EUVD-2019-0293

Malware in sbrugna...

GHSA-GC6C-5V9W-XMHW Downloads Resources over HTTP in nodewebkit

Affected versions of nodewebkit insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

Downloads Resources over HTTP in nodewebkit

Affected versions of nodewebkit insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

chrome-js (>=0.1.8 <=0.2.0), cpos (>=0.1.3 <=0.1.9) +20 more potentially affected by CVE-2016-10580 via nodewebkit (>=0.10.0-rc1-3 <=0.11.6)

nodewebkit NPM version =0.10.0-rc1-3, =0.1.8, =0.1.3, =0.1.0, =0.0.1, =0.1.0, =0.0.1, =0.0.24, =1.6.1, =0.0.0, =0.1.0, =1.0.1, =0.0.0, =0.0.22 and more Source cves: CVE-2016-10580 Source advisory: OSV:GHSA-GC6C-5V9W-XMHW...

Remote code execution

nodewebkit is an installer for node-webkit. nodewebkit downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the...

CVE-2016-10580

nodewebkit is an installer for node-webkit. nodewebkit downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the...

CVE-2016-10580

nodewebkit is an installer for node-webkit. nodewebkit downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the...

CVE-2016-10580

nodewebkit is an installer for node-webkit. nodewebkit downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the...

CVE-2016-10580

Summary: nodewebkit downloads zipped resources over HTTP, which enables MITM modification of the downloaded payload to execute arbitrary code on the host. In exposed network positions, an attacker can intercept and swap the zip file, leading to potential RCE on systems running nodewebkit. Public ...

Man In The Middle (MitM)

nodewebkit is vulnerable to man-in-the-middle MitM attacks. This is because the library downloads zipped resources via HTTP, allowing MitM attacks. It may also cause remote code execution RCE by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the...

Downloads Resources over HTTP

Overview Affected versions of nodewebkit insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...