Directory Traversal

Overview Affected versions of qinserve resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Directory Traversal

Overview Affected versions of ltt resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Examp...

Header Forgery

Overview Affected versions of http-signature contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature. This problem occurs because vulnerable versions of http-signature...

Downloads Resources over HTTP

Overview Affected versions of pm2-kafka insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

Downloads Resources over HTTP

Overview Affected versions of xd-testing insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...

Downloads Resources over HTTP

Overview Affected versions of embedza insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on t...

Downloads Resources over HTTP

Overview Affected versions of haxe insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

Improperly Controlled Modification of Object Prototype Attributes

Overview think-logic before version 1.1.3 has a prototype pollution vulnerability. Impact The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object...

Hostname spoofing via backslashes in URL

Overview Impact urijs before version 1.19.6 is affected by hostname spoofing issue. If using urijs to determine a URL's hostname, the hostname can be spoofed by using a backslash \ character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, th...

Regular Expression Denial of Service

Overview prismjs versions before 1.23.0 are vulnerable to Regular Expression Denial of Service ReDoS via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components. Recommendation Upgrade to version 1.23.0 or later References - Snyk Advisory - GitHub Advisory - CVE...

Regular Expression Denial of Service

Overview date-and-time is a package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of service. Recommendation Upgrade to version version 0.14.2 or later. References - GitHub Advisor...

Denial of Service

Overview Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are...

Insufficient Entropy

Overview Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits method does not provide sufficient entropy and its generates digits that are not evenly distributed. Recommendation Upgrade to version 4.1.2. The package is deprecated and has been moved to...

Prototype Pollution

Overview Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects...

Hijacked Environment Variables

Overview The noderequest package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

Hijacked Environment Variables

Overview The ffmepg package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real security...

Directory Traversal

Overview Affected versions of getcityapi.yoehoehne resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the...

Directory Traversal

Overview Affected versions of jnjjserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Directory Traversal

Overview Affected versions of elding resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Th...

Command Execution

Overview Version of windows-cpu before 0.1.5 will execute arbitrary code passed into the first argument of the findLoad method, resulting in remote code execution. Proof of Concept var win = require'windows-cpu'; wind.findLoad'foo & calc.exe'; Recommendation Update to version 0.1.5 or later...

Cross-Site Scripting

Overview Affected versions of i18next allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability. Proof of Concept var init = i18n.initdebug: true, function var test = i18n.t'firstName lastName', escapeInterpolation: true, firstName:...

Downloads Resources over HTTP

Overview Affected versions of react-native-baidu-voice-synthesizer insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one,...

Downloads Resources over HTTP

Overview Affected versions of haxeshim insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

Downloads Resources over HTTP

Overview Affected versions of massif insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on th...

Downloads Resources over HTTP

Overview Affected versions of co-cli-installer insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Broken CORS

Overview Affected versions of sails have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This may allow an attacker to make AJAX requests to vulnerable hosts through cross-site scripting or a malicious...

Cross-Site Scripting

Overview Versions of mustache prior to 2.2.1 are affected by a cross-site scripting vulnerability when attributes in mustache templates are not quoted. Example Template: Input: 'foo' : 'test.com onload=alert1' Rendered result: Recommendation Update to version 2.2.1 or later. Alternatively, ensure...

Authentication Weakness

Overview Versions of keystone prior to 0.3.16 are affected by a partial authentication bypass vulnerability. In the default sign in functionality, if an attacker provides a full and correct password, yet only provides part of the associated email address, authentication will be granted...

No Charset in Content-Type Header

Overview Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standa...

Regular Expression Denial of Service

Overview Versions 0.3.3 and earlier of marked are affected by a regular expression denial of service ReDoS vulnerability when passed inputs that reach the em inline rule. Recommendation Update to version 0.3.4 or later. References - Regular Expression Denial of Service - OWASP - Issue 497 - GitHu...

Cross-Site Scripting bypass

Overview All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside of object tags is not properly sanitized and allows javascript URIs leading to code execution. Recommendation No fix is currently available. Consider using an alternative package until a fix is...

Malicious Package

Overview All versions of nodetest1010 contain malicious code. Upon installation the package opens a shell to a remote server. The package affects both Windows and nix systems. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secret...

Improper Verification of Cryptographic Signature

Overview Versions of jsrsasignprior to 8.0.17 fail to properly verify cryptographic signatures. Its RSASSA-PSS RSA-PSS implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature it accepts these modified signatures as valid. An attacker can abuse th...

Command Injection

Overview All versions of npm-programmatic are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an exec call on the install, uninstall and list functions . This may allow attackers to execute arbitrary code in the system if the package name passe...

Hijacked Environment Variables

Overview The nodeffmpeg package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

Hijacked Environment Variables

Overview The sqliter package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real securit...

Directory Traversal

Overview Affected versions of utahcityfinder resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

Cross-Site Scripting

Overview Affected versions of morris.js are vulnerable to cross-site scripting attacks in labels that appear when hovering over a particular point on a generated graph. The text content of these labels is not escaped, so if control over the labels is obtained, script can be injected. The script...

Downloads Resources over HTTP

Overview Affected versions of windows-latestchromedriver insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in...

Downloads Resources over HTTP

Overview Affected versions of pk-app-wonderbox insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Downloads Resources over HTTP

Overview Affected versions of go-ipfs-deps insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on...

Insecure Defaults Allow MITM Over TLS

Overview Affected versions of engine.io-client do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks. The vulnerability is related to the way that node.js handles the rejectUnauthorized setting. If the value is something that evaluates to false, such as...

Arbitrary File Write

Overview Affected versions of cli use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporarly file names, the attacker can arbitrarily write to any file that the user which owns the cli process has permission to write to. Proof of...

Cross-Site Scripting (XSS)

Overview In affected versions of hellojs hello.js there is a cross-site scripting bug. The code get the param oauthredirect from url and pass it to location.assign without any check and sanitisation. It is possible to simply pass some XSS payloads into the url param oauthredirect, such as...

Remote Code Execution

Overview MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The...

Cross-Site Scripting

Overview Affected versions of react-dom are vulnerable to Cross-Site Scripting XSS. The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be...

Hijacked Environment Variables

Overview The proxy.js package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real securi...

Directory Traversal

Overview Affected versions of ewgaddis.lab6 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

Directory Traversal

Overview Affected versions of wintiwebdev resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...

Arbitrary Code Injection

Overview mobile-icon-resizer resizes large images for use as icons for iOS and Android. mobile-icon-resizer has a code execution vulnerability in versions before 0.4.3. mobile-icon-resizer takes an options object as an argument to define the resulting icons as such: var options = config:...