Node.js vulnerability search results (sorted by most viewed)

1635 matches found
Node.js • added 2016/07/05 3:50 p.m. • 35 views

Route Validation Bypass

Overview: Affected versions of call do not validate empty parameters, which may result in a bypass of route validation rules. Proof of Concept: Routing Scheme: /api/param/param2/details; Triggering Request Path: /api/// Recommendation: Update to version 3.0.2 or later. References: - Issue 3228 - GitHu...

CVSS 5 • AI score 3.3 • EPSS 0.00237
Exploits 1 • Affected Software 1

Node.js • added 2021/03/01 8:02 p.m. • 34 views

Regular Expression Denial of Service

Overview: three before version 0.125.0 is vulnerable to Regular Expression Denial of Service (ReDoS). This can happen when handling rgb or hsl colors. POC: var three = require'three' function buildblank n var ret = "rgb" for var i = 0; i n; i++ ret += " " return ret + ""; var Color = three.Color var...

CVSS 5 • AI score 7.3 • EPSS 0.01422
Exploits 1 • Affected Software 1

Node.js • added 2020/11/09 11:47 p.m. • 34 views

Malicious Package

Overview: The package discord.dll contained malicious code. The package ran a postinstall script that exfiltrated local files such as browser local databases. The information was exfiltrated to a remote Discord webhook. Recommendation: Remove the package from your system and rotate any credentials...

AI score 6.6
Exploits 0 • Affected Software 1

Node.js • added 2018/05/15 11:22 p.m. • 34 views

Malicious Package

Overview: Version 1.0.910 of cordova-plugin-china-picker contained malicious code. The code, when executed in the browser, would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 1.0.910 of this modul...

AI score 6.9
Exploits 0 • Affected Software 1

Node.js • added 2018/04/24 4:17 p.m. • 34 views

Cross-Site Scripting

Overview: Versions of simple-server before 1.1.0 are vulnerable to stored cross-site scripting (XSS). This is exploitable if an attacker can control a filename on the server. Recommendation: Update to version 1.1.0 or later. References: - HackerOne Report...

CVSS 3.5 • AI score 3 • EPSS 0.00332
Exploits 1 • Affected Software 1
Node.js • added 2018/04/24 3:48 p.m. • 34 views

Path Traversal

Overview: Versions of stattic before 0.3.0 are vulnerable to path traversal, allowing a remote attacker to read arbitrary files with any extension from the server that uses stattic. Recommendation: Update to version 0.3.0 or later. References: - HackerOne Report - GitHub Advisory...

CVSS 5 • AI score 4.9 • EPSS 0.00323
Exploits 1 • Affected Software 1

Node.js • added 2018/04/24 2:49 p.m. • 34 views

Cross-Site Scripting

Overview: Versions of anywhere before 1.5.0 are vulnerable to cross-site scripting (XSS). Recommendation: Update to version 1.5.0 or later. References: - GitHub Issue 33 - HackerOne Report - GitHub Advisory...

CVSS 3.5 • AI score 2.8 • EPSS 0.00332
Exploits 1 • Affected Software 1

Node.js • added 2018/01/23 4:29 p.m. • 34 views

Directory Traversal

Overview: Affected versions of augustine resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

AI score 6.6
Exploits 0 • Affected Software 1

Node.js • added 2017/08/08 11:58 p.m. • 34 views

Hijacked Environment Variables

Overview: The mongose package is a piece of malware that steals environment variables and sends them to attacker-controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real securit...

CVSS 5 • AI score 4.6 • EPSS 0.00257
Exploits 1 • Affected Software 1

Node.js • added 2017/08/08 10:49 p.m. • 34 views

Hijacked Environment Variables

Overview: The node-openssl package is a piece of malware that steals environment variables and sends them to attacker-controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real...

CVSS 5 • AI score 4.7 • EPSS 0.00257
Exploits 0 • Affected Software 1
Node.js • added 2017/07/19 9:57 p.m. • 34 views

Directory Traversal

Overview: Affected versions of section2.madisonjbrooks12 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the...

CVSS 5 • AI score 4.6 • EPSS 0.00533
Exploits 1 • Affected Software 1

Node.js • added 2017/07/19 4:19 p.m. • 34 views

Directory Traversal

Overview: Affected versions of whispercast resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...

CVSS 5 • AI score 4 • EPSS 0.00533
Exploits 1 • Affected Software 1

Node.js • added 2017/07/07 8:34 p.m. • 34 views

Directory Traversal

Overview: Affected versions of pytservce resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

CVSS 5 • AI score 4.4 • EPSS 0.00533
Exploits 1 • Affected Software 1

Node.js • added 2017/06/29 6:55 p.m. • 34 views

Directory Traversal

Overview: Affected versions of dcserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

CVSS 5 • AI score 4.5 • EPSS 0.00533
Exploits 1 • Affected Software 1

Node.js • added 2016/12/02 4:08 a.m. • 34 views

Downloads Resources over HTTP

Overview: Affected versions of libsbmlsim insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...

CVSS 9.3 • AI score 5.4 • EPSS 0.00735
Exploits 0 • Affected Software 1
Node.js • added 2016/12/02 1:34 a.m. • 34 views

Downloads Resources over HTTP

Overview: Affected versions of google-closure-tools-latest insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in...

CVSS 9.3 • AI score 5.2 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/12/02 1:29 a.m. • 34 views

Downloads Resources over HTTP

Overview: Affected versions of poco insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

CVSS 9.3 • AI score 5.6 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/12/01 7:10 p.m. • 34 views

Downloads Resources over HTTP

Overview: Affected versions of apk-parser3 insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution ...

CVSS 9.3 • AI score 5.4 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/12/01 3:25 p.m. • 34 views

Downloads Resources over HTTP

Overview: Affected versions of httpsync insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

CVSS 9.3 • AI score 5.5 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/12/01 3:20 p.m. • 34 views

Downloads Resources over HTTP

Overview: Affected versions of grunt-webdriver-qunit insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

CVSS 9.3 • AI score 5.2 • EPSS 0.00518
Exploits 0 • Affected Software 1
Node.js • added 2016/12/01 3:16 p.m. • 34 views

Downloads Resources over HTTP

Overview: Affected versions of dalek-browser-ie-canary insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in cod...

CVSS 9.3 • AI score 5.2 • EPSS 0.00518
Exploits 0 • Affected Software 1

Node.js • added 2016/11/30 10:03 p.m. • 34 views

Downloads Resources over HTTP

Overview: Affected versions of iedriver insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

CVSS 9.3 • AI score 5.8 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/11/30 9:05 p.m. • 34 views

Downloads Resources over HTTP

Overview: Affected versions of selenium-download insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

CVSS 9.3 • AI score 5.6 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/11/28 4:06 p.m. • 34 views

Cross-Site Scripting

Overview: Affected versions of gitbook do not properly sanitize user input outside of backticks, which may result in cross-site scripting in the online reader. Recommendation: Update to version 3.2.2 or later. References: - Issue 1609 - GitHub Advisory...

CVSS 4.3 • AI score 3.2 • EPSS 0.0024
Exploits 1 • Affected Software 1

Node.js • added 2016/08/25 1:21 p.m. • 34 views

Arbitrary Code Injection

Overview: Affected versions of reduce-css-calc pass input directly to eval. If user input is passed into the calc function, this may result in cross-site scripting in the browser, or remote code execution on the server. Proof of Concept: const reduceCSSCalc = require'reduce-css-calc';...

CVSS 4.3 • AI score 1.7 • EPSS 0.00427
Exploits 1 • Affected Software 1
Node.js • added 2015/10/17 7:41 p.m. • 34 views

Verification Bypass

Overview: Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occurring when an attacker is allowed to arbitrarily specify the JWT algorithm. Recommendation: Update to version 4.2.2 or later...

CVSS 7.5 • AI score 3 • EPSS 0.37481
Exploits 3 • Affected Software 1

Node.js • added 2020/10/01 5:01 p.m. • 33 views

Malicious Package

Overview: electorn was removed from the npm registry for containing malicious code. Upon installation the package runs a preinstall script that writes a public comment on GitHub containing the following information: - IP and IP-based geolocation - home directory name - local username Recommendatio...

AI score 6.8
Exploits 0 • Affected Software 1

Node.js • added 2019/06/03 6:03 p.m. • 33 views

Malicious Package

Overview: Version 3.1.1 of yeoman-genrator contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and ope...

AI score 7.1
Exploits 0 • Affected Software 1

Node.js • added 2019/04/19 9:33 p.m. • 33 views

Use-After-Free

Overview: Versions of puppeteer prior to 1.13.0 are vulnerable to the Use-After-Free vulnerability in Chromium (CVE-2019-5786). The Chromium FileReader API is vulnerable to Use-After-Free, which may lead to Remote Code Execution. Recommendation: Upgrade to version 1.13.0 or later. References: - GitHub...

CVSS 4.3 • AI score 5.4 • EPSS 0.89944
Exploits 10 • Affected Software 1

Node.js • added 2018/04/20 9:20 p.m. • 33 views

Regular Expression Denial of Service

Overview: ssri 5.2.2-6.0.1 and 7.0.0-7.1.1 processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. Recommendation...

AI score 6.6 • EPSS 0.02458
Exploits 1 • Affected Software 1
Node.js • added 2017/08/08 9:36 p.m. • 33 views

Hijacked Environment Variables

Overview: The node-fabric package is a piece of malware that steals environment variables and sends them to attacker-controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real...

CVSS 5 • AI score 4.7 • EPSS 0.00257
Exploits 0 • Affected Software 1

Node.js • added 2017/05/22 9:32 p.m. • 33 views

Directory Traversal

Overview: Affected versions of gomeplus-h5-proxy resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

CVSS 5 • AI score 4.6 • EPSS 0.00533
Exploits 1 • Affected Software 1

Node.js • added 2016/12/02 1:31 a.m. • 33 views

Downloads Resources over HTTP

Overview: Affected versions of libsbml insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on t...

CVSS 9.3 • AI score 5 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/12/02 12:59 a.m. • 33 views

Downloads Resources over HTTP

Overview: Affected versions of clang-extra insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution ...

CVSS 9.3 • AI score 2.9 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/12/01 10:14 p.m. • 33 views

Downloads Resources over HTTP

Overview: Affected versions of selenium-portal insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

CVSS 9.3 • AI score 5.3 • EPSS 0.00735
Exploits 0 • Affected Software 1
Node.js • added 2016/12/01 5:29 p.m. • 33 views

Downloads Resources over HTTP

Overview: Affected versions of redis-srvr insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...

CVSS 9.3 • AI score 5.3 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/12/01 3:34 p.m. • 33 views

Downloads Resources over HTTP

Overview: Affected versions of curses insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on th...

CVSS 9.3 • AI score 5.9 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/12/01 3:15 p.m. • 33 views

Downloads Resources over HTTP

Overview: Affected versions of install-nw insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...

CVSS 9.3 • AI score 5.6 • EPSS 0.00735
Exploits 0 • Affected Software 1

Node.js • added 2016/11/30 8:45 p.m. • 33 views

Downloads Resources over HTTP

Overview: Affected versions of chromedriver insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. This may result in arbitrary code execution if an attacker intercepts and modifies the downloaded...

CVSS 6.8 • AI score 5.2 • EPSS 0.00765
Exploits 0 • Affected Software 1

Node.js • added 2016/08/08 2:38 p.m. • 33 views

Cross-Site Scripting

Overview: Affected versions of swagger-ui are vulnerable to cross-site scripting via the url query string parameter. Recommendation: Update to 2.2.1 or later. References: - GitHub Issue - GitHub Advisory...

AI score 6.3
Exploits 0 • Affected Software 1
Node.js • added 2016/08/01 4:36 p.m. • 33 views

Cross-Site Scripting

Overview: Affected versions of sanitize-html do not sanitize input recursively, which may allow an attacker to execute arbitrary JavaScript. Recommendation: Update to version 1.4.3 or later. References: - Issue 29 - GitHub Advisory...

CVSS 4.3 • AI score 6.1 • EPSS 0.0024
Exploits 0 • Affected Software 1

Node.js • added 2016/05/06 4:50 p.m. • 33 views

SQL Injection

Overview: Affected versions of waterline-sequel are vulnerable to SQL injection in cases where user input is passed into the like, contains, startsWith, or endsWith methods. Recommendation: Upgrade to at least version 0.5.1. References: - Issue 1219 - PR 66 - GitHub Advisory...

CVSS 7.5 • AI score 4.8 • EPSS 0.00453
Exploits 1 • Affected Software 1

Node.js • added 2016/04/18 9:16 p.m. • 33 views

SQL Injection

Overview: Affected versions of sequelize cast arrays to strings and fail to properly escape the resulting SQL statement, resulting in a SQL injection vulnerability. Proof of Concept: In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly...

CVSS 5 • AI score 1.9 • EPSS 0.0022
Exploits 1 • Affected Software 1

Node.js • added 2015/10/17 7:41 p.m. • 33 views

Heap Based Buffer Overflow

Overview: Versions 0.2.2 and earlier depend on native libyaml version 0.1.5 or earlier. As such, they are affected by a heap-based buffer overflow vulnerability that may result in a crash or arbitrary code execution when parsing YAML tags. Recommendation: - Update to version 0.2.3 that includes a...

CVSS 6.8 • AI score 5.3 • EPSS 0.0806
Exploits 0 • Affected Software 1

Node.js • added 2021/05/06 4:14 p.m. • 32 views

Improper Input Validation

Overview: sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when "allowIframeRelativeUrls" is set to true, which allows attackers to bypass the hostname whitelist for the iframe element, related to using an src value that starts with...

CVSS 5 • AI score 4.4 • EPSS 0.00288
Exploits 1 • Affected Software 1
Node.js • added 2021/05/06 3:53 p.m. • 32 views

Cross-Site Scripting

Overview: react-draft-wysiwyg (aka React Draft Wysiwyg) before 1.14.6 allows a javascript: URI in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS. Recommendation: Upgrade to version 1.14.6 or later. References: - CVE - GitHub Advisory...

CVSS 3.5 • AI score 3.5 • EPSS 0.00263
Exploits 1 • Affected Software 1

Node.js • added 2021/03/03 1:55 a.m. • 32 views

Prefix escape

Overview: In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is /pub/, a user expects that accessing /priv on the target service would not be possible. Unfortunately, it is...

CVSS 7.5 • AI score 9.3 • EPSS 0.0042
Exploits 0 • Affected Software 1

Node.js • added 2020/10/01 5:01 p.m. • 32 views

Malicious Package

Overview: loadyaml was removed from the npm registry for containing malicious code. Upon installation the package runs a preinstall script that writes a public comment on GitHub containing the following information: - IP and IP-based geolocation - home directory name - local username Recommendatio...

AI score 6.8
Exploits 0 • Affected Software 1

Node.js • added 2020/07/29 8:44 p.m. • 32 views

Signature Malleability

Overview: The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature. Recommendation...

CVSS 6.8 • AI score 5.8 • EPSS 0.00411
Exploits 1 • Affected Software 1

Node.js • added 2019/10/04 7:21 p.m. • 32 views

Cross-Site Scripting

Overview: Versions of dompurify prior to 2.0.3 are vulnerable to Cross-Site Scripting (XSS). The package has an XSS filter bypass due to Mutation XSS in both Chrome and Safari through a combination of / elements and /. An example payload is: ". This allows attackers to bypass the XSS protection and...

CVSS 4.3 • AI score 3.7 • EPSS 0.00962
Exploits 2 • Affected Software 1