1327 matches found
Command Injection
Overview Versions of pdfinfojs before 0.4.1 are vulnerable to command injection. This is exploitable if an attacker can control the filename parameter that is passed into the pdfinfojs constructor. Recommendation Update to version 0.4.1 or later. References - HackerOne Report - Commit 5cc59cd -...
Cross-Site Scripting (XSS)
Overview Versions of cloudcmd before 9.1.6 are vulnerable to cross-site scripting XSS when listing files in a directory. The attacker must control the name of a file for this vulnerability to be exploitable. Recommendation Update to version 9.1.6 or later. References - HackerOne...
Path Traversal
Overview All versions of mcstatic are vulnerable to path traversal. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time. References - HackerOne Report - GitHub Advisory...
Malicious Package
Overview Version 0.0.7 of react-server-native contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.7 of this module is found...
Malicious Package
Overview Version 1.0.2 of oauth-validator contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.2 of this module is found...
Malicious Package
Overview Version 2.0.10 of json-serializer contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 2.0.10 of this module is found...
Malicious Package
Overview Version 0.0.4 of dossier contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.4 of this module is found installed you...
Malicious Package
Overview Version 1.0.2 of csstransformsupport contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.2 of this module is found...
Malicious Package
Overview Version 4.1.48 of another-date-range-picker contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 4.1.48 of this module is...
Malicious Package
Overview Version 0.0.9 of angular-bmap contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.9 of this module is found installe...
Prototype Pollution
Overview Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution. Recommendation Update to version 0.5.1 or later. References - HackerOne Report - GitHub Advisory...
Prototype Pollution
Overview Versions of deap before 1.0.1 are vulnerable to prototype pollution. Recommendation Update to version 1.0.1 or later. References - HackerOne Report - GitHub Advisory...
Cross-Site Scripting
Overview All versions of public are vulnerable to stored cross-site scripting XSS. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time. References - HackerOne Report - GitHub Advisory...
Cross-Site Scripting
Overview All versions of bracket-template are vulnerable to stored cross-site scripting XSS. This is exploitable when a variable passed in via a GET parameter is used in a template. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use...
Cross-Site Scripting
Overview Versions of metascraper prior to 5.3.0 are vulnerable to stored cross-site scripting XSS. Recommendation Upgrade to version 5.3.0 or later. References - HackerOne Report - GitHub Advisory...
Remote Memory Exposure
Overview Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure. Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database. Recommendation Update to version 4.3.6, 3.8.39 ...
Memory Exposure
Overview Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number. Proof-of-concept: js require'request' method: 'GET', uri: 'http://www.example.com', tunnel: true, proxy: protocol: 'http:',...
Memory Exposure
Overview Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if userp provided input is passed into write Versions 1.3.0 are not affected due to not using unguarded Buffer constructor. Recommendation Update to version 1.5.2, 1.4.11, 1.3.2 or later. If you are unable to update...
Denial of Service
Overview Versions of https-proxy-agent before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options proxy.auth being passed to Buffer. Recommendation Update to version 2.2.0 or later. References - index.js Line 207 - HackerOne Report - GitHub Advisory...
Path Traversal
Overview All versions of general-file-server are vulnerable to path traversal. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not use this module until a fix has been provided. References - HackerOne Report - GitHub Advisory...