Lucene search
K

107 matches found

Hacker One
Hacker One
added 2019/07/27 6:2 p.m.40 views

Node.js third-party modules: Command Injection vulnerability in kill-port-process package

I would like to report a command injection vulnerability in the kill-port-process package. It allows an attacker to inject arbitrary commands. Module module name: kill-port-process version: 1.1.0 npm page: https://www.npmjs.com/package/kill-port-process Module Stats 0 downloads in the last day 13...

10CVSS1.3AI score0.03905EPSS
Exploits1
Hacker One
Hacker One
added 2019/06/26 8:19 p.m.134 views

Node.js third-party modules: Command Injection due to lack of sanitisation of tar.gz filename passed as an argument to pm2.install() function

Hi Guys, It's been a while : I would like to report Command Injection in pm2.import function when tar.gz archive is installed with a name provided as user controlled input. Due to lack of proper validation of tar.gz archive filename, this vulnerability allows to inject arbitrary commands and...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2019/06/24 5:18 p.m.17 views

Node.js third-party modules: Application level denial of service due to shutting down the server

Module module name: http-live-simulator version: 1.0.7 npm page: https://www.npmjs.com/package/http-live-simulator Description I've found a way to crash the server due to the way it parses URL Steps To Reproduce: 1- Install the module : npm install -g http-live-simulator 2- Run the server :...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2019/02/14 10:41 p.m.33 views

Node.js third-party modules: [url-parse] Improper Validation and Sanitization

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report Improper...

5CVSS0.7AI score0.01652EPSS
Exploits1
Hacker One
Hacker One
added 2018/09/19 11:6 a.m.25 views

Node.js third-party modules: [http-live-simulator] Path traversal vulnerability

Module module name: http-live-simulator version: 1.0.6 npm page: https://www.npmjs.com/package/http-live-simulator Description this vulnerability is a bypass for the one found in this report in version 1.0.5 Steps To Reproduce: 1- Install the module : npm install -g http-live-simulator 2- Run the...

5CVSS0.4AI score0.0165EPSS
Exploits1
Hacker One
Hacker One
added 2018/08/06 2:28 p.m.19 views

Node.js third-party modules: Code Injection Vulnerability in dot Package

I would like to report a code injection vulnerability in dot. It allows attackers to execute arbitrary JS code, especially when combined with a prototype pollution attack. Module module name: dot version: 1.1.2 npm page: https://www.npmjs.com/package/dot Module Description Created in search of th...

6.5CVSS0.8AI score0.02138EPSS
Exploits1
Hacker One
Hacker One
added 2018/07/12 8:43 a.m.26 views

Node.js third-party modules: Prototype pollution attack (defaults-deep / constructor.prototype)

I would like to report a prototype pollution vulnerability in defaults-deep. It allows an attacker to inject properties on Object.prototype. Module module name: defaults-deep version: 0.2.4 npm page: https://www.npmjs.com/package/defaults-deep Module Description Like extend but recursively copies...

7.5CVSS0.6AI score0.01481EPSS
Exploits1
Hacker One
Hacker One
added 2018/05/29 6:4 a.m.35 views

Node.js third-party modules: [serve] Server Directory Traversal

I would like to report a Server Directory Traversal vulnerability in serve. It allows reading local files on the target server. Module module name: serve version: 7.0.1 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site, single page...

5CVSS7.2AI score0.0221EPSS
Exploits1
Hacker One
Hacker One
added 2018/05/27 2:40 p.m.52 views

Node.js third-party modules: [buttle] Path traversal in mid-buttle module allows to read any file in the server.

Hello Node.js third-party modules I would like to report path traversal in buttle module It allows me to read any file in the server if i know the path. Module module name: buttle version: 0.2.0 npm page: https://www.npmjs.com/package/buttle Module Description Simple static file + markdown server...

5CVSS7.4AI score0.01918EPSS
Exploits1
Hacker One
Hacker One
added 2018/05/21 1:15 p.m.26 views

Node.js third-party modules: [servey] Path Traversal allows to retrieve content of any file with extension from remote server

Hi Team, I would like to report a partial Path Traversal in servey module. It allows to read content of any arbitrary file with extension from the server. Module module name: servey version: 2.2.0 npm page: https://www.npmjs.com/package/servey Module Description A static & single page application...

5CVSS7.6AI score0.01986EPSS
Exploits1
Hacker One
Hacker One
added 2018/04/09 9:23 a.m.19 views

Node.js third-party modules: [localhost-now] bypassing url filter which leads to read content of arbitrary file

Hi guys, i can bypass url filter in localhost-now module. It allows to read content of arbitrary files on the remote server. Module module name: localhost-now version: 1.0.2 npm page: https://www.npmjs.com/package/localhost-now Module Stats 26 downloads in the last week Vulnerability Description...

5CVSS7.7AI score0.0221EPSS
Exploits1
Hacker One
Hacker One
added 2018/04/04 4:9 p.m.10 views

Node.js third-party modules: npm packages that overlap with core node packages

Hi, I have posted here, but I wanted to make you aware of this easy social engineering trick. I do not want to claim any of these are currently malicious, but it they easily could be. Thanks, Marc Impact The attacker could do anything...use the postinstall as the user, work the same as steal data...

1.7AI score
Exploits0
Hacker One
Hacker One
added 2018/03/29 2:49 p.m.38 views

Node.js third-party modules: [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser

I would like to report HTML Injection in buttle module. Due to lack of filenames sanitization, it is possible to inject malicious iframe tag via filename and execute arbitray JavaScript code. Module module name: buttle version: 0.2.0 npm page: https://www.npmjs.com/package/buttle Module Descripti...

4.3CVSS1.3AI score0.01172EPSS
Exploits0
Hacker One
Hacker One
added 2018/02/27 4:40 a.m.32 views

Node.js third-party modules: `concat-with-sourcemaps` allocates uninitialized Buffers when number is passed as a separator

I would like to report an uninitialized Buffer allocation issue in concat-with-sourcemaps. It allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in unlikely setups where separator is attacker-controlled. Module module name:...

0.8AI score
Exploits0
Hacker One
Hacker One
added 2018/02/26 2:13 p.m.51 views

Node.js third-party modules: [m-server] Path Traversal allows to display content of arbitrary file(s) from the server

I would like to report Path Traversal in m-server module. It allows to read content of any arbitrary file from the server where m-server is installed and run. Module module name: m-server version: 1.4.0 npm page: https://www.npmjs.com/package/m-server Module Description M-Server is a mini http...

4CVSS0.4AI score0.01333EPSS
Exploits1
Hacker One
Hacker One
added 2018/02/15 8:3 a.m.28 views

Node.js third-party modules: [public] Stored XSS in filenames in directory served by public

Hi Guys, public allows to embed HTML in file names, which in certain conditions might lead to execute malicious JavaScript. I put https://www.npmjs.com/package/public in Weakness section - 'Where is the stored content accessible?' because it does not allowed me to open report with...

4.3CVSS5.8AI score0.00759EPSS
Exploits1
Hacker One
Hacker One
added 2018/02/01 2:1 p.m.39 views

Node.js third-party modules: Prototype pollution attack (deep-extend)

As discussed in 309391, here's the separate report for each of the library. This one is the information for the deep-extend library. Module: deep-extend Summary: Utilities function in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker control part of...

7.5CVSS1.8AI score0.02147EPSS
Exploits1
Hacker One
Hacker One
added 2018/01/31 8:38 p.m.55 views

Node.js third-party modules: [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server

Hi Guys, crud-file-server allows to embed HTML in file names, which in certain conditions might lead to execute malicious JavaScript. Module crud-file-server This package exposes a directory and its children to create, read, update, and delete operations over http...

4.3CVSS6.2AI score0.01046EPSS
Exploits1
Hacker One
Hacker One
added 2018/01/31 2:46 a.m.63 views

Node.js third-party modules: Prototype pollution attack (assign-deep)

As discussed in 309391, here's the separate report for each of the library. This one is the information for the assign-deep library. Module: assign-deep Summary: Utilities function in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker control part of...

6.5CVSS8.9AI score0.02019EPSS
Exploits1
Hacker One
Hacker One
added 2018/01/31 2:41 a.m.72 views

Node.js third-party modules: Prototype pollution attack (merge-objects)

As discussed in 309391, here's the separate report for each of the library. This one is the information for the merge-objects library. Module: merge-object Summary: Utilities function in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker control part ...

7.5CVSS1.1AI score0.01428EPSS
Exploits1
Rows per page
Query Builder