Lucene search: Nodejs (sorted by most viewed)

1635 matches found

Node.js • added 2019/06/17 1:46 p.m. • 32 views

Cross-Site Scripting

Overview: Versions of dojo prior to 1.4.2 are vulnerable to DOM-based Cross-Site Scripting (XSS). The package does not sanitize URL parameters in the testCommon.js and runner.html test files, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation: Upgrade to versio...

CVSS 4.3 • AI score 4.6 • EPSS 0.43247
Exploits: 1 • Affected software: 1
Node.js • added 2017/08/08 10:20 p.m. • 32 views

Hijacked Environment Variables

Overview: The babelcli package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real securi...

CVSS 5 • AI score 4.5 • EPSS 0.00257
Exploits: 0 • Affected software: 1
Node.js • added 2017/08/08 9:46 p.m. • 32 views

Hijacked Environment Variables

Overview: The d3.js package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real security...

CVSS 5 • AI score 4.7 • EPSS 0.00257
Exploits: 0 • Affected software: 1
Node.js • added 2017/08/08 9:22 p.m. • 32 views

Hijacked Environment Variables

Overview: The sqlserver package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real...

CVSS 5 • AI score 4.5 • EPSS 0.00257
Exploits: 0 • Affected software: 1
Node.js • added 2017/07/18 9:50 p.m. • 32 views

Directory Traversal

Overview: Affected versions of jansenstuffpleasework resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the...

CVSS 5 • AI score 4.2 • EPSS 0.00533
Exploits: 1 • Affected software: 1
Node.js • added 2017/05/18 9:55 p.m. • 32 views

Directory Traversal

Overview: Affected versions of f2e-server resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

CVSS 5 • AI score 3.7 • EPSS 0.00862
Exploits: 1 • Affected software: 1
Node.js • added 2017/03/14 9:42 p.m. • 32 views

Cross-Site Scripting

Overview: Affected versions of i18next may fail to sanitize user input when certain configuration options are used. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. Proof of Concept: var init = i18n.ini...

CVSS 4.3 • AI score 0.8 • EPSS 0.00223
Exploits: 1 • Affected software: 1
Node.js • added 2016/12/01 7:16 p.m. • 32 views

Downloads Resources over HTTP

Overview: Affected versions of prebuild-lwip insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on...

CVSS 6.8 • AI score 2.6 • EPSS 0.00163
Exploits: 0 • Affected software: 1
Node.js • added 2016/12/01 6:35 p.m. • 32 views

Downloads Resources over HTTP

Overview: Affected versions of baryton-saxophone insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

CVSS 9.3 • AI score 5.6 • EPSS 0.00735
Exploits: 0 • Affected software: 1
Node.js • added 2016/12/01 12:39 a.m. • 32 views

Downloads Resources over HTTP

Overview: operadriver is an Opera Driver for Selenium. operadriver versions below 0.2.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if t...

CVSS 6.8 • AI score 4.3 • EPSS 0.00765
Exploits: 0 • Affected software: 1
Node.js • added 2016/12/01 12:36 a.m. • 32 views

Downloads Resources over HTTP

Overview: apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an...

CVSS 6.8 • AI score 4.3 • EPSS 0.00765
Exploits: 0 • Affected software: 1
Node.js • added 2016/12/01 12:27 a.m. • 32 views

Downloads Resources over HTTP

Overview: Affected versions of arrayfire-js insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution...

CVSS 8.5 • AI score 6.2 • EPSS 0.00689
Exploits: 0 • Affected software: 1
Node.js • added 2016/11/30 10:46 p.m. • 32 views

Downloads Resources over HTTP

Overview: Affected versions of geoip-lite-country insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and...

CVSS 6.8 • AI score 5.1 • EPSS 0.00163
Exploits: 0 • Affected software: 1
Node.js • added 2016/11/30 10:26 p.m. • 32 views

Downloads Resources over HTTP

Overview: Affected versions of webrtc-native insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code executio...

CVSS 9.3 • AI score 3.8 • EPSS 0.00518
Exploits: 0 • Affected software: 1
Node.js • added 2016/10/27 4:37 p.m. • 32 views

Cross-Site Scripting

Overview: Affected versions of sanitize-html are vulnerable to cross-site scripting. Proof of Concept: produces the following: This is definitely invalid HTML, but would suggest that it's being interpreted incorrectly by the parser. Recommendation: Update to version 1.2.3 or later. References: - Iss...

CVSS 4.3 • AI score 2.3 • EPSS 0.00264
Exploits: 1 • Affected software: 1
Node.js • added 2016/09/08 2:56 p.m. • 32 views

Cross-Site Scripting

Overview: Affected versions of nunjucks do not properly escape specially structured user input in template vars when in auto-escape mode, resulting in a cross-site scripting vulnerability. Proof of Concept: By using an array for the keys in a template var, escaping is bypassed. javascript name=aler...

CVSS 4.3 • AI score 2.2 • EPSS 0.0038
Exploits: 1 • Affected software: 1
Node.js • added 2016/07/21 5:01 p.m. • 32 views

Cross-Site Scripting

Overview: Affected versions of swagger-ui contain a cross-site scripting vulnerability in the key names of a specific nested object in the JSON document. Proof of Concept: The vulnerable object structure is: "definitions": { "arbitraryVal": { "properties": { "": "LoremIpsum" } } } Malicious JSON documents can ...

CVSS 4.3 • AI score 2.9 • EPSS 0.00279
Exploits: 0 • Affected software: 1
Node.js • added 2016/05/05 10:08 p.m. • 32 views

SQL Injection

Overview: Affected versions of sequelize are vulnerable to SQL Injection in locations where user input is passed into the limit or order parameters of sequelize query calls, such as findOne or findAll. Recommendation: Update to version 3.17.0 or later. References: - PR 5167 - Commit f282d8 - GitHub...

CVSS 7.5 • AI score 4.1 • EPSS 0.00486
Exploits: 0 • Affected software: 1
Node.js • added 2016/04/21 6:27 p.m. • 32 views

SSL Validation Defaults to False

Overview: Affected versions of electron-packager configure the generated application to disable SSL certificate verification by default. This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where...

CVSS 4.3 • AI score 3.7 • EPSS 0.00156
Exploits: 0 • Affected software: 1
Node.js • added 2016/03/21 5:05 p.m. • 32 views

Forgeable Public/Private Tokens

Overview: Affected versions of the jwt-simple package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT, the en...

CVSS 4 • AI score 3.4 • EPSS 0.81652
Exploits: 2 • Affected software: 1
Node.js • added 2015/10/17 7:41 p.m. • 32 views

Arbitrary JavaScript Execution

Overview: A vulnerability exists in bassmaster <= 1.5.1 that allows an attacker to provide arbitrary JavaScript that is then executed server side via eval. Recommendation: Update to bassmaster version 1.5.2 or greater. References: - Commit b751602 - GitHub Advisory...

CVSS 10 • AI score 6.3 • EPSS 0.84242
Exploits: 6 • Affected software: 1
Node.js • added 2015/10/17 7:41 p.m. • 32 views

Potential for Script Injection

Overview: Versions of syntax-error prior to 1.1.1 are affected by a cross-site scripting vulnerability which may allow a malicious file to execute code when browserified. Recommendation: Update to version 1.1.1 or later. References: - Browserify 4.2.1 Update - GitHub Advisory...

CVSS 10 • AI score 5.6 • EPSS 0.42574
Exploits: 1 • Affected software: 1
Node.js • added 2021/05/18 1:58 a.m. • 31 views

Cross-Site Scripting (XSS)

Overview: docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after the # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs after the /#/ (domain.com/#//attacker.com) and...

CVSS 4.3 • AI score 2.3 • EPSS 0.03162
Exploits: 5 • Affected software: 1
Node.js • added 2021/05/06 4:14 p.m. • 31 views

Improper Input Validation

Overview: sanitize-html before 2.3.1 does not properly handle internationalized domain names (IDN), which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option. Recommendation: Upgrade to version 2.3.1 or later. References: - CVE - GitHub Advisory...

CVSS 5 • AI score 4.2 • EPSS 0.00288
Exploits: 1 • Affected software: 1
Node.js • added 2021/03/03 2:22 a.m. • 31 views

Prefix escape

Overview: In fastify-http-proxy before version 4.3.1, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base URL of the proxied server is /pub/, a user expects that accessing /priv on the target service would not be possible. Unfortunately, it is...

CVSS 7.5 • AI score 9.4 • EPSS 0.00187
Exploits: 0 • Affected software: 1
Node.js • added 2020/08/19 9:15 p.m. • 31 views

DOM-based XSS

Overview: Versions before and including 11.25.1 use dangerouslySetInnerHTML to display an informational message when used with a Passwordless or Enterprise connection. For a Passwordless connection, the value of the input email or phone number is displayed back to the user while waiting for...

CVSS 3.5 • AI score 1.4 • EPSS 0.00282
Exploits: 0 • Affected software: 1
Node.js • added 2020/01/13 7:00 p.m. • 31 views

Malicious Package

Overview: All versions of 1337qq-js contain malicious code. The package exfiltrates sensitive information through install scripts. It targets UNIX systems. The information exfiltrated includes: - Environment variables - Running processes - /etc/hosts - uname -a - npmrc file Recommendation: Remove t...

AI score 6.6
Exploits: 0 • Affected software: 1
Node.js • added 2019/10/11 6:06 p.m. • 31 views

Denial of Service

Overview: All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server. Recommendation: No fix is currently available. Consider using an alternativ...

AI score 6.8
Exploits: 0 • Affected software: 1
Node.js • added 2019/09/26 9:24 p.m. • 31 views

Cryptographically Weak PRNG

Overview: Versions of generator-jhipster use a cryptographically weak PRNG that may lead to account takeover. The package uses a cryptographically insecure method to generate password reset links, which allows an attacker to guess password reset links and take over accounts. Recommendation: Update t...

CVSS 7.5 • AI score 2.9 • EPSS 0.01904
Exploits: 1 • Affected software: 1
Node.js • added 2019/06/17 6:36 p.m. • 31 views

Forced Logout

Overview: Versions of keycloak-connect prior to 4.4.0 are vulnerable to Forced Logout. The package fails to validate JWT signatures on the /klogout route, allowing attackers to log out users and craft malicious JWTs with nbf (not-before) values that prevent user access indefinitely. Recommendation: Upgrade to...

CVSS 2.1 • AI score 3.8 • EPSS 0.00019
Exploits: 0 • Affected software: 1
Node.js • added 2019/04/24 7:42 p.m. • 31 views

Signature Verification Bypass

Overview: Versions of jwt-simple prior to 0.5.3 are vulnerable to Signature Verification Bypass. If no algorithm is specified in the decode function, the package uses the algorithm in the JWT to decode tokens. This allows an attacker to create an HS256 (symmetric algorithm) JWT with the server's...

AI score 6.7
Exploits: 0 • Affected software: 1
Node.js • added 2018/11/07 9:09 p.m. • 31 views

Command Injection

Overview: Versions of ps before 1.0.0 are vulnerable to command injection. Proof of concept:

```javascript
var ps = require('ps');
ps.lookup({ pid: "$(touch success.txt)" }, function (err, proc) { // this method is vulnerable to command injection
  if (err) throw err;
  if (proc) console.log(proc); // Process name, something like...
});
```

CVSS 7.5 • AI score 3 • EPSS 0.03492
Exploits: 0 • Affected software: 1
Node.js • added 2018/04/24 3:34 p.m. • 31 views

Path Traversal

Overview: Versions of hekto before 0.2.3 are vulnerable to path traversal. This allows a remote attacker to read the content of arbitrary files. Recommendation: Update to version 0.2.3 or later. References: - HackerOne Report - GitHub Advisory...

CVSS 5 • AI score 5.5 • EPSS 0.00347
Exploits: 1 • Affected software: 1
Node.js • added 2018/01/12 10:05 p.m. • 31 views

Directory Traversal

Overview: Affected versions of featurebook resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...

AI score 6.8
Exploits: 0 • Affected software: 1
Node.js • added 2017/08/08 11:59 p.m. • 31 views

Hijacked Environment Variables

Overview: The smb package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real security...

CVSS 5 • AI score 4.5 • EPSS 0.00257
Exploits: 0 • Affected software: 1
Node.js • added 2017/08/08 10:24 p.m. • 31 views

Hijacked Environment Variables

Overview: The node-tkinter package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation: As this package is malware, if you find it installed in your environment, the real...

CVSS 5 • AI score 4.7 • EPSS 0.00257
Exploits: 0 • Affected software: 1
Node.js • added 2017/06/29 7:12 p.m. • 31 views

Directory Traversal

Overview: Affected versions of 11xiaoli resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

CVSS 5 • AI score 4.6 • EPSS 0.00533
Exploits: 1 • Affected software: 1
Node.js • added 2017/06/29 7:01 p.m. • 31 views

Directory Traversal

Overview: Affected versions of caolilinode resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...

CVSS 5 • AI score 4.1 • EPSS 0.00533
Exploits: 1 • Affected software: 1
Node.js • added 2017/06/27 5:21 p.m. • 31 views

Directory Traversal

Overview: Affected versions of wangguojing123 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

CVSS 5 • AI score 4.6 • EPSS 0.00533
Exploits: 1 • Affected software: 1
Node.js • added 2016/12/02 4:28 a.m. • 31 views

Downloads Resources over HTTP

Overview: Affected versions of ipip-coffee insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. This could impact the integrity and availability of the data being used to make geolocation decision...

CVSS 6.8 • AI score 3.6 • EPSS 0.00163
Exploits: 0 • Affected software: 1
Node.js • added 2016/12/02 4:11 a.m. • 31 views

Downloads Resources over HTTP

Overview: Affected versions of serc.js insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on t...

CVSS 9.3 • AI score 6.1 • EPSS 0.00735
Exploits: 0 • Affected software: 1
Node.js • added 2016/12/02 4:10 a.m. • 31 views

Downloads Resources over HTTP

Overview: Affected versions of limbus-buildgen insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

CVSS 9.3 • AI score 5.6 • EPSS 0.00735
Exploits: 0 • Affected software: 1
Node.js • added 2016/12/02 1:33 a.m. • 31 views

Downloads Resources over HTTP

Overview: Affected versions of rs-brightcove insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code executio...

CVSS 9.3 • AI score 6.2 • EPSS 0.00518
Exploits: 0 • Affected software: 1
Node.js • added 2016/12/02 12:49 a.m. • 31 views

Downloads Resources over HTTP

Overview: Affected versions of wixtoolset insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...

CVSS 9.3 • AI score 4.5 • EPSS 0.00736
Exploits: 0 • Affected software: 1
Node.js • added 2016/12/01 10:06 p.m. • 31 views

Downloads Resources over HTTP

Overview: Affected versions of herbivore insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

CVSS 9.3 • AI score 3.4 • EPSS 0.00736
Exploits: 0 • Affected software: 1
Node.js • added 2016/12/01 7:11 p.m. • 31 views

Downloads Resources over HTTP

Overview: Affected versions of webdriver-launcher insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

CVSS 9.3 • AI score 5.3 • EPSS 0.00518
Exploits: 0 • Affected software: 1
Node.js • added 2016/10/27 4:08 p.m. • 31 views

Local Privilege Escalation

Overview: Affected versions of npm use predictable temporary file names during archive unpacking. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user which owns the npm process has permission t...

CVSS 3.3 • AI score 3.1 • EPSS 0.00104
Exploits: 0 • Affected software: 1
Node.js • added 2016/05/05 10:16 p.m. • 31 views

SQL Injection

Overview: Affected versions of sequelize use MySQL's backslash-based escape syntax when connecting to SQLite, despite the fact that SQLite uses PostgreSQL's escape syntax, which can result in a SQL Injection vulnerability. Recommendation: Update to version 1.7.0-alpha3 or later. References: - Commit...

CVSS 7.5 • AI score 3.4 • EPSS 0.00486
Exploits: 0 • Affected software: 1
Node.js • added 2016/05/05 9:21 p.m. • 31 views

Cross-Site Scripting

Overview: Affected versions of backbone are vulnerable to cross-site scripting when users are allowed to supply input to the Model#escape function, and the output is then written to the DOM. The vulnerability occurs as a result of the regular expression used to encode metacharacters failing to take...

CVSS 3.5 • AI score 2.2 • EPSS 0.00191
Exploits: 0 • Affected software: 1
Node.js • added 2015/12/28 5:13 p.m. • 31 views

Unsafe Merging of CORS Configuration Conflict

Overview: Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended. Recommendation: Update hapi to...

CVSS 4.3 • AI score 3.7 • EPSS 0.00165
Exploits: 1 • Affected software: 1
Total number of security vulnerabilities: 1635