25 matches found
EUVD-2021-0980
Malware in sbrugna...
Security Bulletin: A security vulnerability in Node.js xmlhttprequest-ssl module affects IBM Cloud Automation Manager
Summary A security vulnerability in Node.js xmlhttprequest-ssl module affects IBM Cloud Automation Manager. Vulnerability Details CVEID: CVE-2021-29469 DESCRIPTION: Node Redis redis module for Node.js is vulnerable to a denial of service, caused by a regular expression denial of service flaw in...
Security Bulletin: A security vulnerability in Node.js xmlhttprequest-ssl module affects IBM Cloud Automation Manager
Summary A security vulnerability in Node.js xmlhttprequest-ssl module affects IBM Cloud Automation Manager. Vulnerability Details CVEID: CVE-2020-28502 DESCRIPTION: Node.js xmlhttprequest and xmlhttprequest-ssl modules could allow a remote attacker to execute arbitrary code on the system, caused ...
1tp (>=0.0.1 <=0.11.2), 2d-json-schema-editor-visual (>=1.0.2 <=1.0.7) +2806 more potentially affected by CVE-2021-31597 via xmlhttprequest-ssl (>=1.5.1 <=1.5.5)
xmlhttprequest-ssl NPM version =1.5.1, =0.0.1, =1.0.2, =1.0.1, =4.11.25, =0.1.3, =0.0.15, =8.25.29, =1.0.0, =0.0.4, =1.0.9, =1.0.15 and more Source cves: CVE-2021-31597 Source advisory: OSV:GHSA-72MH-269X-7MH5...
GHSA-72MH-269X-7MH5 Improper Certificate Validation in xmlhttprequest-ssl
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...
Improper Certificate Validation in xmlhttprequest-ssl
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...
Arbitrary Code Injection
Overview In xmlhttprequest-ssl before 1.6.2 when requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run. Recommendation Upgrade to version 1.6.2 or later References CVE GitHub Advisory...
1tp (>=0.0.1 <=0.11.2), 2d-json-schema-editor-visual (>=1.0.2 <=1.0.7) +2806 more potentially affected by CVE-2020-28502 via xmlhttprequest-ssl (>=1.5.1 <=1.5.5)
xmlhttprequest-ssl NPM version =1.5.1, =0.0.1, =1.0.2, =1.0.1, =4.11.25, =0.1.3, =0.0.15, =8.25.29, =1.0.0, =0.0.4, =1.0.9, =1.0.15 and more Source cves: CVE-2020-28502 Source advisory: OSV:GHSA-H4J5-C7CJ-74XG...
GHSA-H4J5-C7CJ-74XG xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...
xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...
Certificate Validation Bypass
xmlhttprequest-ssl is vulnerable to certificate validation bypass. The vulnerability exists because rejectUnauthorized is set to false by default, leading to bypass of certificate validation in the https.request function of Node.js...
CVE-2021-31597
A flaw was found in xmlhttprequest-ssl for Node.js. SSL certificate validation is disabled by default, due to rejectUnauthorized when the property exists but is undefined being considered to be false within the https.request function of Node.js thus, no certificate is ever rejected. The highest...
CVE-2021-31597
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...
AZL-45213 CVE-2021-31597 affecting package js-jquery 3.5.0-4
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...
CVE-2021-31597
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...
Input validation
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...
UBUNTU-CVE-2021-31597
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...
CVE-2021-31597
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...
CVE-2021-31597
The CVE-2021-31597 entry concerns the xmlhttprequest-ssl package for Node.js before version 1.6.1, which disables SSL certificate validation by default because rejectUnauthorized is treated as false when undefined. This allows potential MITM-style exposure since certificates are not rejected. Aff...
CVE-2020-28502
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...