
365 matches found

Cvelist
added 2017/10/24 8:00 p.m. · 16 views

CVE-2017-15871

The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression "function" substring, as demonstrated by a "function(){console.log(" call or a simple infinite loop. NOTE: the vendor agrees that...

7.3 AI score · 0.01148 EPSS
Exploits 1 · References 2
CVE
added 2017/10/24 8:00 p.m. · 56 views

CVE-2017-15871

The CVE-2017-15871 entry affects the deserialize function in serialize-to-js (versions ≤ 1.1.1). Affected input involving an Immediately Invoked Function Expression substring (e.g., function(){console.log(…)}) can cause a denial of service. The vendor acknowledges the DoS risk and states deserial...

7.5 CVSS · 7.2 AI score · 0.01148 EPSS
Exploits 1 · References 2 · Affected Software 1
Positive Technologies
added 2017/10/24 12:00 a.m. · 4 views

PT-2017-14251 · Unknown · Serialize-To-Js

Name of the Vulnerable Software and Affected Versions: serialize-to-js versions 1.1.1 and earlier. Description: The issue allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression "function" substring. This can be demonstrated by a...

7.5 CVSS · 7.1 AI score · 0.01148 EPSS
Exploits 1 · References 5
myhack58
added 2017/02/17 12:00 a.m. · 30 views

Follow-up analysis of the deserialization vulnerability in the Node.js node-serialize module - vulnerability warning - the black bar safety net

Some follow-up findings on the Node.js serialization remote command execution vulnerability, and how to develop the attack payload. A few days ago I found an article on the opsecx blog about how to exploit an RCE (remote code execution) bug in a Node.js module named node-serialize. The article...

0.2 AI score
Exploits 0
CNVD
added 2017/02/13 12:00 a.m. · 3 views

Node-serialize Package For Node.js 'unserialize()' Function Arbitrary Code Execution Vulnerability

Node.js is an open source, cross-platform, runtime environment for server-side and web applications. Node.js has a security vulnerability in the node-serialize module that allows an attacker to execute arbitrary code via IIFE if the unserialize function input is not secure...

9.8 CVSS · 7.9 AI score · 0.61025 EPSS
Exploits 5 · References 1
CNVD
added 2017/02/11 12:00 a.m. · 1 views

Node.js suffers from a deserialization remote code execution vulnerability

Node.js is a JavaScript runtime. It is actually a wrapper around the Google V8 engine. In fact, it is a packaging of the Google V8 engine. Node.js is a platform based on the Chrome JavaScript runtime, built for easily building responsive, easily extensible web applications. A deserialization remote code...

8.3 AI score
Exploits 0 · References 1
Node.js
added 2017/02/10 6:56 p.m. · 66 views

Code Execution Through IIFE

Overview: Affected versions of serialize-to-js may be vulnerable to arbitrary code execution through an Immediately Invoked Function Expression (IIFE). Proof of Concept: var payload = "e: function eval'console.logexploited' " var serialize = require'serialize-to-js'; serialize.deserializepayload;...

7.5 CVSS · 4.9 AI score · 0.04464 EPSS
Exploits 1 · Affected Software 1
Prion
added 2017/02/10 7:59 a.m. · 12 views

Code injection

An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE)...

7.5 CVSS · 9.6 AI score · 0.04464 EPSS
Exploits 1 · References 3 · Affected Software 1
NVD
added 2017/02/10 7:59 a.m. · 22 views

CVE-2017-5954

An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE)...

9.8 CVSS · 9.6 AI score · 0.04464 EPSS
Exploits 1 · References 3
Cvelist
added 2017/02/10 6:51 a.m. · 24 views

CVE-2017-5954

An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE)...

9.7 AI score · 0.04464 EPSS
Exploits 1 · References 3
CVE
added 2017/02/10 6:51 a.m. · 78 views

CVE-2017-5954

The CVE-2017-5954 entry concerns the Node.js package serialize-to-js (v0.5.0). An attacker can inject untrusted data into deserialize() to achieve arbitrary code execution via a JavaScript Object containing an IIFE. Documented references (OSV GHSA and npm advisories) confirm a remote code executi...

9.8 CVSS · 9.6 AI score · 0.04464 EPSS
Exploits 1 · References 3 · Affected Software 1
Veracode
added 2017/02/09 11:56 p.m. · 14 views

Remote Code Execution Via Deserialisation Of Untrusted Object

node-serialize is vulnerable to remote code execution. The vulnerability exists when untrusted user input is passed via an Immediately Invoked Function Expression (IIFE) to the unserialize function, which uses eval internally for deserialization...

9.8 CVSS · 9.6 AI score · 0.61025 EPSS
Exploits 5 · References 6 · Affected Software 1
OSV
added 2017/02/09 7:59 p.m. · 4 views

CVE-2017-5941

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE)...

9.8 CVSS · 6.2 AI score · 0.61025 EPSS
Exploits 5 · References 5
CVE
added 2017/02/09 7:00 p.m. · 221 views

CVE-2017-5941

CVE-2017-5941 affects node-serialize version 0.0.4 for Node.js, where untrusted input passed to unserialize() can be crafted as an IIFE to achieve remote code execution. Public writeups (e.g., Packet Storm and Exploit-DB entries) show an RCE payload using the IIFE to spawn a shell via child_proce...

9.8 CVSS · 9.5 AI score · 0.61025 EPSS
Exploits 5 · References 5 · Affected Software 1
Node.js
added 2017/02/09 4:30 p.m. · 58 views

Code Execution through IIFE

Overview: Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize. Recommendation: There is no direct patch for this issue. The package author has reviewed this advisory, and...

7.5 CVSS · 4.5 AI score · 0.61025 EPSS
Exploits 5 · Affected Software 1
myhack58
added 2016/12/01 12:00 a.m. · 40 views

The most common XSS exploits and defenses in React applications - vulnerability warning - the black bar safety net

The author has been a committed user of the React technology stack, and therefore pays attention to topics related to React application security. The author's own React+Redux+Webpack2 scaffolding also uses, at its third level, a lot of server-side rendering/isomorphic straight-out technology...

7 AI score
Exploits 0
Packet Storm
added 2016/09/08 12:00 a.m. · 32 views

SugarCRM REST Unserialize PHP Code Execution

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'SugarCRM REST Unserialize PHP Code Execution', 'Description' = %q This module exploits a PHP Object Injection vulnerability in...

0.3 AI score
Exploits 0
exploitpack
added 2016/09/07 12:00 a.m. · 18 views

SugarCRM 6.5.23 - REST PHP Object Injection (Metasploit)

SugarCRM 6.5.23 - REST PHP Object Injection Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'SugarCRM REST Unserialize PHP Code Execution', 'Description' = %q This...

0.2 AI score
Exploits 0
0day.today
added 2016/06/15 12:00 a.m. · 49 views

Bomgar Remote Support - Unauthenticated Code Execution (Metasploit)

Exploit for linux platform in category remote exploits This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Bomgar Remote Support Unauthenticated Code Execution', 'Description' = %q Thi...

7.1 AI score · 0.05869 EPSS
Exploits 4
Exploit DB
added 2016/06/15 12:00 a.m. · 154 views

Bomgar Remote Support - Code Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Bomgar Remote Support Unauthenticated Code Execution', 'Description' = %q This module exploits a vulnerability in the Bomgar Remote...

7.5 CVSS · 7 AI score · 0.05869 EPSS
Exploits 4