4303 matches found
UBUNTU-CVE-2018-7160
The Node.js inspector in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or on another computer with network access to the computer running the...
DEBIAN-CVE-2018-7158
The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later, so this vulnerability impacts only Node.js 4.x (all 4.x versions). The regular expression, splitPathRe, used within the...
SUSE-SU-2018:1183-1 Security update for nodejs6
This update for nodejs6 fixes the following issues: - Fix some node-gyp permissions - New upstream LTS release 6.14.1: Security fixes: + CVE-2018-7160: Fix for inspector DNS rebinding vulnerability bsc1087463 + CVE-2018-7158: Fix for 'path' module regular expression denial of service bsc1087459 +...
Node.js third-party modules: Stored XSS in Node-Red
I would like to report a stored XSS in node-red. It allows executing JavaScript in the user's browser. Module module name: node-red version: v0.18.4 npm page: https://www.npmjs.com/package/node-red Module Description A visual tool for wiring the Internet of Things. Module Stats 1,758 downloads in...
Node.js third-party modules: [entitlements] Command injection on the 'path' parameter
Hello again, another command injection, this time on the entitlements module. Module module name: entitlements version: 1.2.0 npm page: https://www.npmjs.com/package/entitlements Module Description check the entitlements of a .app bundle Module Stats 26 downloads in the last day 328 downloads in...
CVE-2018-1109
A vulnerability was found in nodejs-braces. Affected versions of this package are vulnerable to regular expression denial of service (ReDoS) attacks. The highest threat from this vulnerability is to system availability...
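The two ReDoS entries above (CVE-2018-7158 in the 'path' module and CVE-2018-1109 in braces) share the same root cause: a backtracking regex engine given a pattern whose quantifiers can consume the same characters in exponentially many ways. The following is an added example, not code from braces, the Node.js 'path' module or any advisory on this page. The patterns in it are constructed for illustration; it shows the vulnerable shape, an equivalent linear pattern, a harness that makes the cost visible, and a cheap structural check.

```javascript
// Added example, not code from braces, the Node.js 'path' module or any
// advisory on this page. Patterns below are constructed for illustration.

// VULNERABLE: on an input that almost matches ("aaaa...!") the engine tries
// every way of splitting the run of 'a's between the inner '+' and the outer
// '+' before it can fail: 2^n paths for n characters.
const VULNERABLE = /^(a+)+$/;

// Same language, no ambiguity: each character can be consumed exactly one way.
const SAFE = /^a+$/;

// Worst-case input: n 'a's followed by a byte that guarantees overall failure.
function evilInput(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock milliseconds for one test() call.
function timeMatch(re, s) {
  const t0 = process.hrtime.bigint();
  re.test(s);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// [{ n, ms }] for several sizes: for VULNERABLE the ms roughly doubles per
// extra character, for SAFE it stays flat.
function profile(re, sizes) {
  return sizes.map((n) => ({ n, ms: timeMatch(re, evilInput(n)) }));
}

// Structural heuristic: a group containing +, * or {m,n} that is itself
// followed by +, * or {. It flags (x+)+, (x*)*, (\w+\s?)* but is neither
// complete nor exact; it is the same idea packages such as safe-regex use.
function hasNestedQuantifier(source) {
  return /\((?:[^()\\]|\\.)*[+*}](?:[^()\\]|\\.)*\)[+*{]/.test(source);
}

// Sanity check that two patterns accept the same strings, so a rewrite is a
// drop-in replacement and not a behaviour change.
function agree(a, b, inputs) {
  return inputs.every((s) => a.test(s) === b.test(s));
}

// Defence that works even when the pattern cannot be rewritten: refuse to run
// the regex on input longer than the field could legitimately be.
function boundedTest(re, s, maxLen) {
  if (s.length > maxLen) return false;
  return re.test(s);
}
```

Running `profile(VULNERABLE, [10, 14, 18, 22])` shows the doubling directly; `profile(SAFE, ...)` on the same sizes stays in the microsecond range. The heuristic is a triage tool for a code base's regex literals, not a proof: a pattern it does not flag can still be quadratic, and one it flags may be harmless when the inner and outer quantifiers can never consume the same characters.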
Node.js third-party modules: Command injection in 'pdf-image'
I would like to report command injection in pdf-image. It allows executing commands on the server. Module module name: pdf-image version: 1.0.5 npm page: https://www.npmjs.com/package/pdf-image Module Description Provides an interface to convert a PDF's pages to PNG files in Node.js by using...
SUSE-SU-2018:0952-1 Security update for nodejs4
This update for nodejs4 fixes the following issues: - Fix some node-gyp permissions - New upstream maintenance 4.9.1: Security fixes: + CVE-2018-7158: Fix for 'path' module regular expression denial of service bsc1087459 + CVE-2018-7159: Reject spaces in HTTP Content-Length header values bsc10874...
Node.js: Out of order TLS handshake / application data messages lead to segmentation fault
Summary: IMPORTANT NOTE: I have already been working with the NodeJS core security team on this issue and have provided core files, POC and many other pieces of information. I was told by James Snell to report via Hackerone to make it official however all the relevant details on this issue have...
Fedora 26 : 1:nodejs (2018-e672eaf4df)
https://nodejs.org/en/blog/release/v8.11.0/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues...
Fedora Update for nodejs FEDORA-2018-e672eaf4df
The remote host is missing an update for the 'nodejs' package(s) announced via the FEDORA-2018-e672eaf4df advisory.
Fedora 27 : 1:libuv / 1:nodejs (2018-ecf73042e3)
https://nodejs.org/en/blog/release/v8.11.0/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues...
Fedora Update for nodejs FEDORA-2018-ecf73042e3
The remote host is missing an update for the 'nodejs' package(s) announced via the FEDORA-2018-ecf73042e3 advisory.
Node.js third-party modules: [pdfinfojs] Command Injection on filename parameter
Hello, there is a command injection vulnerability in the "pdfinfojs" module. Module module name: pdfinfojs version: 0.3.6 npm page: https://www.npmjs.com/package/pdfinfojs Module Description pdfinfo shell wrapper for Node.js Module Stats 10 downloads in the last day 61 downloads in the last week...
Node.js third-party modules: Bypass to defective fix of Path Traversal
I would like to report a Path Traversal vulnerability in localhost-now. It allows reading arbitrary files on the server. This is a bypass of the mitigation for 312889. Module module name: localhost-now version: 1.0.2 npm page: https://www.npmjs.com/package/localhost-now Module Description Am I th...
Directory Traversal
nodejsccc is vulnerable to directory traversal attacks. The vulnerability exists due to the lack of ../ sanitization on the user input, allowing attackers to access files outside of the server's scope...
Directory Traversal
nodejsliamgb is vulnerable to directory traversal attacks. The vulnerability exists due to the lack of ../ sanitization on the user input, allowing attackers to access files outside of the server's scope...
XVNA - Extreme Vulnerable Node Application
XVNA is an extremely vulnerable Node application written in Node.js/Express.js/MongoDB that helps security enthusiasts learn application security. It is not recommended to host this application online, as it is intended to be vulnerable. We suggest hosting it in a local setting and...
Joyent Node.js moment module denial of service vulnerability
Node.js is a platform from the US company Joyent for building web applications on Google's V8 JavaScript engine. moment is a JavaScript date-processing library. A security vulnerability exists in the moment module for Node.js. The vulnerability can be...
ejs vulnerable to DoS due to weak input validation
ejs versions older than 2.5.5 are vulnerable to denial of service due to weak input validation in ejs.renderFile...