36 matches found
GHSA-QW3G-35HC-FCRH Cross-Site Scripting (XSS) in restify
Affected versions of restify are susceptible to a cross-site scripting vulnerability when using URL encoded script tags in a non-existent URL. Proof of Concept: Request https://localhost:3000/no5such3file7.pl?%22%3E%3Cscript%3Ealert73541;%3C/script%3E Will be included in response: alert73541;...
Cross-Site Scripting (XSS) in restify
Affected versions of restify are susceptible to a cross-site scripting vulnerability when using URL encoded script tags in a non-existent URL. Proof of Concept: Request https://localhost:3000/no5such3file7.pl?%22%3E%3Cscript%3Ealert73541;%3C/script%3E Will be included in response: alert73541;...
GHSA-CGJX-MWPX-47JV Private Data Disclosure in express-restify-mongoose
Affected versions of express-restify-mongoose are susceptible to an information leakage vulnerability which may allow an attacker to access fields on a model even if those fields are marked as private. Proof of Concept If you have a user model that you want to protect, such as the following User...
Private Data Disclosure in express-restify-mongoose
Affected versions of express-restify-mongoose are susceptible to an information leakage vulnerability which may allow an attacker to access fields on a model even if those fields are marked as private. Proof of Concept If you have a user model that you want to protect, such as the following User...
Restify Cross-Site Scripting Vulnerability
Restify a framework for building REST APIs using Connect middleware . A cross-site scripting vulnerability exists in Restify versions 2.0.0 through 4.0.4. A remote attacker can exploit this vulnerability to execute script in a browser...
CVE-2017-16018
Restify is a framework for building REST APIs. Restify =2.0.0 =4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers...
CVE-2017-16018
Restify is a framework for building REST APIs. Restify =2.0.0 =4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers...
Design/Logic Flaw
Restify is a framework for building REST APIs. Restify =2.0.0 =4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers...
CVE-2017-16018
Restify vulnerability CVE-2017-16018 affects the restify framework (versions 2.0.0 through 4.0.4). The issue is a Cross‑Site Scripting (XSS) vulnerability that occurs when URL encoded script tags are used in a non-existent URL, allowing an attacker to run script in some browsers. The practical im...
CVE-2017-16018
Restify is a framework for building REST APIs. Restify =2.0.0 =4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers...
express-restify-mongoose information disclosure vulnerability
express-restify-mongoose is a tool for creating interfaces for Mongoose Model. A security vulnerability exists in express-restify-mongoose version 2.4.2 and earlier and versions 3.0.X through 3.0.1. An attacker can exploit the vulnerability by sending a request to obtain the passwords of all user...
CVE-2016-10533
express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. express-restify-mongoose 2.4.2 and earlier and 3.0.X through 3.0.1 allows a malicious user to send a request for GET /User?distinct=password and get all the passwords for all the users in the...
CVE-2016-10533
CVE-2016-10533 affects express-restify-mongoose. Vulnerable versions (2.4.2 and earlier, and 3.0.X through 3.0.1) allow a malicious user to abuse GET /User?distinct=password to retrieve all user passwords, bypassing private field protections. The root cause is information leakage through listing/...
Cross-Site Scripting (XSS)
Overview Affected versions of restify are susceptible to a cross-site scripting vulnerability when using URL encoded script tags in a non-existent URL. Proof of Concept: Request https://localhost:3000/no5such3file7.pl?%22%3E%3Cscript%3Ealert73541;%3C/script%3E Will be included in response:...
Private Data Disclosure
Overview Affected versions of express-restify-mongoose are susceptible to an information leakage vulnerability which may allow an attacker to access fields on a model even if those fields are marked as private. Proof of Concept If you have a user model that you want to protect, such as the...
V8 Memory Corruption and Stack Overflow (fixed in Node v0.8.28 and v0.10.30)
V8 Memory Corruption and Stack Overflow fixed in Node v0.8.28 and v0.10.30 A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may...