11231 matches found
CVE-2016-10612
dalek-browser-ie-canary downloads binary resources over HTTP, enabling MitM and potential remote code execution if an attacker on the network intercepts and replaces the binary. Affected: dalek-browser-ie-canary (Internet Explorer bindings for DalekJS). Root cause: unencrypted HTTP delivery of ex...
CVE-2016-10632
CVE-2016-10632 affects apk-parser2, which downloads binary resources over HTTP. In network positions where an attacker can intercept traffic, the executable could be swapped with a malicious one, potentially leading to remote code execution on the host running apk-parser2. There is no patch avail...
CVE-2016-10574
apk-parser3 before 0.1.3 downloads binary resources over HTTP, enabling MITM tampering and potential remote code execution if an attacker can swap the binary between the user and the server. Affected component: apk-parser3 (Android Manifest extraction feature). Impact per sources: code execution ...
CVE-2016-10581
CVE-2016-10581 concerns the Steroids library (PhoneGap on Steroids), which downloads zipped resources over HTTP. The description states this makes it vulnerable to MITM attacks and, if an attacker can position themselves between the user and the server, may allow remote code execution by swapping...
CVE-2016-10600
The CVE-2016-10600 entry concerns the webrtc-native component, which uses WebRTC from the Chromium project. The vulnerability arises because webrtc-native downloads binary resources over HTTP, enabling a man-in-the-middle attacker to intercept or replace the binary and potentially achieve remote ...
CVE-2016-10631
CVE-2016-10631 affects the jvminstall module, which downloads binaries over HTTP. The root cause is insecure HTTP downloads, enabling MITM interception and the possibility of swapping the binary with a poisoned one, potentially causing remote code execution if an attacker sits between the user an...
CVE-2016-10624
Summary: The CVE concerns selenium-chromedriver, which downloads the Selenium WebDriver for Google Chrome over HTTP, making it vulnerable to MITM manipulation. In such a scenario, an attacker on the network could replace the binary with a malicious one, potentially enabling remote code execution ...
CVE-2016-10585
CVE-2016-10585 affects libxl bindings for Node.js. The library downloads zipped resources over HTTP, enabling MITM attacks that could allow an attacker in a privileged network position to swap the downloaded zip with a malicious one, potentially causing remote code execution on the host running l...
CVE-2016-10599
The CVE-2016-10599 issue affects sauce-connect (Node.js wrapper around SauceConnect.jar). It arises because sauce-connect downloads binaries over HTTP, enabling MITM tampering where an attacker between the user and the server can replace the binary, potentially causing remote code execution on th...
CVE-2016-10604
dalek-browser-chrome downloads binary resources over HTTP, enabling MITM-style tampering. In network-position scenarios, an attacker can swap the requested binary with a malicious one, potentially executing code on the user’s system. The advisory notes that no patch is currently available and rec...
CVE-2016-10606
The CVE-2016-10606 issue affects grunt-webdriver-qunit, a Grunt plugin for running QUnit with WebDriver. The root cause is insecurely downloading a binary over HTTP, enabling an attacker with a privileged network position to intercept and substitute the binary, potentially leading to remote code ...
CVE-2016-10580
Summary: nodewebkit downloads zipped resources over HTTP, which enables MITM modification of the downloaded payload to execute arbitrary code on the host. In exposed network positions, an attacker can intercept and swap the zip file, leading to potential RCE on systems running nodewebkit. Public ...
CVE-2016-10615
The CVE-2016-10615 issue affects the curses package, where the library downloads binary resources over HTTP. The underlying problem is insecure HTTP delivery, enabling a MitM attacker to swap the requested binary, potentially leading to remote code execution on the host. The connected advisories ...
CVE-2016-10620
The CVE-2016-10620 issue affects the atom-node-module-installer, which downloads binaries over HTTP. This enables MitM manipulation of the downloaded executable, potentially enabling remote code execution if an attacker is on the network or between the user and the server. The practical impact is...
CVE-2016-10628
CVE-2016-10628 affects selenium-wrapper, a Selenium server wrapper for installation and Chrome WebDriver. The issue arises because it downloads binary resources over HTTP, enabling a Man-in-the-Middle (MITM) attacker to intercept and potentially swap the binary with a malicious one, which could l...
CVE-2016-10595
The CVE-2016-10595 issue affects the jdf-sass package, a fork of node-sass, which downloads resources over HTTP. The underlying root cause is unencrypted HTTP transfers allowing an attacker with a privileged network position to MITM the responses and swap in a malicious executable, potentially le...
CVE-2016-10565
operadriver is an Opera Driver for Selenium. operadriver versions below 0.2.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attack...
CVE-2016-10562
iedriver is an NPM wrapper for Selenium IEDriver. iedriver versions below 3.0.0 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if...
CVE-2016-10571
bkjs-wand is imagemagick wand support for node.js and backendjs. bkjs-wand versions lower than 0.3.2 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controll...
CVE-2016-10572
mongodb-instance before 0.0.3 installs mongodb locally. mongodb-instance downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker ...