnerable to Remote Code Execution. Due to insufficient input validation an attacker could run arbitrary commands on the server thus rendering the package vulnerable to Remote Code Execution. Recommendation No fix is currently available. Consider using an...

6.9AI score
Exploits0References2Affected Software1
OSV
OSV
added 2020/09/02 3:42 p.m.15 views

GHSA-44VF-8FFM-V2QH Sensitive Data Exposure in rails-session-decoder

All versions of rails-session-decoder are missing verification of the Message Authentication Code appended to the cookies. This may lead to decryption of cipher text thus exposing encrypted information. Recommendation No fix is currently available. Consider using an alternative module until a fix...

7.3AI score
Exploits0References1
OSV
OSV
added 2020/09/01 9:26 p.m.13 views

GHSA-X6M6-5HRF-FH6R Denial of Service in markdown-it-toc-and-anchor

All versions of markdown-it-toc-and-anchor are vulnerable to Denial of Service. Parsing markdown containing text+\n@toc causes the application to enter and infinite loop. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available...

7.5CVSS7AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2020/09/01 9:26 p.m.51 views

Denial of Service in markdown-it-toc-and-anchor

All versions of markdown-it-toc-and-anchor are vulnerable to Denial of Service. Parsing markdown containing text+\n@toc causes the application to enter and infinite loop. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available...

4.5AI score
Exploits0References4Affected Software1
OSV
OSV
added 2020/09/01 3:57 p.m.11 views

GHSA-4V9Q-HM2P-68C4 Spoofing attack due to unvalidated KDC in node-krb5

Affected versions of node-krb5 do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials. Recommendation It appears that this will remain unfixed indefinitely, ...

6.4AI score0.00615EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2020/09/01 3:57 p.m.26 views

Spoofing attack due to unvalidated KDC in node-krb5

Affected versions of node-krb5 do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials. Recommendation It appears that this will remain unfixed indefinitely, ...

4.5AI score0.00615EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2020/09/01 3:17 p.m.29 views

Regular Expression Denial of Service in ansi2html

The ansi2html package is affected by a regular expression denial of service vulnerability when certain types of user input is passed in. Proof of concept var ansi2html = require'ansi2html' var start = process.hrtime; ansi2html"1111111111111111111111;0000000000000000000000";...

7.5CVSS7.2AI score0.01151EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2020/09/01 3:16 p.m.21 views

GHSA-MVMF-CVFX-QG55 Regular Expression Denial of Service in bleach

All versions of the bleach package are vulnerable to a regular expression denial of service attack when certain types of input are passed into the sanitize function. Recommendation The bleach package is not currently maintained, and has not seen an update since 2014. To mitigate this issue, it is...

5.3CVSS6.4AI score0.0172EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2020/09/01 3:16 p.m.25 views

Regular Expression Denial of Service in bleach

All versions of the bleach package are vulnerable to a regular expression denial of service attack when certain types of input are passed into the sanitize function. Recommendation The bleach package is not currently maintained, and has not seen an update since 2014. To mitigate this issue, it is...

4.4AI score0.0172EPSS
Exploits0References4Affected Software1
Node.js
Node.js
added 2020/02/28 2:0 p.m.20 views

Improper Authorization

Overview All versions of react-oauth-flow fail to properly implement the OAuth protocol. The package stores secrets in the front-end code. Instead of using a public OAuth client, it uses a confidential client on the browser. This may allow attackers to compromise server credentials. Recommendatio...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/10/31 8:32 p.m.18 views

Path Traversal

Overview All versions of statics-server are vulnerable to Path Traversal. The package fails to limit access to files outside of the served folder through symlinks. Recommendation No fix is currently available. Do not use statics-server in production or consider using an alternative module until a...

6.8AI score
Exploits0Affected Software1
OSV
OSV
added 2019/09/11 11:1 p.m.9 views

GHSA-5W65-6875-RHQ8 Undefined Behavior in sailsjs-cacheman

All versions of sailsjs-cacheman have a vulnerability that may lead to Undefined Behavior. The config variable is exposing to the global scope which may overwrite other variables and cause the application to misbehave. Recommendation No fix is currently available. Consider using an alternative...

7.1AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2019/09/11 11:1 p.m.17 views

Undefined Behavior in sailsjs-cacheman

All versions of sailsjs-cacheman have a vulnerability that may lead to Undefined Behavior. The config variable is exposing to the global scope which may overwrite other variables and cause the application to misbehave. Recommendation No fix is currently available. Consider using an alternative...

3.9AI score
Exploits0References4Affected Software1
Node.js
Node.js
added 2019/09/04 3:40 p.m.12 views

Path Traversal

Overview All versions of public are vulnerable to Path Traversal. This vulnerability allows an attacker to access files outside the webroot since it allows symlink navigation in the URL. Recommendation No fix is currently available. Do not use public in production or consider using an alternative...

6.7AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/06/19 7:58 p.m.14 views

Path Traversal

Overview All versions of file-static-server are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files by using relative paths when fetching files. Recommendation No fix is currently available. Consider using an alternative module until a f...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/06/19 12:11 a.m.15 views

Prototype Pollution

Overview All versions of mergify are vulnerable to Prototype Pollution. The mergify function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects. Recommendation No fix is currently available. Consider using...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/06/18 11:16 p.m.22 views

Path Traversal

Overview All versions of buttle are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths when fetching files. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available...

5CVSS3.7AI score0.01918EPSS
Exploits1Affected Software1
Node.js
Node.js
added 2019/06/17 6:9 p.m.15 views

Command Injection

Overview All versions of wizard-syncronizer are vulnerable to Command Injection. The package does not validate input on the cloneAndSync function and concatenates it to an exec call. This can be abused through a malicious widget containing the payload in the gitURL value or through a MITM attack...

7.1AI score
Exploits0Affected Software1
OSV
OSV
added 2019/06/13 4:12 p.m.7 views

GHSA-6FMM-47QC-P4M4 Unauthorized File Access in harp

All versions of harp are vulnerable to Unauthorized File Access. If a symlink in the project's base directory points to a file outside of the directory, the file is served. This could allow an attacker to access sensitive files on the server. Recommendation No fix is currently available. Consider...

5.3CVSS5AI score0.01485EPSS
Exploits1References3
Rows per page
Query Builder