7911 matches found

IBM Security Bulletins
added 2019/06/06 8:5 p.m., 26 views

Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud

Summary OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js for IBM Cloud. IBM SDK for Node.js for IBM Cloud has addressed the applicable CVEs. Node.js vulnerabilities were disclosed by the Node.js foundation. Node.js is used by IBM SDK for Node.j...

7.5 CVSS, 0.3 AI score, 0.26351 EPSS
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2019/06/06 3:40 p.m., 30 views

Security Bulletin: IBM API Connect is affected by a denial of service vulnerability in Node.js (CVE-2019-5737)

Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-5737 DESCRIPTION: Node.js is vulnerable to a denial of service. By establishing an HTTP or HTTPS connection in keep-alive mode and sending headers very slowly to force the connection and...

7.5 CVSS, 1.9 AI score, 0.26351 EPSS
Exploits: 0, Affected Software: 1
Hacker One
added 2019/06/02 7:16 a.m., 14 views

Node.js third-party modules: [public] Path traversal using symlink

I would like to report Path traversal vulnerability in public module Module module name: public version: 0.1.4 npm page: https://www.npmjs.com/package/public Module Description Run static file hosting server with specified public dir & port. Support a "directory index" like Apache httpd. Module...

1 AI score
Exploits: 0
Hacker One
added 2019/05/30 4:37 a.m., 27 views

Node.js third-party modules: Lack of input validation and sanitization in react-autolinker-wrapper library causes XSS

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report XSS in...

0.7 AI score
Exploits: 0
Hacker One
added 2019/05/24 8:53 p.m., 22 views

Node.js: Multiple HTTP/2 DOS Issues

A security researcher has conducted a broad survey of HTTP/2 implementations to investigate common Denial of Service attack vectors. The Node.js implementation has been found to be subject to a number of these issues. On the plus side, we're not the only ones! ;- ... This work is still under...

7 AI score
Exploits: 0
Github Security Blog
added 2019/05/23 9:27 a.m., 18 views

mysql Node.JS Module Vulnerable to Remote Memory Exposure

Versions of mysql before 2.14.0 are vulnerable to remote memory exposure. Affected versions of mysql package allocate and send an uninitialized memory over the network when a number is provided as a password. Only mysql running on Node.js versions below 6.0.0 are affected due to a throw added in...

3.2 AI score
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2019/05/23 9:27 a.m., 9 views

GHSA-5F7M-MMPC-QHH4 mysql Node.JS Module Vulnerable to Remote Memory Exposure

Versions of mysql before 2.14.0 are vulnerable to remote memory exposure. Affected versions of mysql package allocate and send an uninitialized memory over the network when a number is provided as a password. Only mysql running on Node.js versions below 6.0.0 are affected due to a throw added in...

7.2 AI score
Exploits: 0, References: 4
Hacker One
added 2019/05/16 4:34 a.m., 20 views

Node.js third-party modules: [static-server-gx] Path Traversal allowing to read any files on the server

I would like to report path traversal vulnerability in module "static-server-gx" It allows an attacker to read any files even system files via this path traversal vulnerability. Module module name: static-server-gx version: 1.2.1 npm page: https://www.npmjs.com/package/static-server-gx Module...

1.9 AI score
Exploits: 0
Hacker One
added 2019/05/14 12:11 a.m., 9 views

Node.js third-party modules: [larvitbase-www] Unintended Require

I would like to report Unintended Require vulnerability in larvitbase-www It is similar to bug found here 566056 because the module is maintained by the same developer, but it is a different module and the code behind the vulnerability is different. It allows loading arbitrary non-production code ...

7.2 AI score
Exploits: 0
Tenable Nessus
added 2019/05/14 12:0 a.m., 34 views

EulerOS Virtualization 3.0.1.0 : thrift (EulerOS-SA-2019-1458)

According to the versions of the thrift packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security...

7.5 CVSS, 7 AI score, 0.00402 EPSS
Exploits: 0, References: 3
IBM Security Bulletins
added 2019/05/13 11:35 p.m., 35 views

Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management V2018

Summary There are multiple vulnerabilities in Node.js used by IBM® Cloud App Management V2018. IBM® Cloud App Management has addressed the applicable CVEs in a later version. Vulnerability Details CVEID: CVE-2018-12122 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper...

7.5 CVSS, 0.9 AI score, 0.05572 EPSS
Exploits: 0, Affected Software: 1
Hacker One
added 2019/05/13 8:26 p.m., 12 views

Node.js third-party modules: [http_server] Path Traversal allowing to read any files on the server

I would like to report path traversal vulnerability in module "httpserver" It allows an attacker to read any files even system files via this path traversal vulnerability. Module module name: httpserver version: 1.0.12 npm page: https://www.npmjs.com/package/httpserver Module Description A static server...

2 AI score
Exploits: 0
Hacker One
added 2019/05/13 8:17 p.m., 25 views

Node.js third-party modules: [hnzserver] Path Traversal allowing to read any files on the server

I would like to report path traversal vulnerability in module "hnzserver" It allows an attacker to read any files even system files via this path traversal vulnerability. Module module name: hnzserver version: 2.0.6 npm page: https://www.npmjs.com/package/hnzserver Module Description 静态服务器 means...

1.8 AI score
Exploits: 0
NVD
added 2019/05/13 2:29 p.m., 11 views

CVE-2018-18524

Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulnerability. An attacker can use this XSS issue to inject Node.js code under Present mode. After a victim opens an affected note under Present mode, the attacker can read the victim's files and achieve remote execution command on t...

6.1 CVSS, 6.4 AI score, 0.01387 EPSS
Exploits: 1, References: 2
Prion
added 2019/05/13 2:29 p.m., 10 views

Cross site scripting

Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulnerability. An attacker can use this XSS issue to inject Node.js code under Present mode. After a victim opens an affected note under Present mode, the attacker can read the victim's files and achieve remote execution command on t...

4.3 CVSS, 6.3 AI score, 0.01387 EPSS
Exploits: 1, References: 2, Affected Software: 1
CVE
added 2019/05/13 1:2 p.m., 38 views

CVE-2018-18524

Evernote for Windows (v6.15) contains a stored cross-site scripting vulnerability (CVE-2018-18524) that is described as an incorrectly repaired issue in Present mode. An attacker can exploit this in affected notes to read victim files and achieve remote command execution on the user’s machine. Mu...

6.1 CVSS, 6.3 AI score, 0.01387 EPSS
Exploits: 1, References: 2, Affected Software: 1
Hacker One
added 2019/05/07 8:16 p.m., 26 views

Node.js third-party modules: [min-http-server] Stored XSS in the filename when directories listing

I would like to report Stored XSS in module "min-http-server". It allows to inject malicious scripts in the file name, store them on the server, then execute these scripts in the browser via the XSS vulnerability. Module module name: min-http-server version: 1.0.6 npm page:...

3.5 CVSS, 5 AI score, 0.0014 EPSS
Exploits: 1
Hacker One
added 2019/05/07 7:53 p.m., 21 views

Node.js third-party modules: [http-file-server] Stored XSS in the filename when directories listing

I would like to report Stored XSS in module "http-file-server". It allows to inject malicious scripts in the file name, store them on the server, then execute these scripts in the browser via the XSS vulnerability. Module module name: http-file-server version: 0.2.6 npm page:...

3.5 CVSS, 5 AI score, 0.0014 EPSS
Exploits: 1
Hacker One
added 2019/05/07 10:47 a.m., 15 views

Node.js third-party modules: [http-file-server] List any files and sub folders in the folder by using path traversal.

I would like to report Path Traversal in http-file-server. It allows to list any files and sub folders in another folder of web root. Module module name: http-file-server version: 0.2.6 npm page: https://www.npmjs.com/package/http-file-server Vulnerability Vulnerability Description http-file-serv...

5 CVSS, 0.4 AI score, 0.00232 EPSS
Exploits: 1
Hacker One
added 2019/05/07 8:52 a.m., 15 views

Node.js third-party modules: [statichttpserver] List any file in the folder by using path traversal.

I would like to report Path Traversal in statichttpserver. It allows to list any file in another folder of web root. Module module name: statichttpserver version: 0.9.7 npm page: https://www.npmjs.com/package/statichttpserver Module Description 'statichttpserver' is inspired by SimpleHTTPServer.p...

5 CVSS, 0.7 AI score, 0.00315 EPSS
Exploits: 1