1294 matches found
Out-of-bounds Read
Overview Versions of byte before 1.4.1 allocate uninitialized buffers and read data from them past the initialized length Recommendation Update to version 1.4.1 or later. References - HackerOne Report - PR 3 - GitHub Advisory...
Malicious Package
Overview ladder-text-js contained a malicious script that attempted to delete all files when npm test was run. Recommendation This module has been unpublished from the npm Registry. If you find this module in your environment remove it. References GitHub Advisory...
Malicious Package
Overview nothing-js contained a malicious script that attempted to delete all files when npm test was run. Recommendation This module has been unpublished from the npm Registry. If you find this module in your environment remove it. References GitHub Advisory...
Malicious Package
Overview The getcookies module contained a backdoor that would allow for a remote attacker to execute arbitrary commands on the system running the malicious module. Recommendation This module should be uninstalled if found used within an application. In addition to removing the installed module,...
Cross-Site Scripting
Overview Versions of react-svg before 2.2.18 are vulnerable to cross-site scripting xss. This is due to the fact that scripts found in SVG files are run by default. Recommendation Update to version 2.2.18 or later. References - GitHub PR 57 - GitHub Advisory...
Out-of-bounds Read
Overview Versions of atob before 2.1.0 uninitialized Buffers when number is passed in input on Node.js 4.x and below. Recommendation Update to version 2.1.0 or later. References - HackerOne Report - GitHub Advisory...
Out-of-bounds Read
Overview Versions of concat-with-sourcemaps before 1.0.6 allocates uninitialized Buffers when a number is passed as a separator. Recommendation Update to version 1.0.6 or later. References - HackerOne Report - Source Reference - GitHub Advisory...
Command Injection
Overview Versions of pdfinfojs before 0.4.1 are vulnerable to command injection. This is exploitable if an attacker can control the filename parameter that is passed into the pdfinfojs constructor. Recommendation Update to version 0.4.1 or later. References - HackerOne Report - Commit 5cc59cd -...
Cross-Site Scripting (XSS)
Overview Versions of cloudcmd before 9.1.6 are vulnerable to cross-site scripting XSS when listing files in a directory. The attacker must control the name of a file for this vulnerability to be exploitable. Recommendation Update to version 9.1.6 or later. References - HackerOne...
Path Traversal
Overview All versions of mcstatic are vulnerable to path traversal. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time. References - HackerOne Report - GitHub Advisory...
Malicious Package
Overview Version 0.0.7 of react-server-native contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.7 of this module is found...
Malicious Package
Overview Version 1.0.2 of oauth-validator contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.2 of this module is found...
Malicious Package
Overview Version 2.0.10 of json-serializer contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 2.0.10 of this module is found...
Malicious Package
Overview Version 0.0.4 of dossier contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.4 of this module is found installed you...
Malicious Package
Overview Version 1.0.2 of csstransformsupport contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.2 of this module is found...
Malicious Package
Overview Version 4.1.48 of another-date-range-picker contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 4.1.48 of this module is...
Malicious Package
Overview Version 0.0.9 of angular-bmap contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.9 of this module is found installe...
Prototype Pollution
Overview Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution. Recommendation Update to version 0.5.1 or later. References - HackerOne Report - GitHub Advisory...
Prototype Pollution
Overview Versions of deap before 1.0.1 are vulnerable to prototype pollution. Recommendation Update to version 1.0.1 or later. References - HackerOne Report - GitHub Advisory...
Cross-Site Scripting
Overview All versions of public are vulnerable to stored cross-site scripting XSS. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time. References - HackerOne Report - GitHub Advisory...