7911 matches found

IBM Security Bulletins
added 2018/08/03 4:23 a.m., 26 views

Security Bulletin: Multiple vulnerabilities in modules from the IBM SDK for Node.js affect the Cordova tools packaged in Rational Developer for i Modernization Tools Java Edition and Rational Developer for AIX and Linux (CVE-2014-7191 and CVE-2014-7192)

Summary: Security vulnerabilities have been discovered in the syntax-error and qs modules packaged in the IBM SDK for Node.js and Cordova platform packaged in Rational Developer for i Modernization Tools Java Edition and Rational Developer for AIX and Linux. The fix upgrades IBM SDK for Node.js to...

CVSS 10, AI score 0.6, EPSS 0.42574
Exploits 1, Affected Software 2
IBM Security Bulletins
added 2018/08/03 4:23 a.m., 16 views

Security Bulletin: Node.js Package Manager (npm) Bearer Token Vulnerability affects IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-3956)

Summary: Portions of IBM Rational Application Developer for WebSphere Software are shipped as a component of Rational Developer for i RPG and COBOL + Modernization Tools, Java and EGL editions, and Rational Developer for AIX and Linux. A vulnerability in the Node Package Manager's use of HTTP bear...

CVSS 7.5, AI score 0.7, EPSS 0.03208
Exploits 0, Affected Software 2
IBM Security Bulletins
added 2018/08/03 4:23 a.m., 16 views

Security Bulletin: Two ReDoS vulnerabilities in modules included in the Node.js npm tool affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux

Summary: Portions of IBM Rational Application Developer for WebSphere Software are shipped as a component of Rational Developer for i RPG and COBOL + Modernization Tools, Java and EGL editions, and Rational Developer for AIX and Linux. Two ReDoS vulnerabilities in modules included in the Node.js n...

CVSS 7.8, AI score 0.6, EPSS 0.05317
Exploits 0, Affected Software 2
IBM Security Bulletins
added 2018/08/03 4:23 a.m., 30 views

Security Bulletin: Multiple vulnerabilities in Node.js affects IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux

Summary: Portions of IBM Rational Application Developer for WebSphere Software are shipped as a component of Rational Developer for i RPG and COBOL + Modernization Tools, Java and EGL editions, and Rational Developer for AIX and Linux. Multiple Node.js vulnerabilities have been discovered that...

CVSS 7.5, AI score 0.6, EPSS 0.00545
Exploits 1, Affected Software 2
Hacker One
added 2018/08/02 10:47 a.m., 123 views

Node.js third-party modules: Code Injection Vulnerability in zombie Package

I would like to report a code injection vulnerability in zombie. It allows crawled websites to access privileged APIs such as the file system or child process. Module: module name: zombie, version: 6.1.2, npm page: https://www.npmjs.com/package/zombie. Module Description: Insanely fast, headless...

AI score 0.7
Exploits 0
Hacker One
added 2018/08/02 9:38 a.m., 26 views

Node.js third-party modules: Command Injection Vulnerability in kill-port Package

I would like to report a command injection vulnerability in kill-port. It allows an attacker to inject arbitrary commands. Module: module name: kill-port, version: 1.3.1, npm page: https://www.npmjs.com/package/kill-port. Module Description: Kill the process running on given port. Module Stats: 5,282...

CVSS 9.3, AI score 1, EPSS 0.00514
Exploits 1
Github Security Blog
added 2018/07/31 11:03 p.m., 13 views

Moderate severity vulnerability that affects moment

Withdrawn, accidental duplicate publish. The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."...

CVSS 7.8, AI score 6.1, EPSS 0.02708
Exploits 1, References 2, Affected Software 1
Github Security Blog
added 2018/07/31 10:54 p.m., 14 views

Moderate severity vulnerability that affects is-my-json-valid

Withdrawn, accidental duplicate publish. The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string...

CVSS 7.5, AI score 6, EPSS 0.00499
Exploits 0, References 2, Affected Software 1
Hacker One
added 2018/07/31 10:00 p.m., 13 views

Uber: [experience.uber.com] Node.js source code disclosure & anonymous access to internal Uber documents, templates and tools

A configuration file on experience.uber.com exposed details for the server configuration as well as information about the content hosted on the site. The site itself did require authentication to log in, but this config file was publicly accessible. Other accessible URLs included slide deck...

AI score 1.3
Exploits 0
Hacker One
added 2018/07/31 1:54 p.m., 35 views

Node.js third-party modules: [egg-scripts] Command injection

I would like to report a command injection vulnerability in egg-scripts. It allows arbitrary shell command execution through a maliciously crafted command line argument. Module: module name: egg-scripts, version: 2.6.0, npm page: https://www.npmjs.com/package/egg-scripts. Module Description: "deploy...

CVSS 10, AI score 1.2, EPSS 0.10005
Exploits 1
pentestit
added 2018/07/30 7:10 p.m., 178 views

UPDATE: OWASP Dependency-Check 3.3.0

My first post about this open source OWASP project was about an older version. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP Dependency-Check 3.3.0, which includes a lot of bug...

AI score 0.2
Exploits 0
OSV
added 2018/07/27 5:06 p.m., 0 views

GHSA-WM77-Q74P-5763 Path Traversal in superstatic

Affected versions of superstatic are vulnerable to path traversal when used on Windows. Additionally, it is vulnerable to path traversal on other platforms when combined with certain Node.js versions which erroneously normalize \ to / in paths on all platforms (a known example being Node.js v9.9.0)...

AI score 5.9
Exploits 0, References 4
Github Security Blog
added 2018/07/27 5:06 p.m., 20 views

Path Traversal in superstatic

Affected versions of superstatic are vulnerable to path traversal when used on Windows. Additionally, it is vulnerable to path traversal on other platforms when combined with certain Node.js versions which erroneously normalize \ to / in paths on all platforms (a known example being Node.js v9.9.0)...

AI score 3.6
Exploits 0, References 5, Affected Software 1
BDU FSTEC
added 2018/07/27 12:00 a.m., 0 views

A vulnerability in the GetInfoCommand function of the pdf-image PDF conversion software for Node.js allows an attacker to execute arbitrary commands on the server.

The vulnerability in the GetInfoCommand function of the PDF conversion software for Node.js stems from a lack of mechanisms to neutralize special elements in the input data. Exploiting this vulnerability allows a malicious actor to execute arbitrary code using a specially crafted request...

CVSS 10, AI score 6, EPSS 0.07956
Exploits 2, References 3, Affected Software 1
Kitploit
added 2018/07/26 9:56 p.m., 22 views

FF Password Exporter - Easily Export Your Passwords From Firefox

It can be difficult to export your passwords from Firefox. Since version 57 of Firefox Quantum, existing password export add-ons no longer work, and Mozilla provides no other official alternative. FF Password Exporter makes it quick and easy to export all of your passwords from Firefox. You can use FF...

AI score 7.3
Exploits 0, References 1
Github Security Blog
added 2018/07/26 4:24 p.m., 15 views

Critical severity vulnerability that affects dns-sync

Withdrawn, accidental duplicate publish. The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function...

CVSS 10, AI score 7.2, EPSS 0.01039
Exploits 0, References 2, Affected Software 1
Hacker One
added 2018/07/25 8:41 p.m., 50 views

Node.js third-party modules: [flintcms] Account takeover due to blind MongoDB injection in password reset

I would like to report a privilege escalation vulnerability in flintcms. It allows resetting a known user's password, extracting its password reset token and resetting its password to then access the account. Module: module name: flintcms, version: v.1.1.9, npm page: https://www.npmjs.com/package/flintcms...

CVSS 7.5, AI score 10, EPSS 0.03332
Exploits 1
Github Security Blog
added 2018/07/24 8:11 p.m., 47 views

Regular Expression Denial of Service in parsejson

Affected versions of parsejson are vulnerable to a regular expression denial of service when parsing untrusted user input. Recommendation: The parsejson package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in...

CVSS 7.5, AI score 4.9, EPSS 0.00303
Exploits 1, References 4, Affected Software 1
Gentoo Linux
added 2018/07/22 12:00 a.m., 506 views

Passenger: Multiple Vulnerabilities

Background: Passenger runs and manages your Ruby, Node.js, and Python apps. Description: Multiple vulnerabilities have been discovered in Passenger. Please review the CVE identifiers referenced below for details. Impact: A remote attacker could escalate privileges, execute arbitrary code, cause a...

CVSS 9.8, AI score 3.3, EPSS 0.01123
Exploits 0
Hacker One
added 2018/07/21 12:34 p.m., 27 views

Node.js third-party modules: http-live-simulator npm module is prone to path traversal attacks

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report Path Traversal...

CVSS 5, AI score 0.6, EPSS 0.00607
Exploits 0