Design/Logic Flaw
react-native-meteor-oauth is a library for OAuth2 login to a Meteor server in React Native. The OAuth random token is generated using a non-cryptographically strong RNG, Math.random...
Remote code execution
react-native-baidu-voice-synthesizer is a Baidu voice speech synthesizer for React Native. react-native-baidu-voice-synthesizer downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources...
CVE-2016-10697
react-native-baidu-voice-synthesizer is a Baidu voice speech synthesizer for React Native. react-native-baidu-voice-synthesizer downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources...
CVE-2016-10697
The vulnerability CVE-2016-10697 affects react-native-baidu-voice-synthesizer, which downloads resources over HTTP. The underlying issue is unencrypted network requests, enabling MITM interception and potential remote code execution by substituting resources with attacker-controlled copies. Multi...
CVE-2017-16028
react-native-meteor-oauth is a library for OAuth2 login to a Meteor server in React Native. The OAuth random token is generated using a non-cryptographically strong RNG, Math.random...
CVE-2017-16028
CVE-2017-16028 affects IBM Tivoli Netcool/OMNIbus WebGUI via the React/Node.js component (react-native-meteor-oauth) using a weak RNG (Math.random) for OAuth tokens. Remediation: upgrade WebGUI to 8.1.0 Fix Pack 28 (affecting 8.1.0 FP27 and earlier).
Cross-Site Scripting
Overview: All versions of react-marked-markdown are vulnerable to cross-site scripting (XSS) via href attributes. This is exploitable if user input is provided to react-marked-markdown. Proof of concept: import React from 'react' import ReactDOM from 'react-dom' import MarkdownPreview from...
Cross-Site Scripting
Overview: Versions of react-svg before 2.2.18 are vulnerable to cross-site scripting (XSS). This is because scripts found in SVG files are run by default. Recommendation: Update to version 2.2.18 or later. References: - GitHub PR 57 - GitHub Advisory...
“I too like to live dangerously”, Accidentally Finding RCE in Signal Desktop via HTML Injection in Quoted Replies
Remediation TL;DR: If you're a concerned Signal user, please update to the latest version of Signal Desktop; the fix shipped in version v1.11.0, which addresses all of these issues. Note that the mobile apps for Signal were not affected by this issue. Background Information: If you're an avid follower of all th...
Malicious Package
Overview: Version 0.0.7 of react-server-native contained malicious code. The code, when executed in the browser, would enumerate password, cvc, and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.0.7 of this module is found...
Malicious Package
Overview: Version 0.3.0 of react-dates-sc contained malicious code. The code, when executed in the browser, would enumerate password, cvc, and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 0.3.0 of this module is found...
Cross-Site Scripting (XSS)
react-marked-markdown is vulnerable to cross-site scripting (XSS). The vulnerability exists because it does not sanitize href values to an XSS-free string...
Cross-site Scripting (XSS)
react-svg is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists due to the default configuration allowing scripts to be evaluated, despite being documented otherwise, so malicious scripts are executed when rendered...
Node.js third-party modules: The react-marked-markdown module allows XSS injection in href values.
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report XSS in...
Third party CSS is not safe
A few days ago there was a lot of chatter about a 'keylogger' built in CSS. Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third part...
Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0
Vulners Team released today the second version of their Web Vulnerability Scanning plugin for the Google Chrome browser. You can read my description of version 1.0 at "Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome". The killer feature of Vulners web scanner v. 2.0 is...
Netflix functions without client-side React, and it's a good thing
A few days ago Netflix tweeted that they'd removed client-side React.js from their landing page and they saw a 50% performance improvement. It caused a bit of a stir. This shouldn't be a surprise. The following: 1. Download HTML & CSS in parallel. 2. Wait for CSS to finish downloading & execute it...
ABB VSN300 WiFi Logger Card and VSN300 WiFi Logger Card for React Privilege Access Control Vulnerability
The ABB VSN300 WiFi Logger Card and the VSN300 WiFi Logger Card for React are both wireless data logger card products from Asea Brown Boveri (ABB), Switzerland. A security vulnerability exists in the ABB VSN300 WiFi Logger Card and VSN300 WiFi Logger Card for React, which stems from the program...