8 matches found
fiskit (>=0.0.27 <=0.0.28) potentially affected by CVE-2016-10660 via fis-parser-sass-bin (=1.0.1)
fis-parser-sass-bin NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on fis-parser-sass-bin and may be impacted:
- fiskit =0.0.27, =0.0.28
Source CVEs: CVE-2016-10660
Source advisory: OSV:GHSA-5PQ8-2Q24-MJ3P...
GHSA-5PQ8-2Q24-MJ3P Downloads Resources over HTTP in fis-parser-sass-bin
Affected versions of fis-parser-sass-bin insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...
fis-parser-sass-bin remote code execution vulnerability
fis-parser-sass-bin is a fis-based plugin for compiling sass using node-sass-binaries. A security vulnerability exists in fis-parser-sass-bin, which originates when a program downloads an executable file over an unencrypted HTTP connection. A remote attacker could exploit the vulnerability by...
Man-in-the-Middle (MitM)
fis-parser-sass-bin is susceptible to man-in-the-middle (MitM) attacks. The package downloads binary resources via HTTP, allowing MitM attacks. Since the attacker can replace the requested binary with a binary they control if the attacker is on the network or positioned in between the user and...
CVE-2016-10660
fis-parser-sass-bin is a plugin for fis to compile sass using node-sass-binaries. fis-parser-sass-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker...
Remote code execution
fis-parser-sass-bin is a plugin for fis to compile sass using node-sass-binaries. fis-parser-sass-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker...
CVE-2016-10660
CVE-2016-10660 affects the fis-parser-sass-bin plugin used to compile Sass via node-sass-binaries. The vulnerability arises because the plugin downloads binary resources over HTTP, allowing a network-positioned attacker to perform a MITM interception and replace the requested binary with a malici...
Downloads Resources over HTTP
Overview: Affected versions of fis-parser-sass-bin insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...