7925 matches found

Vulnrichment
added 2024/05/02 6:48 a.m. | 18 views

CVE-2024-32962 XML signature verification bypass due improper verification of signature / signature spoofing

xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional...

CVSS 10 | AI score 6.7 | EPSS 0.13367
Exploits: 1 | References: 7
OSV
added 2024/05/02 6:48 a.m. | 19 views

CVE-2024-32962 XML signature verification bypass due improper verification of signature / signature spoofing

xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional...

CVSS 10 | AI score 8.6 | EPSS 0.13367
Exploits: 1 | References: 9
CNNVD
added 2024/05/02 12:0 a.m. | 6 views

libxmljs security vulnerability

libxmljs is the LibXML binding for node.js. A security vulnerability exists in libxmljs2 that stems from the presence of a type confusion vulnerability...

CVSS 8.1 | AI score 7.9 | EPSS 0.02979
Exploits: 0 | References: 3
Tenable Nessus
added 2024/05/02 12:0 a.m. | 27 views

Mongo-Express < 0.54.0 RCE

The version of the mongo-express Node.js module installed on the remote host is prior to 0.54.0. It is, therefore, affected by a remote code execution vulnerability via endpoints that use the 'toBSON' method. A misuse of the vm dependency allows performing 'exec' commands in a non-safe environmen...

CVSS 9.9 | AI score 9.1 | EPSS 0.94352
Exploits: 3 | References: 2
CNNVD
added 2024/05/02 12:0 a.m. | 4 views

libxmljs security vulnerability

libxmljs is the LibXML binding for node.js. A security vulnerability exists in libxmljs that stems from the presence of a type confusion vulnerability...

CVSS 9.8 | AI score 7.8 | EPSS 0.04115
Exploits: 1 | References: 3
Tenable Nessus
added 2024/05/02 12:0 a.m. | 30 views

Splunk Enterprise 8.1 < 8.1.13, 8.2.0 < 8.2.10, 9.0.0 < 9.0.4 (SVD-2023-0215)

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0215 advisory. - Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very...

CVSS 8.8 | AI score 7.7 | EPSS 0.03173
Exploits: 3 | References: 10
Tenable Nessus
added 2024/05/02 12:0 a.m. | 28 views

RHEL 8 : nodejs:16 (RHSA-2024:2651)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:2651 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes...

CVSS 7.5 | AI score 7.1 | EPSS 0.0038
Exploits: 0 | References: 4
IBM Security Bulletins
added 2024/04/30 7:36 a.m. | 41 views

Security Bulletin: IBM Decision Optimization for Cloud Pak for Data may be vulnerable to a remote attacker (CVE-2024-28849)

Summary There is a vulnerability in follow-redirects used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-28849 DESCRIPTION: Node.js follow-redirects module could...

CVSS 6.5 | AI score 6.3 | EPSS 0.01077
Exploits: 1 | Affected Software: 1
OpenVAS
added 2024/04/30 12:0 a.m. | 28 views

Express Detection (HTTP)

HTTP based detection of the Express Node.js web application framework and Node.js itself based on the Express detection. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s)...

CVSS 6.1 | AI score 6.7 | EPSS 0.00154
Exploits: 0 | References: 3
Tenable Nessus
added 2024/04/29 12:0 a.m. | 25 views

Fedora 40 : nodejs20 (2024-2ffe03eaa6)

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-2ffe03eaa6 advisory. 2024-04-03, Version 20.12.1 'Iron' LTS, @RafaelGSS This is a security release Notable Changes CVE-2024-27983 - Assertion failed in...

CVSS 8.2 | AI score 7.3 | EPSS 0.75933
Exploits: 1 | References: 3
Tenable Nessus
added 2024/04/29 12:0 a.m. | 29 views

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2024-594)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-594 advisory. 2024-06-19: CVE-2024-27982 was added to this advisory. NOTE: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ CVE-2024-27982 An attacker can make the Node.js HTTP/2 server...

CVSS 8.2 | AI score 7.1 | EPSS 0.75933
Exploits: 3 | References: 10
Tenable Nessus
added 2024/04/29 12:0 a.m. | 43 views

Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2024-593)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-593 advisory. An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in...

CVSS 8.2 | AI score 7.3 | EPSS 0.75933
Exploits: 2 | References: 6
Tenable Nessus
added 2024/04/29 12:0 a.m. | 25 views

Fedora 40 : nodejs18 (2024-2c52524694)

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-2c52524694 advisory. 2024-04-10, Version 18.20.2 'Hydrogen' LTS, @RafaelGSS This is a security release. Notable Changes CVE-2024-27980 - Command injection via args parameter of...

CVSS 8.1 | AI score 8.1 | EPSS 0.00369
Exploits: 0 | References: 2
Tenable Nessus
added 2024/04/29 12:0 a.m. | 31 views

Fedora 40 : pgadmin4 (2024-db558f6fb2)

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-db558f6fb2 advisory. Fix CVE-2024-28849. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for thi...

CVSS 6.5 | AI score 6.7 | EPSS 0.01077
Exploits: 1 | References: 2
Github Security Blog
added 2024/04/28 6:30 p.m. | 66 views

ejs lacks certain pollution protection

The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...

CVSS 4 | AI score 7.1 | EPSS 0.01499
Exploits: 1 | References: 5 | Affected Software: 1
OSV
added 2024/04/28 6:30 p.m. | 0 views

GHSA-GHR5-CH3P-VCR6 ejs lacks certain pollution protection

The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...

CVSS 6.9 | AI score 7.2 | EPSS 0.01499
Exploits: 1 | References: 5
OSV
added 2024/04/28 4:15 p.m. | 37 views

CVE-2024-33883

The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...

CVSS 4 | AI score 6.9
Exploits: 0 | References: 3
NVD
added 2024/04/28 4:15 p.m. | 24 views

CVE-2024-33883

The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...

CVSS 4 | AI score 6.4 | EPSS 0.01499
Exploits: 1 | References: 3
UbuntuCve
added 2024/04/28 4:15 p.m. | 39 views

CVE-2024-33883

The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...

CVSS 4 | AI score 6.8 | EPSS 0.01499
Exploits: 1 | References: 4
CVE
added 2024/04/28 12:0 a.m. | 350 views

CVE-2024-33883

CVE-2024-33883: The Node.js module ejs (Embedded JavaScript templates), up to version before 3.1.10, lacks certain pollution protection, enabling local attackers to potentially cause a denial of service. The connected IBM/Astra Linux references confirm the same description. Reported impact: den...

CVSS 4 | AI score 6.5 | EPSS 0.01499
Exploits: 1 | References: 3