Regular Expression Denial of Service
Overview Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys. Recommendation Update to version 1.13.2, 1.14.1 or later. References - https://github.com/joyent/node-sshpk/blob/v1.13.1/lib/formats/ssh.js#L17 -...
Denial of Service
Overview Versions of http-proxy-agent before 2.1.0 are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to Buffer. Recommendation Update to version 2.1.0 or later. References -...
Out-of-bounds Read
Overview Versions of concat-with-sourcemaps before 1.0.6 allocates uninitialized Buffers when a number is passed as a separator. Recommendation Update to version 1.0.6 or later. References - HackerOne Report - Source Reference - GitHub Advisory...
Remote Code Execution
Overview GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution. More information to...
Cross-Site Scripting (XSS)
Overview Versions of cloudcmd before 9.1.6 are vulnerable to cross-site scripting XSS when listing files in a directory. The attacker must control the name of a file for this vulnerability to be exploitable. Recommendation Update to version 9.1.6 or later. References - HackerOne...
Denial of Service
Overview Versions of protobufjs before 5.0.3 and 6.8.6 are vulnerable to denial of service when parsing crafted invalid .proto files. Recommendation Update to version 5.0.3, 6.8.6 or later. References - https://github.com/dcodeIO/protobuf.js/blob/6.8.5/src/parse.js#L27 - HackerOne Report - GitHub...
Cross-Site Scripting
Overview All versions of bracket-template are vulnerable to stored cross-site scripting XSS. This is exploitable when a variable passed in via a GET parameter is used in a template. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use...
Command Injection
Overview Versions of whereis before 0.4.1 are vulnerable to command injection if untrusted user input is passed into whereis. Recommendation Update to version 0.4.1 or later. References - HackerOne Report - GitHub Commit 0f64e37 - GitHub Advisory...
Path Traversal
Overview Versions of express-cart before 1.1.7 are vulnerable to Path Traversal. Recommendation Update to version 1.1.7 or later. References - HackerOne Report - GitHub Advisory...
Cross-Site Scripting
Overview Versions of glance before 3.0.8 are vulnerable to Stored Cross-Site Scripting XSS. This is only exploitable if the attacker is able to control the name of a file that is served by the glance package. Recommendation Upgrade to version 3.0.8 or later. References - HackerOne Report - GitHub...
Prototype Pollution
Overview Versions of deap before 1.0.1 are vulnerable to prototype pollution. Recommendation Update to version 1.0.1 or later. References - HackerOne Report - GitHub Advisory...
Path Traversal
Overview All versions of simplehttpserver are vulnerable to Path Traversal. This vulnerability allows an attacker to access files outside the webroot since it allows symlink navigation in the URL. Recommendation No fix is currently available. Do not use simplehttpserver in production or consider...
Multiple XSS Filter Bypasses
Overview Versions of validator prior to 1.1.0 are affected by several cross-site scripting vulnerabilities due to bypasses discovered in the denylist-based filter. Proof of Concept Various inputs that could bypass the filter were discovered: Improper parsing of nested tags: This is a test...
Uncontrolled Resource Consumption in json-bigint
Overview Prototype pollution in json-bigint package 1.0.0 may lead to a denial-of-service DoS attack. Recommendation Upgrade to version 1.0.0 or later References - CVE - GitHub Advisory...
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
Overview Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within t...
Resource exhaustion in socket.io-parser
Overview The socket.io-parser npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service memory consumption via a large packet because a concatenation approach is used. Recommendation Upgrade to versions 3.3.2, 3.4.1 or later References - CVE - GitHub Advisory...
Cross-Site Scripting
Overview Versions of jquery prior to 3.5.0 are vulnerable to Cross-Site Scripting. Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute arbitrary JavaScript in a victim's browser. Recommendation...
Prototype Pollution
Overview Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payloa...
Deserialization of Untrusted Data in bson
Overview Versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type. Recommendation Upgrade to version 1.1.4 or...
Cross-Site Scripting
Overview Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic being executed. This allows attackers to execute arbitrary...
Regular expression denial of service
Overview glob-parent before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex is used to check for strings ending in an enclosure containing a path separator. Recommendation Upgrade to version 5.1.2 or later References - CVE - GitHub Advisory...
Command Injection
Overview lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Recommendation Upgrade to version 4.17.21 or later References - CVE - GitHub Advisory - Snyk Advisory...
Cross-Site Scripting
Overview Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting XSS. The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript. Recommendation For bootstrap 4.x...
Prototype Pollution
Overview Versions of angular prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API function merge does not restrict the modification of an Object's prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendatio...
Command Injection
Overview There is a command injection vulnerability in affected versions of total.js. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is calle...
Reflected Cross-Site Scripting
Overview There is an XSS vulnerability in affected versions of auth0-lock. Overview Versions before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's flashMessage feature is utilized and user input or data from URL parameters is...
Prototype pollution in chart.js
Overview In chart.js before version 2.9.4 the options parameter is not properly sanitized when it is processed. When the options are processed, the existing options or the defaults options are deeply merged with provided options. However, during this operation, the keys of the object being set ar...
Cross-site scripting in bootstrap-select
Overview bootstrap-select before 1.13.6 allows Cross-Site Scripting XSS. It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation Upgrade to version 1.13.6 or later References - CVE - GitHub Advisory...
Sandbox Breakout / Arbitrary Code Execution
Overview Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept var evaluate = require('static-eval'); var parse =...
Stored Cross-Site Scripting
Overview All versions of simplehttpserver are vulnerable to stored cross-site scripting XSS. To be exploited an attacker needs to control the filename of a file that is used in the directory listing output. Recommendation No fix is currently available for this vulnerability. It is our...
Regular Expression Denial of Service in path-parse
Overview Affected versions of path-parse are vulnerable to Regular Expression Denial of Service ReDoS via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. Recommendation Upgrade to version 1.0.7 or later References - CVE - GitH...
Misinterpretation of malicious XML input
Overview Impact xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. Workarounds...
VBScript Content Injection
Overview Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set. Proof of Concept IE10 Compatibility Mode Only xss link will get a link xss link Recommendation Update to version 0.3.3 or later. References - Issue 492 - GitHub Advis...
Remote code execution when compiling templates
Overview handlebars before 4.7.7 are vulnerable to Remote Code Execution RCE when selecting certain compiling options to compile templates coming from an untrusted source. Recommendation Upgrade to version 4.7.7 or later References - CVE - GitHub Advisory...
Exfiltrates Discord login tokens to pastebin
Overview The discordi.js package is malware that attempts to discover and exfiltrate a user's Discord credentials, sending them to pastebin. All versions have been unpublished from the npm registry. Recommendation Do not install / use this module. It has been unpublished from the npm registry but...
Directory Traversal
Overview Affected versions of sencisho are vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this...
Cross-Site Scripting
Overview Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted. Proof of Concept Template: Input: 'foo' : 'test.com onload=alert1' Rendered result: Recommendation Update to version 4.0.0 or later...
Directory Traversal
Overview Affected versions of serverlyr resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...
Remote Memory Disclosure
Overview Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability. In certain rare circumstances, applications which allow users to control the arguments of a client.ping call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server...
Remote Code Execution
Overview Affected versions of pg contain a remote code execution vulnerability that occurs when the remote database or query specifies a crafted column name. There are two specific scenarios in which it is likely for an application to be vulnerable: 1. The application executes unsafe, user-suppli...
Cross-site scripting
Overview Two kinds of XSS were found in affected versions of mongo-express. 1. As mentioned in https://github.com/mongo-express/mongo-express/issues/577 when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin...
Bypassing Sanitization using DOM clobbering
Overview All versions of html-janitor are vulnerable to cross-site scripting XSS. Arbitrary HTML can pass the sanitization process, which can be unexpected and dangerous XSS in case user-controlled input is passed to the clean function. Recommendation Upgrade to version 2.0.4 or later. Reference...
Open Redirect
Overview Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users, although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain...
Incorrect Handling of Non-Boolean Comparisons During Minification
Overview Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification. Recommendation Upgrade UglifyJS to version >= 2.4.24. References - Backdooring JS - Yan Zhu (@bcrypt) - Issue 751 - GitHub Advisory...
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Overview The tar package has a high severity vulnerability before versions 3.2.2, 4.4.14, 5.0.6, and 6.1.1. Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths...
Prototype Pollution
Overview Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing property that will exist on all objects...
Sanitization Bypass
Overview A type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function...
Server-Side Request Forgery
Overview The axios NPM package before 0.21.1 contains a Server-Side Request Forgery SSRF vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. Recommendation Upgrade to 0.21.1 or later. References - GitHub...
Directory Traversal
Overview serverwg is a simple http server. serverwg is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo and response: HTTP/1.1 200 OK Date: Wed, 17 M...
Directory Traversal
Overview Affected versions of bitty are vulnerable to directory traversal via the URL path in GET requests. Recommendation The bitty package is not currently maintained and has not seen an update since 2015. At this time, the best available mitigation is to use an alternative module that is...