Lucene search

7913 matches found

RedhatCVE
added 2019/10/20 6:35 a.m., 27 views

CVE-2018-7159

It was found that the http module from Node.js could accept incorrect Content-Length values, containing spaces within the value, in HTTP headers. A specially crafted client could use this flaw to possibly confuse the script, causing unspecified behavior...

5.3 CVSS, 1.2 AI score, 0.00902 EPSS
Exploits: 0, References: 1

IBM Security Bulletins
added 2019/10/18 5:5 a.m., 78 views

Security Bulletin: Version 8.15.0 of Node.js included in IBM Cloud Event Management 2.3.0 has several security vulnerabilities.

Summary Security Bulletin: Version 8.15.0 of Node.js included in IBM Cloud Event Management 2.3.0 has several security vulnerabilities. Vulnerability Details CVE-ID: CVE-2019-9516 Description: Multiple vendors are vulnerable to a denial of service, caused by a 0-Length Headers Leak attack. By...

7.8 CVSS, 1.2 AI score, 0.50822 EPSS
Exploits: 1, Affected Software: 1

Hacker One
added 2019/10/17 3:59 p.m., 16 views

Node.js third-party modules: Stored XSS (Hexo-admin plugin)

I would like to report Stored XSS in Hexo-admin It allows The Post editor functionality in the hexo-admin plugin 3.9.0 for Node.js is vulnerable to stored XSS via the content of a post. Module module name: Hexo-admin version: 3.9.0 npm page: https://www.npmjs.com/package/hexo-admin Module...

5.4 AI score
Exploits: 0

RedHat Linux
added 2019/10/17 2:54 p.m., 0 views

thrift: Improper Access Control grants access to files outside the webservers docroot path

A flaw was found in the Node.js static web server in Apache Thrift, where it allowed a remote user to access files outside of the set web servers' docroot path. An attacker could use this flaw to possibly access unauthorized files and sensitive information...

6.5 CVSS, 7.4 AI score, 0.00402 EPSS
Exploits: 0, References: 4

OSV
added 2019/10/16 12:15 p.m., 8 views

CVE-2019-17625

There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron,...

9 CVSS, 6.6 AI score
Exploits: 0, References: 1

NVD
added 2019/10/16 12:15 p.m., 11 views

CVE-2019-17625

There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron,...

9 CVSS, 9.1 AI score, 0.04815 EPSS
Exploits: 2, References: 1

Prion
added 2019/10/16 12:15 p.m., 15 views

Cross site scripting

There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron,...

8.5 CVSS, 8.9 AI score, 0.04815 EPSS
Exploits: 2, References: 1, Affected Software: 1

CVE
added 2019/10/16 11:7 a.m., 90 views

CVE-2019-17625

CVE-2019-17625 affects Rambox 0.6.9 with a stored XSS in the name field when adding/editing a service. The root cause is incorrect sanitization of the name field, enabling a payload that can trigger code execution in Node.js/Electron, e.g., via an onerror attribute in an IMG element. Connected so...

9 CVSS, 8.9 AI score, 0.04815 EPSS
Exploits: 2, References: 1, Affected Software: 1

Cvelist
added 2019/10/16 11:7 a.m., 15 views

CVE-2019-17625

There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron,...

9.1 AI score, 0.04815 EPSS
Exploits: 2, References: 1

Tenable Nessus
added 2019/10/15 12:0 a.m., 29 views

NewStart CGSL CORE 5.04 / MAIN 5.04 : http-parser Multiple Vulnerabilities (NS-SA-2019-0208)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has http-parser packages installed that are affected by multiple vulnerabilities: - The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to b...

7.5 CVSS, 7.1 AI score, 0.05572 EPSS
Exploits: 0, References: 3

NVD
added 2019/10/14 8:15 p.m., 12 views

CVE-2019-17592

The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The isInt function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option...

7.5 CVSS, 7.5 AI score, 0.00577 EPSS
Exploits: 0, References: 4

OSV
added 2019/10/14 8:15 p.m., 20 views

CVE-2019-17592

The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The isInt function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option...

7.5 CVSS, 7.7 AI score
Exploits: 0, References: 4

Prion
added 2019/10/14 8:15 p.m., 14 views

Design/Logic Flaw

The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The isInt function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option...

5 CVSS, 7.4 AI score, 0.00577 EPSS
Exploits: 0, References: 4, Affected Software: 2

CVE
added 2019/10/14 7:59 p.m., 117 views

CVE-2019-17592

CVE-2019-17592 affects Node.js csv-parse prior to 4.4.6, where a malformed regular expression in the __isInt() function under the cast option enables a Denial of Service with crafted input. The vulnerability is tied to the csv-parse module, with CVSS v3.1 base score 7.5 (high) and CVSS v2 base sc...

7.5 CVSS, 7.3 AI score, 0.00577 EPSS
Exploits: 0, References: 4, Affected Software: 1

Cvelist
added 2019/10/14 7:59 p.m., 17 views

CVE-2019-17592

The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The isInt function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option...

7.6 AI score, 0.00577 EPSS
Exploits: 0, References: 4

RedHat Linux
added 2019/10/02 2:29 p.m., 214 views

Important: Red Hat Security Advisory: rh-nodejs8-nodejs security update

An update for rh-nodejs8-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

7.8 CVSS, 7.1 AI score, 0.50822 EPSS
Exploits: 1, References: 9

RedHat Linux
added 2019/10/01 10:3 a.m., 1 views

nodejs: Slowloris HTTP Denial of Service

It was found that Node.js HTTP server was vulnerable to a Slowloris type attack. An attacker could make long lived connections by sending bytes very slowly to the server, saturating its resource and possibly resulting in a denial of service...

7.5 CVSS, 7.2 AI score, 0.02342 EPSS
Exploits: 0, References: 4

RedHat Linux
added 2019/10/01 10:3 a.m., 1 views

nodejs: Denial of Service with large HTTP headers

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers almost 80 KB per connection, and carefully timed completion of the headers, it is possible to cause the HTTP...

7.5 CVSS, 6.7 AI score, 0.05572 EPSS
Exploits: 0, References: 4

RedHat Linux
added 2019/10/01 10:3 a.m., 137 views

Important: Red Hat Security Advisory: rh-nodejs10-nodejs security update

An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

7.8 CVSS, 7 AI score, 0.50822 EPSS
Exploits: 1, References: 9

RedHat Linux
added 2019/09/30 3:15 p.m., 183 views

Important: Red Hat Security Advisory: nodejs:10 security update

An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

7.8 CVSS, 7 AI score, 0.50822 EPSS
Exploits: 1, References: 9