Lucene search
K

4072 matches found

Huntr
Huntr
•added 2020/05/23 12:0 a.m.•20 views

Code Injection in domharrington/node-gitlog

Description The gitlogplus module is vulnerable against an arbitrary command injection issue which is made possible since some user-inputs are executed inside a command which doesn't have validations of any kind. POC 1. Create the following PoC file: js // poc.js var git = require'gitlogplus';...

1.9AI score
Exploits0
Huntr
Huntr
•added 2020/05/08 12:0 a.m.•11 views

Command Injection in forsigner/node-pngdefry

Overview Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command that will be executed without any checks...

6.5AI score
Exploits0References1
Huntr
Huntr
•added 2020/05/08 12:0 a.m.•16 views

Command Injection in thebeet/idevicekit

Overview Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command that will be executed without any checks. There is a possible bypass of the checkSerial function leading to malicious serial variable content...

6.7AI score
Exploits0References1
Huntr
Huntr
•added 2020/05/08 12:0 a.m.•11 views

Code Injection in vishwanatharondekar/gitlab-cli

Description The git-lab-cli module is vulnerable against RCE since a command is crafted using user inputs not validated and then executedading to arbitrary command injection POC 1. Check there aren't files called HACKED 2. Execute the following commands in another terminal: bash npm i git-lab-cli...

2.3AI score
Exploits0
Huntr
Huntr
•added 2020/05/04 12:0 a.m.•30 views

Command Injection in zaach/jison

Overview jison is a package that provides an API for creating parsers in JavaScript. Affected versions of this package are vulnerable to Command Injection. Arbitrary OS shell command execution is possible through a crafted command-line argument...

10CVSS4.9AI score0.03633EPSS
Exploits1References1
Huntr
Huntr
•added 2020/05/02 12:0 a.m.•14 views

Code Injection in courajs/node-svn

Description The svn module is vulnerable against RCE since a command is crafted using user inputs not validated and then executedading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js var SVN = require'svn'; var svn = new SVN'./workingcopy'; svn.info"test; touch...

2.3AI score
Exploits0
Huntr
Huntr
•added 2020/05/02 12:0 a.m.•19 views

Code Injection in easy-team/node-tool-utils

Description The node-tool-utils module is vulnerable against RCE since a command is crafted using user inputs not validated and then executedading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js const tool = require'node-tool-utils'; tool.checkPortUsed"test; touc...

2.5AI score
Exploits0
Huntr
Huntr
•added 2020/05/02 12:0 a.m.•58 views

Code Injection in timstudd/node-wkhtmltoimage

Description The wkhtmltoimage module is vulnerable against RCE since a command is crafted using user inputs not validated and then executed, leading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js var wkhtmltoimage = require'wkhtmltoimage';...

1.7AI score
Exploits0
Huntr
Huntr
•added 2020/04/21 12:0 a.m.•11 views

Code Injection in sidorares/node-wrk

Description The wrk module is vulnerable against RCE since a command is crafted using user inputs not validated and then executed, leading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js var wrk = require'wrk'; wrk threads: 1, connections: 's','aaa', duration:...

1.8AI score
Exploits0
Huntr
Huntr
•added 2020/04/19 12:0 a.m.•19 views

Code Injection in rapidfacture/pdf-toolz

Description The pdf-toolz module is vulnerable against arbitrary command injection due to the fact some inputs given by the user are unsafely processed and executed. POC 1. Create the following PoC file: js // poc.js var pdf = require'pdf-toolz/PDF2Image'; pdf.pdfToImage"a", "test; touch HACKED; ...

2AI score
Exploits0
Huntr
Huntr
•added 2020/04/14 12:0 a.m.•45 views

Code Injection in elwerene/libreoffice-convert

Description The libreoffice-convert module is vulnerable against RCE since a command is crafted using user inputs not validated and then executed, leading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js const libre = require'libreoffice-convert'; libre.convert'',...

1.9AI score
Exploits0
Huntr
Huntr
•added 2020/04/13 12:0 a.m.•15 views

Code Injection in heroku/heroku-exec-util

Description The heroku-exec-util module is vulnerable against RCE since a command is crafted using user inputs not validated and then executed, leading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js var heu = require'heroku-exec-util'; heu.sshargs:,'test; touch...

2AI score
Exploits0
Huntr
Huntr
•added 2020/04/03 12:0 a.m.•14 views

Command Injection in ionicabizau/node-gry

Overview The issue occurs because a user input is formatted inside a command that will be executed without any check. Proof of Concept Credit: Mik317 1. Create the following PoC file: js // poc.js const Repo = require"gry"; var myRepo = new Repo"."; myRepo.pull"test; touch HACKED; ", function...

1.3AI score
Exploits0
Huntr
Huntr
•added 2020/04/03 12:0 a.m.•14 views

Command Injection in joeyism/node-git-lib

Overview The issue occurs because a user input is formatted inside a command that will be executed without any check. Proof of Concept Credit: Mik317 1. Create the following PoC file: js // poc.js var git = require"git-lib"; git .add"test;touch HACKED;" .thenfunction / successfully added /...

1.3AI score
Exploits0
Huntr
Huntr
•added 2020/04/03 12:0 a.m.•14 views

Cross-Site Request Forgery (CSRF) in tuhinshubhra/extanalysis

Overview The ExtAnalysis project is vulnerable against various CSRFs, that could lead to loss of functionalities and placement of malicious files in arbitrary directories without knowledge of the victim. Proof of Concept Credit: Mik317 1. Download the git project and run the server through the...

0.7AI score
Exploits0
Huntr
Huntr
•added 2020/04/03 12:0 a.m.•18 views

Code Injection in keymetrics/vizion

Overview The issue is an RCE triggerable via the module. This is possible because in the https://github.com/keymetrics/vizion/blob/master/lib/git/git.jsL228 line, the git reset --hard command is concatenated with a unsanitized input: js var command = cliCommandargs.folder, "git reset --hard " +...

0.9AI score
Exploits0References1
Huntr
Huntr
•added 2020/04/02 12:0 a.m.•13 views

Command Injection in node-virtualization/node-virtualbox

Overview The issue occurs because a user input is formatted inside a command that will be executed without any check...

4.2AI score
Exploits0
Huntr
Huntr
•added 2020/03/27 12:0 a.m.•17 views

Command Injection in zamotany/logkitty

Overview The issue occurs because a user input is formatted inside a command that will be executed without any check. Proof of Concept Credit: Mik317 1. Check there aren't files called HACKED 2. Execute the following commands in another terminal: bash npm i logkitty Install affected module logkit...

7.5CVSS2.1AI score0.0201EPSS
Exploits1
Huntr
Huntr
•added 2020/03/27 12:0 a.m.•21 views

Command Injection in quobject/aws-cli-js

Overview The issue occurs because a user input is formatted inside a command that will be executed without any check. The issue arises here. Proof of Concept Credit: Mik317 1. Create the following PoC file: js // poc.js var awsCli = require"aws-cli-js"; var Options = awsCli.Options; var Aws =...

1.7AI score
Exploits0
Huntr
Huntr
•added 2020/02/21 12:0 a.m.•38 views

Code Injection in commenthol/safer-eval

Overview safer-eval is a safer approach for eval in node and browser. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError: Maximum call stack size exceeded. Proof of Concept Credit: Jonathan Leitschuh js const theFunction = function const f =...

7.5CVSS1.5AI score0.02574EPSS
Exploits1References3
Huntr
Huntr
•added 2019/11/02 12:0 a.m.•90 views

Code Injection in mateodelnorte/meta-git

Description The meta-git module is vulnerable against command injection since the user-supplied inputs are concatenated with a command which is executed without validation. POC 1. Create a new directory and insert some test files: bash mkdir tests cd tests touch test touch secret touch files 2...

1.1AI score
Exploits0
Huntr
Huntr
•added 2019/08/18 12:0 a.m.•15 views

Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling

Overview Boxbilling is a free billing & client management software Affected versions of this software are vulnerable to Cross-site Scripting XSS. It is possible to inject JavaScript with object decoding such as alert1 resulting in XSS. Technical Description if we look in...

1.9AI score
Exploits0References2
Total number of security vulnerabilities4072