7863 matches found
CVE-2015-5380
CVE-2015-5380 affects Google V8 (as used by Node.js and io.js) where Utf8DecoderBase::WriteUtf16Slow may not verify memory for a UTF-16 surrogate pair. This can enable a remote attacker to trigger denial of service via a crafted byte sequence, potentially causing memory corruption. Affected versi...
Joyent Node.js 'unicode.cc' Denial of Service Vulnerability
Joyent Node.js is the United States Joyent company's set of web applications built on top of the Google V8 JavaScript engine platform. The platform is primarily used for building highly scalable applications and writing code that can handle tens of thousands of simultaneous connections to a singl...
Critical DoS Bug in Node.js, io.js Patched
Developers at Node.js over the weekend released a critical update to the open source runtime environment that addresses a bug that could be used to cause denial of service attacks. The JavaScript framework is used in one way or another by a handful of companies, including Netflix, PayPal, the New...
Security Updates for Node.js and io.js
Networking applications using Node.js or io.js contain a vulnerability in the V8 JavaScript engine. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition. Available updates include: node.js-v0.12.6, io.js-v2.2.3, io.js-v1.8.3. Users and administrators...
node, iojs, and v8 -- denial of service
node reports: This release of Node.js fixes a bug that triggers an out-of-band write in V8's utf-8 decoder. This bug impacts all Buffer to String conversions. This is an important security update as this bug can be used to cause a denial of service attack...
Vulnerability in RC4 stream cipher affects AIX, Vulnerability in RC4 stream cipher affects ftpd/sendmail_ssl/imapd/popd on AIX, Vulnerability in RC4 stream cipher affects ftpd/sendmail_ssl/imapd/popd on VIOS
IBM SECURITY ADVISORY First Issued: Mon Apr 27 15:27:04 CDT 2015 | Updated: Tue Dec 15 11:54:19 CST 2015 | Update: Added all information for ftpd, sendmailssl, imapd, and popd The most recent version of this document is available here: http://aix.software.ibm.com/aix/efixes/security/rc4advisory.a...
[SECURITY] Fedora 20 Update: nodejs-0.10.36-3.fc20
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...
libuv 'process.c' local elevation of privilege vulnerability
libuv is a web IO library extension for the Node.js web application platform. A local elevation of privileges vulnerability exists in libuv. An attacker can exploit this vulnerability to gain elevated privileges or disclose sensitive information...
Arbitrary Command Execution Through Shell Metacharacters In API Arguments
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function. This vulnerability is a duplicate of CVE-2017-16100...
[SECURITY] Fedora 21 Update: nodejs-0.10.36-3.fc21
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...
CVE-2014-9682
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function...
Code injection
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function...
CVE-2014-9682
The dns-sync module for Node.js (versions before 0.1.1) is affected by CVE-2014-9682. The underlying issue allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function, enabling remote code execution or command executi...
[SECURITY] Fedora 20 Update: rubygem-passenger-4.0.53-3.fc20
Phusion Passenger® is a web server and application server, designed to be fast, robust and lightweight. It takes a lot of complexity out of deploying web apps, adds powerful enterprise-grade features that are useful in production, and makes administration much easier and less complex. It...
Joyent Node.js Sequelize SQL Injection Vulnerability
Joyent Node.js is the United States Joyent company's set of web applications built on top of the Google V8 JavaScript engine platform. Sequelize is a database ORM (object-relational mapping) tool. A SQL injection vulnerability exists in Joyent Node.js Sequelize. A remote attacker can...
Joyent Node.js marked incomplete blacklist vulnerability
Joyent Node.js is the United States Joyent company's set of web applications built on top of the Google V8 JavaScript engine platform. marked is a parser and compiler for Markdown, a lightweight markup language. An incomplete blacklist vulnerability exists in Joyent Node.js marked. A remo...
CVE-2015-1370
Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link...
CVE-2015-1369
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter...