
276 matches found

Prion
added 2018/06/04 7:29 p.m., 8 views

Path traversal

augustine node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path...

CVSS 4, AI score 6.3, EPSS 0.00489
Exploits 1, References 1, Affected Software 1
CVE
added 2018/06/04 7:0 p.m., 43 views

CVE-2017-0930

The CVE-2017-0930 entry concerns the Node.js package augustine, a static HTTP server. A lack of URL validation enables a path traversal vulnerability in the file-serving component, allowing an attacker to read arbitrary files outside the web root (as demonstrated by crafted GET requests such as /...

CVSS 6.5, AI score 6.3, EPSS 0.00489
Exploits 1, References 1, Affected Software 1
CVE
added 2018/06/04 7:0 p.m., 62 views

CVE-2017-0928

CVE-2017-0928 affects the html-janitor node module. The root cause is external control of the _sanitized variable, allowing sanitization bypass and enabling cross-site scripting (XSS). All versions are reported vulnerable (per multiple advisories), with remediation/mitigation guidance to upgrade ...

CVSS 6.1, AI score 6.1, EPSS 0.00185
Exploits 0, References 2, Affected Software 1
Cvelist
added 2018/06/04 7:0 p.m., 11 views

CVE-2017-0930

augustine node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path...

AI score 6.3, EPSS 0.00489
Exploits 1, References 1
NVD
added 2018/06/04 4:29 p.m., 9 views

CVE-2016-10663

wixtoolset is a Node module wrapper around the wixtoolset binaries. wixtoolset downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the...

CVSS 9.3, AI score 8.3, EPSS 0.00736
Exploits 0, References 2
Prion
added 2018/06/04 4:29 p.m., 8 views

Remote code execution

wixtoolset is a Node module wrapper around the wixtoolset binaries. wixtoolset downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the...

CVSS 9.3, AI score 8, EPSS 0.00736
Exploits 0, References 2, Affected Software 1
CVE
added 2018/06/04 4:0 p.m., 66 views

CVE-2016-10663

CVE-2016-10663 affects wixtoolset (Node wrapper around wixtoolset binaries): it downloads binary resources over HTTP, enabling MITM modification of the requested file and potentially remote code execution. Descriptions across multiple sources confirm the root cause is unencrypted HTTP downloads t...

CVSS 9.3, AI score 8.2, EPSS 0.00736
Exploits 0, References 2, Affected Software 1
Cvelist
added 2018/06/04 4:0 p.m., 9 views

CVE-2016-10663

wixtoolset is a Node module wrapper around the wixtoolset binaries. wixtoolset downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the...

AI score 8.3, EPSS 0.00736
Exploits 0, References 2
Veracode
added 2018/06/04 4:57 a.m., 15 views

Man-in-the-Middle (MitM)

atom-node-module-installer is vulnerable to man-in-the-middle (MitM) attacks. This is because it downloads binary resources via HTTP, allowing MitM attacks. Also, it may potentially cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the...

CVSS 8.1, AI score 8.3, EPSS 0.00735
Exploits 0, References 1, Affected Software 1
NVD
added 2018/06/01 6:29 p.m., 9 views

CVE-2016-10620

atom-node-module-installer installs node modules for atom-shell applications. atom-node-module-installer downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled...

CVSS 9.3, AI score 8.4, EPSS 0.00735
Exploits 0, References 1
Prion
added 2018/06/01 6:29 p.m., 9 views

Remote code execution

atom-node-module-installer installs node modules for atom-shell applications. atom-node-module-installer downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled...

CVSS 9.3, AI score 8.1, EPSS 0.00735
Exploits 0, References 1, Affected Software 1
CVE
added 2018/06/01 6:0 p.m., 62 views

CVE-2016-10620

The CVE-2016-10620 issue affects the atom-node-module-installer, which downloads binaries over HTTP. This enables MitM manipulation of the downloaded executable, potentially enabling remote code execution if an attacker is on the network or between the user and the server. The practical impact is...

CVSS 9.3, AI score 8.3, EPSS 0.00735
Exploits 0, References 1, Affected Software 1
Cvelist
added 2018/06/01 6:0 p.m., 13 views

CVE-2016-10620

atom-node-module-installer installs node modules for atom-shell applications. atom-node-module-installer downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled...

AI score 8.4, EPSS 0.00735
Exploits 0, References 1
RedhatCVE
added 2018/05/31 9:22 p.m., 30 views

CVE-2015-9235

In the jsonwebtoken node module before 4.2.2, it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family of algorithms) is expected but the attacker instead sends a token digitally signed with a symmetric algorithm (HS family)...

CVSS 9.8, AI score 2.1, EPSS 0.37481
Exploits 3, References 1
OSV
added 2018/05/31 8:29 p.m., 0 views

CVE-2016-10541

The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape the ">" and "<" operators used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection...

CVSS 9.8, AI score 5.8, EPSS 0.00397
Exploits 1, References 2
NVD
added 2018/05/29 8:29 p.m., 9 views

CVE-2018-3733

crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read content of any file with known path...

CVSS 7.5, AI score 7.4, EPSS 0.00368
Exploits 1, References 2
OSV
added 2018/05/29 8:29 p.m., 0 views

CVE-2018-3734

stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read content of any file with known path...

CVSS 7.5, AI score 5.8
Exploits 0, References 1
NVD
added 2018/05/29 8:29 p.m., 7 views

CVE-2015-9243

When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions like origin, a higher level config that included security restrictions like origin would have those restrictions...

CVSS 5.9, AI score 5.7, EPSS 0.00165
Exploits 1, References 2
NVD
added 2018/05/29 8:29 p.m., 5 views

CVE-2015-9244

Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with mysql.escape which could lead to SQL Injection...

CVSS 9.8, AI score 9.7, EPSS 0.00941
Exploits 1, References 2
NVD
added 2018/05/29 8:29 p.m., 10 views

CVE-2014-10068

The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when showHidden is false...

CVSS 7.5, AI score 7.5, EPSS 0.00476
Exploits 0, References 3