7913 matches found
Node.js third-party modules: [npm-git-publish] RCE via insecure command formatting
I would like to report a RCE issue in the npm-git-publish module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: npm-git-publish version: 0.2.4-beta npm page: https://www.npmjs.com/package/npm-git-publish Module Description Share/publish private packag...
Node.js third-party modules: [gity] RCE via insecure command formatting
I would like to report a RCE issue in the gity module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: gity version: 1.0.5 npm page: https://www.npmjs.com/package/gity Module Description A nice Git wrapper for Node. Module Stats 3/4 downloads in the las...
Node.js third-party modules: [meta-git] RCE via insecure command formatting
I would like to report a RCE issue in the meta-git module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: meta-git version: 1.1.2 npm page: https://www.npmjs.com/package/meta-git Module Description git plugin for meta Module Stats 60 downloads in the...
Node.js third-party modules: Crash Node.js process from handlebars using a small and simple source
I would like to report Denial of service in handlebars. It allows an attacker to crush Node.js process with a small and simple source. Module module name: handlebars version: 4.5.1 npm page: https://www.npmjs.com/package/handlebars Module Description Handlebars.js is an extension to the Mustache...
CVE-2019-17592
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The isInt function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option...
CVE-2018-12121
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers almost 80 KB per connection, and carefully timed completion of the headers, it is possible to cause the HTTP...
CVE-2018-7161
All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service DoS by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug wher...
Amazon Linux 2 : http-parser (ALAS-2019-1322)
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers almost 80 KB per connection, and carefully timed completion of the headers, it is possible to cause the HTTP...
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management
Summary There are vulnerabilities in Node.js used by IBM® Cloud App Management. IBM® Cloud App Management has addressed the applicable CVEs in a later version. Vulnerability Details CVEID: CVE-2019-9517 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by an Internal Dat...
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management
Summary There are vulnerabilities in Node.js used by IBM® Cloud App Management. IBM® Cloud App Management has addressed the applicable CVEs in a later version. Vulnerability Details CVEID: CVE-2019-9513 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Resource Loop...
CVE-2019-17606
The Post editor functionality in the hexo-admin plugin versions 2.3.0 and earlier for Node.js is vulnerable to stored XSS via the content of a post...
CVE-2019-17606
The Post editor functionality in the hexo-admin plugin versions 2.3.0 and earlier for Node.js is vulnerable to stored XSS via the content of a post...
Design/Logic Flaw
The Post editor functionality in the hexo-admin plugin versions 2.3.0 and earlier for Node.js is vulnerable to stored XSS via the content of a post...
CVE-2019-17606
CVE-2019-17606 : The hexo-admin plugin for Node.js (versions ≤ 2.3.0) is vulnerable to stored cross-site scripting via the content of a post in the Post editor. The root cause is lack of proper validation/escaping of user-supplied content, allowing an attacker to inject arbitrary JavaScript that ...
CVE-2019-17606
The Post editor functionality in the hexo-admin plugin versions 2.3.0 and earlier for Node.js is vulnerable to stored XSS via the content of a post...
Node.js third-party modules: Prototype pollution in dot-prop
I would like to report a parameter pollution in dot-prop It allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation DoS, access to sensitive data, RCE. Module module name: dot-prop version: 5.1.1 npm page:...
CVE-2018-12115
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding recognized by Node.js under the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le', Bufferwrite can be abused to write outside of the bounds of a single Buffer. Writes that start from the second-to-last...
CVE-2018-7162
All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service DoS by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshak...
Medium: http-parser
Issue Overview: Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers almost 80 KB per connection, and carefully timed completion of the headers, it is possible to...
Node.js third-party modules: [git-lib] RCE via insecure command formatting
I would like to report a RCE issue in the git-lib module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: git-lib version: 1.6.0 npm page: https://www.npmjs.com/package/git-lib Module Description A library that contains different methods to be consumed ...