7865 matches found
CVE-2013-7451
The CVE concerns the validator module for Node.js, specifically the version range before 1.1.0. The root cause is a bypass of the cross-site scripting (XSS) filter via a nested tag, enabling remote attackers to bypass input sanitization. The vulnerability is documented for CVE-2013-7451 and is re...
CVE-2014-9772
The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters...
CVE-2015-8854
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."...
CVE-2015-8855
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."...
CVE-2015-8859
The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors...
CVE-2013-7452
The CVE-2013-7452 issue affects the Node.js validator module prior to version 1.1.0. The root cause is a flaw that allows remote attackers to bypass the cross-site scripting (XSS) filter when processing a crafted javascript URI. The impact described is bypassing the XSS filter; no other effects a...
CVE-2013-7454
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings...
CVE-2015-8860
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive...
CVE-2013-7453
CVE-2013-7453 affects the validator module for Node.js prior to version 1.1.0. The vulnerability allows remote attackers to bypass the cross-site scripting (XSS) filter through vectors related to UI redressing, enabling potential bypass of input-filtering protections. Documented impact is limited...
CVE-2016-4055
The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."...
CVE-2015-8862
mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted...
CVE-2013-7454
Removed by vendor...
CVE-2013-7452
Removed by vendor...
CVE-2015-8315
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."...
CVE-2015-8856
Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name...
About the security content of Xcode 8.1 - Apple Support
About Apple security updates. For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. For more information about security, se...
Important: Red Hat Security Advisory: rh-nodejs4-nodejs and rh-nodejs4-http-parser security update
An update for rh-nodejs4-nodejs and rh-nodejs4-http-parser is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...
nodejs: wildcard certificates not properly validated
It was found that Node.js' tls.checkServerIdentity function did not properly validate server certificates containing wildcards. A malicious TLS server could use this flaw to get a specially crafted certificate accepted by a Node.js TLS client...
GLSA-201612-43 : Node.js: Multiple vulnerabilities
The remote host is affected by the vulnerability described in GLSA-201612-43 (Node.js: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Node.js. Please review the CVE identifiers referenced below for details. Impact: A remote attacker could possibly cause a Denial of...
Downloads Resources over HTTP
Overview: imageoptim is a Node.js wrapper for some image compression algorithms. imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker-controlled...