August 2019 Security Releases
Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all...
Node.js -- multiple vulnerabilities
Node.js reports: Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all active Node....
CVE-2019-13030
eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details. This is related to improper access control for addons configuration pages and a...
Improper access control
eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details. This is related to improper access control for addons configuration pages and a...
CVE-2019-13030
The CVE-2019-13030 entry concerns the eQ-3 Homematic CCU3 AddOn “Mediola NEO Server for Homematic CCU3”, which is vulnerable before version 2.4.5. The root cause is improper access control on addon configuration pages and a missing check in rc.d/97NeoServer, allowing an unauthenticated admin to start/stop ...
CVE-2019-13030
eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details. This is related to improper access control for addons configuration pages and a...
Unspecified Vulnerability in mysql for Node.js
mysql for Node.js is a MySQL driver for Node.js written in JavaScript. A security vulnerability exists in version 2.17.1 of mysql for Node.js. No details of the vulnerability are provided at this time...
CVE-2019-14939
An issue was discovered in the mysql aka mysqljs module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default...
CVE-2019-14939
An issue was discovered in the mysql aka mysqljs module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default...
CVE-2019-14939
An issue was discovered in the mysql aka mysqljs module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default...
UBUNTU-CVE-2019-14939
An issue was discovered in the mysql aka mysqljs module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default...
Buffer overflow
An issue was discovered in the mysql aka mysqljs module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default...
CVE-2019-14939
CVE-2019-14939 affects the mysqljs/mysql module for Node.js (version 2.17.1). The issue is that the LOAD DATA LOCAL INFILE option is enabled by default, potentially exposing data via local file loading. The CVSS3 vector indicates a LOCAL attack vector, LOW complexity, with LOW privileges ...
CVE-2019-14939
An issue was discovered in the mysql aka mysqljs module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default...
CVE-2019-14939
An issue was discovered in the mysql aka mysqljs module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default...
Node.js third-party modules: Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report a denial of...
Security Bulletin: Multiple vulnerabilities in node JS (core and 3rd party modules) affect IBM API Connect
Summary: API Connect has addressed the following vulnerabilities. Vulnerability Details: CVEID: CVE-2018-16487. DESCRIPTION: Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request, a remote attacker could exploit this...
Node.js third-party modules: [seeftl] Stored XSS when directory listing via filename.
I would like to report Stored XSS via filename in directory listing in seeftl. It allows injecting malicious input in a filename, which leads to stored XSS when listing directories. Module: module name: seeftl; version: 0.1.1; npm page: https://www.npmjs.com/package/seeftl. Module Description: seeftl --...
Security Bulletin: Secure Gateway is affected by a Denial of Service vulnerability (CVE-2019-5428)
Summary: Secure Gateway has addressed the following vulnerability: CVE-2019-5428. Vulnerability Details: CVEID: CVE-2019-5428. DESCRIPTION: Node.js jQuery module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request to inject properties on...
Node.js third-party modules: Command Injection vulnerability in kill-port-process package
I would like to report a command injection vulnerability in the kill-port-process package. It allows an attacker to inject arbitrary commands. Module: module name: kill-port-process; version: 1.1.0; npm page: https://www.npmjs.com/package/kill-port-process. Module Stats: 0 downloads in the last day, 13...