nodejs-lodash: command injection via template

A flaw was found in nodejs-lodash. A command injection flaw is possible through template variables...

ReDoS in Sec-Websocket-Protocol header

Impact A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. Proof of concept js for const length of 1000, 2000, 4000, 8000, 16000, 32000 const value = 'b' + ' '.repeatlength + 'x'; const start = process.hrtime.bigint; value.trim.split/...

CVE-2021-32640

A flaw was found in nodejs-ws. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. Mitigation In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the...

CommScope Ruckus IoT Controller 1.7.1.0 Web Application Arbitrary Read/Write

KL-001-2021-006: CommScope Ruckus IoT Controller Web Application Arbitrary Read/Write Title: CommScope Ruckus IoT Controller Web Application Arbitrary Read/Write Advisory ID: KL-001-2021-006 Publication Date: 2021.05.26 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2021-006.t...

Fedora: Security Advisory for python-fastapi (FEDORA-2021-e7fabd81fb)

The remote host is missing an update for the Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

CommScope Ruckus IoT Controller Web Application Arbitrary Read/Write

Vulnerability Details Affected Vendor: CommScope Affected Product: Ruckus IoT Controller Affected Version: 1.7.1.0 and earlier Platform: Linux CWE Classification: CWE-250: Execution with Unnecessary Privileges CVE ID: CVE-2021-33217 2. Vulnerability Description The IoT Controller web application...

CVE-2021-23386

Remote memory exposure vulnerability was found in nodejs dns-packet library. The buffers created with allocUnsafe are not always filled before forming the network packets and an attacker can use this vulnerability to potentially get access to internal application memory over non encrypted network...

DEBIAN-CVE-2021-33502

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS regular expression denial of service issue because it has exponential performance for data: URLs...

DoraCMS Encryption Problem Vulnerability

DoraCMS is based on Nodejs+eggjs+mongodb written a content management system . An encryption issue vulnerability exists in DoraCMS 2.1.1 and earlier versions. The vulnerability arises because the program does not use AES-CBC encryption with random salts or IVs, which makes user-encrypted password...

openSUSE Security Update : nodejs-underscore (openSUSE-2021-601)

This update for nodejs-underscore fixes the following issues : Update version to 1.13.1 - Fix security issue boo1184800, CVE-2021-23358 - Fix bugs - Many new features %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from...

CVE-2019-20149

A flaw was found in nodejs-kind-of. An external user is allowed input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': 'name':'Symbol'. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result...

OESA-2021-1168 nodejs-hosted-git-info security update

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab Security Fixes: The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service ReDoS via regular expression shortcutMatch in the fromUrl function in index.js. The affected...

nodejs 资源管理错误漏洞

nodejs is a JavaScript runtime environment based on the ChromeV8 engine by wrapping the Chromev8 engine and using event-driven and non-blocking IO applications make it possible to develop high-performance backend applications in Javascript. A resource management error vulnerability exists in...

Moderate: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.2.3 security and bug fix update

Red Hat Advanced Cluster Management for Kubernetes 2.2.3 General Availability release images, which fix several bugs and security issues. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a...

CVE-2021-23343

A flaw was found in nodejs-path-parse. All versions of package path-parse are vulnerable to Regular Expression Denial of Service ReDoS via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity...

CVE-2021-23383

A flaw was found in nodejs-handlebars. A unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system e.g. browser or server when the template is compiled with the...

Node.js mixme 安全漏洞

Npm mixme is an application from the American company Npm. It is used to recursively merge multiple objects. The last object takes precedence over previous objects. A security vulnerability exists in Node.js mixme 0.5.0, which can be exploited by an attacker to add or change the properties of an...

PT-2021-17969 · Npm · Node.Js Mixme

Name of the Vulnerable Software and Affected Versions: Node.js mixme versions prior to 0.5.1 Description: The issue allows an attacker to add or alter properties of an object via proto through the mutate and merge functions. The polluted attribute will be directly assigned to every object in the...

CVE-2021-29486

cumulative-distribution-function is an open source npm library used which calculates statistical cumulative distribution function from data array of x values. In versions prior to 2.0.0 apps using this library on improper data may crash or go into an infinite-loop. In the case of a nodejs...

PT-2021-18248 · Npm · Cumulative-Distribution-Function

Name of the Vulnerable Software and Affected Versions: cumulative-distribution-function versions prior to 2.0.0 Description: The issue arises when the cumulative-distribution-function library is used with improper data, potentially causing apps to crash or enter an infinite loop. This can occur i...