CVE-2020-6836

grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may...

Code injection

grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may...

CVE-2020-6836

The CVE-2020-6836 entry refers to an arbitrary code injection in the hot-formula-parser package for Node.js, caused by grammar-parser.jison when parsing user-supplied input. Versions prior to 3.0.1 concatenate input into an eval call, enabling an attacker-controlled formula to execute arbitrary c...

Node.js: CRLF Injection in legacy url API (url.parse().hostname)

Summary: There is CRLF Injection in legacy url.hostname API. Description: During the recent penetration test, I have found a whitelist bypass using CRLF Injection. We did a code review and determined the issue is in a legacy url.hostname API. Not sure if it's a known issue or not, I wasn't able t...

CVE-2018-12116

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to...

DEBIAN-CVE-2014-3743

Multiple cross-site scripting XSS vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to 1 gfm codeblocks language or 2 javascript url's...

CVE-2014-3743

Multiple cross-site scripting XSS vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to 1 gfm codeblocks language or 2 javascript url's...

CVE-2014-3743

Multiple cross-site scripting XSS vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to 1 gfm codeblocks language or 2 javascript url's...

CVE-2014-3743

Multiple cross-site scripting XSS vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to 1 gfm codeblocks language or 2 javascript url's. sanitize: true Even if this option is set, marked is vulnerable to...

Cross site scripting

Multiple cross-site scripting XSS vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to 1 gfm codeblocks language or 2 javascript url's...

CVE-2014-3743

Multiple cross-site scripting XSS vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to 1 gfm codeblocks language or 2 javascript url's...

CVE-2014-3743

Multiple cross-site scripting XSS vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to 1 gfm codeblocks language or 2 javascript url's...

CVE-2014-3743

CVE-2014-3743 affects the Node.js Marked module (before 0.3.1). The vulnerability is due to cross-site scripting in two vectors: gfm codeblocks (language) and javascript: URLs, allowing remote attackers to inject arbitrary script/HTML. The OSV and NVD records corroborate XSS in Marked prior to 0....

Node.js third-party modules: Denial Of Service in Strapi Framework using argument injection

I would like to report Denial Of Service in Strapi Framework.It allows attacker to force restart the server using argument injection. Module module name: strapi version: 3.0.0-beta.18.3 and earlier npm page: https://www.npmjs.com/package/strapi Module Description The Strapi HTTP layer sits on top...

NewStart CGSL CORE 5.05 / MAIN 5.05 : http-parser Multiple Vulnerabilities (NS-SA-2019-0257)

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has http-parser packages installed that are affected by multiple vulnerabilities: - The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to b...

F5 Networks BIG-IP : NodeJS vulnerability (K63025104)

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the...

CVE-2018-12122

It was found that Node.js HTTP server was vulnerable to a Slowloris type attack. An attacker could make long lived connections by sending bytes very slowly to the server, saturating its resource and possibly resulting in a denial of service. Mitigation The use of a Load Balancer or a Reverse Prox...

Pown.js - A Security Testing An Exploitation Toolkit Built On Top Of Node.js And NPM

Pown.js is a security testing and exploitation toolkit built on top of Node.js and NPM. Unlike traditional security tools like Metasploits, Pown.js considers frameworks to be an anti-pattern. Therefore, each module in Pown is in fact a standalone NPM module allowing greater degree of reuse and...

Node.js third-party modules: [http-live-simulator] Application-level DoS

The http-live-simulator npm package has an application level DoS vulnerability...

December 2019 Security Releases

December 2019 Security Releases Update 18-December-2019 Releases available These releases update npm to v6.13.4 to address three vulnerabilities described below. All current release lines were affected. At this time, CVEs have been requested by npm, Inc. and are pending review. See...