Lucene search
K

107 matches found

NCSC
NCSC
added 2021/09/08 12:0 a.m.8 views

Vulnerabilities fixed in Google Android

Google has fixed vulnerabilities in the Android OS. A malicious party could misuse the vulnerabilities to gain access to sensitive data or give himself elevated privileges. To do this, the malicious party must trick the victim into installing a rogue app to install. The vulnerability with referen...

10CVSS7AI score0.00796EPSS
Exploits0
Hacker One
Hacker One
added 2020/09/29 11:9 a.m.45 views

Node.js third-party modules: [zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files

Summary I would like to report path traversal in zenn-cli. It allows the attacker to read arbitrary .md files. Module module name: zenn-cli version: 0.1.39 npm page: https://www.npmjs.com/package/zenn-cli Module Description Manage Zenn content locally 👩‍💻 Module Stats 885 weekly downloads...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2020/09/02 6:5 p.m.18 views

Node.js third-party modules: [curling] Remote Code Execution

I would like to report RCE in curling I can bypass the security check for special characters, read / overwrite file Module module name: curling version: 1.1.0 npm page: https://www.npmjs.com/package/curling Module Description A node wrapper for curl with a very simple api. Module Stats 156 weekly...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2020/05/21 3:34 p.m.213 views

Node.js third-party modules: Bypass of SSRF Vulnerability

Bypass of SSRF report https://hackerone.com/reports/793704 Fix applied after reporting the actual report did not prevent from SSRF issue. https://github.com/TryGhost/Ghost/commit/47739396705519a36018686894d1373e9eb92216diff-3aa52b4b8c6e0fb8422de65648e35887R101 The function fetchOembedData only...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2020/05/03 10:10 a.m.19 views

Node.js third-party modules: [xps] Command Injection via insecure command concatenation

I would like to report a Command Injection issue in the xps module. It allows to execute arbitrary commands on the victim's PC. Module module name: xps version: 1.0.2 npm page: https://www.npmjs.com/package/xps Module Description xps is a cross-platform library for listing and killing processes...

0.8AI score
Exploits0
Veracode
Veracode
added 2020/04/22 8:49 a.m.18 views

Information Disclosure

simplesamlphp is vulnerable to information disclosure. It does not properly handle a request with an uppercase file extension '.PHP', causing the server to disclose the contents of the file by sending to the browser instead of executing it and therefore leaking the sensitive source code in...

3.1CVSS1.5AI score0.00922EPSS
Exploits0References2Affected Software1
UbuntuCve
UbuntuCve
added 2020/04/21 8:15 p.m.32 views

CVE-2020-5301

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module controller in SimpleSAML\Module that processes requests for pages hosted by modules, has code to identify paths ending with .php and process those as PHP code. If no other suitable way of handling the...

3.5CVSS5.9AI score0.00922EPSS
Exploits0References1
Cvelist
Cvelist
added 2020/04/21 7:50 p.m.40 views

CVE-2020-5301 Information disclosure of source code in SimpleSAMLphp

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module controller in SimpleSAML\Module that processes requests for pages hosted by modules, has code to identify paths ending with .php and process those as PHP code. If no other suitable way of handling the...

3CVSS3.6AI score0.00922EPSS
Exploits0References2
Hacker One
Hacker One
added 2020/03/09 1:43 p.m.41 views

Node.js third-party modules: [Limited bypass of #793704] Blind SSRF in Ghost CMS

Blind SSRF vulnerability in Ghost allows for internal port scanning, or reading oembed contents from internal network...

5.5CVSS2.4AI score0.0122EPSS
Exploits1
Hacker One
Hacker One
added 2020/01/20 5:3 p.m.255 views

Node.js third-party modules: [klona] Prototype pollution

I would like to report Prototype pollution in klona It allows adding arbitrary property to Prototype while deep cloning an object Module module name: klona version: Hunter's comments and funny memes goes here F690469 Impact Denial of Service and possible Remote code execution by overriding object...

7.5CVSS0.9AI score0.04118EPSS
Exploits1
Hacker One
Hacker One
added 2020/01/11 10:55 p.m.26 views

Node.js third-party modules: [blamer] RCE via insecure command formatting

I would like to report a RCE issue in the blamer module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: blamer version: 0.1.13 npm page: https://www.npmjs.com/package/blamer Module Description Blamer is a tool for get information about author of code...

7.5CVSS1.3AI score0.04164EPSS
Exploits1
Hacker One
Hacker One
added 2019/12/26 12:4 p.m.13 views

Node.js third-party modules: [http-live-simulator] Application-level DoS

The http-live-simulator npm package has an application level DoS vulnerability...

2.2AI score
Exploits0
Hacker One
Hacker One
added 2019/11/05 9:10 p.m.16 views

Node.js third-party modules: [gity] RCE via insecure command formatting

I would like to report a RCE issue in the gity module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: gity version: 1.0.5 npm page: https://www.npmjs.com/package/gity Module Description A nice Git wrapper for Node. Module Stats 3/4 downloads in the las...

1.2AI score
Exploits0
Hacker One
Hacker One
added 2019/10/31 1:23 p.m.30 views

Node.js third-party modules: Crash Node.js process from handlebars using a small and simple source

I would like to report Denial of service in handlebars. It allows an attacker to crush Node.js process with a small and simple source. Module module name: handlebars version: 4.5.1 npm page: https://www.npmjs.com/package/handlebars Module Description Handlebars.js is an extension to the Mustache...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2019/10/22 12:6 p.m.94 views

Node.js third-party modules: Prototype pollution in dot-prop

I would like to report a parameter pollution in dot-prop It allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation DoS, access to sensitive data, RCE. Module module name: dot-prop version: 5.1.1 npm page:...

7.5CVSS0.3AI score0.03079EPSS
Exploits1
Hacker One
Hacker One
added 2019/10/20 11:52 a.m.26 views

Node.js third-party modules: [git-lib] RCE via insecure command formatting

I would like to report a RCE issue in the git-lib module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: git-lib version: 1.6.0 npm page: https://www.npmjs.com/package/git-lib Module Description A library that contains different methods to be consumed ...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2019/10/17 3:59 p.m.19 views

Node.js third-party modules: Stored XSS (Hexo-admin plugin)

I would like to report Stored XSS in Hexo-admin It allows The Post editor functionality in the hexo-admin plugin 3.9.0 for Node.js is vulnerable to stored XSS via the content of a post. Module module name: Hexo-admin version: 3.9.0 npm page: https://www.npmjs.com/package/hexo-admin Module...

5.4AI score
Exploits0
Hacker One
Hacker One
added 2019/09/12 3:55 p.m.27 views

Node.js third-party modules: [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure

I would like to report a unauthenticated access/authorization bypass issue in the expressjs-ip-control module. It allows to bypass the whitelist IP check in order to bypass the authorization check and possibly expose sensitive datas. Module module name: MODULE NAME version: MODULE VERSION npm pag...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2019/09/10 6:29 p.m.94 views

Node.js third-party modules: [reveal.js] XSS by calling arbitrary method via postMessage

I would like to report XSS in reveal.js It allows gaining access to the victim's account and performing actions on his behalf Module module name: reveal.js version: 3.8.0 npm page: https://www.npmjs.com/package/reveal.js Module Description A framework for easily creating beautiful presentations...

4.3CVSS6.1AI score0.01197EPSS
Exploits1
Cvelist
Cvelist
added 2019/08/02 9:10 p.m.24 views

CVE-2019-7849

A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2...

7.5AI score0.01151EPSS
Exploits0References1
Rows per page
Query Builder