Lucene search
+L
NodejsMost viewed

1635 matches found

Node.js
Node.js
added 2019/06/07 7:17 p.m.15 views

Malicious Package

Overview Version 0.4.20 of motiv.scss contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...

7AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/06/07 6:59 p.m.15 views

Malicious Package

Overview Version 0.0.3 of angular-location-update contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your...

7AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/06/05 2:14 p.m.15 views

Command Injection

Overview Versions of wiki-plugin-datalog prior to 0.1.6 are vulnerable to Command Injection. The package failed to sanitize URLs on the curl endpoint, allowing attackers to inject commands and possibly achieving Remote Code Execution on the system. Recommendation Upgrade to version 0.1.6 or later...

7.7AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/06/04 10:49 p.m.15 views

Malicious Package

Overview All versions of commmander contain malicious code . The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Recommendation Remove the packag...

7AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/06/03 9:34 p.m.15 views

Sensitive Data Exposure

Overview Versions of loopback prior to 3.26.0 3.x and 2.42.0 2.x are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft. Recommendation If you'...

6.6AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/06/03 6:9 p.m.15 views

Malicious Package

Overview Version 1.0.0 of rimrafall contains malicious code as a preinstall script. The package attempts to remove all files in the system's root folder. Recommendation If you installed this package it is likely your machine was erased. If not, remove the package from your system and verify if an...

7AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/06/03 3:27 p.m.15 views

Malicious Package

Overview All versions of tensorplow contain malicious code as a preinstall script. When installed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation Any computer that has this package installed or running should be considered fully compromised. A...

7.6AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/05/31 8:56 p.m.15 views

Malicious Package

Overview Version 1.5.3 of colour-string contained malicious code as a preinstall script. The package downloaded a file from a remote server, executed it and opened a backdoor. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secret...

7.1AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/05/31 8:56 p.m.15 views

Malicious Package

Overview Version 9.0.0 of colro-name contained malicious code as a preinstall script. The package downloaded a file from a remote server, executed it and opened a backdoor. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets a...

7.1AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/05/16 11:59 p.m.15 views

Malicious Package

Overview The package donotinstallthis contained malicious code. The package contained a script that was run as part of the install script. The script contacted a remote service tracking how many installations were done. There is no further compromise. Recommendation Remove the package from your...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/05/06 5:53 p.m.15 views

Cross-Site Scripting

Overview All versions of wangeditor are vulnerable to Cross-Site Scripting. The package fails to properly encode output, allowing arbitrary JavaScript to be inserted in links and executed by browsers. Recommendation No fix is currently available. Consider using an alternative module until a fix i...

6.7AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/05/06 2:43 p.m.15 views

Malicious Package

Overview All versions of discorddebuglog contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environment...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/05/06 2:19 p.m.15 views

Malicious Package

Overview All versions of equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

6.6AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/05/06 2:12 p.m.15 views

Malicious Package

Overview All versions of requeest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

6.6AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/05/06 2:10 p.m.15 views

Malicious Package

Overview All versions of eact typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

6.6AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/05/06 2:8 p.m.15 views

Malicious Package

Overview All versions of commnader typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether th...

6.6AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/05/06 2:3 p.m.15 views

Malicious Package

Overview All versions of asymc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

6.6AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/04/10 7:2 p.m.15 views

Code Injection

Overview Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the...

7.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/04/04 3:20 a.m.15 views

Path Traversal

Overview Versions of servey prior to 3.x are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation Upgrade to the latest version References - HackerOne Report - GitHub Advisory...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/03/28 9:15 p.m.15 views

Denial of Service

Overview Versions of serialize-to-js prior to 2.0.0 are vulnerable to Denial of Service. User input is not properly validated, allowing attackers to provide inputs that lead the execution to loop indefinitely. Recommendation Upgrade to version 2.0.0 or later. References GitHub Advisory...

7AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/03/18 9:29 p.m.15 views

Denial of Service

Overview Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service. Recommendation Upgrade to version 3.13.0. References GitHub Advisory...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/02/15 9:44 p.m.15 views

Regular Expression Denial of Service

Overview Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service ReDoS. Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade t...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/01/11 9:6 p.m.15 views

Malicious Package

Overview All versions of portionfatty12 are considered malicious. The package is malware designed to steal user's data. When installed it uploads the user's public SSH keys to a remote server. Recommendation This package is not available on the npm Registry anymore. If you happen to find this...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/01/09 1:34 p.m.15 views

Cryptographically Weak PRNG

Overview Affected versions of generate-password generate random values that are biased towards certain characters depending on the chosen character sets. This may result in guessable passwords. Recommendation Update to version 1.4.1 or later. References - GitHub Pull - GitHub Advisory...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/01/04 9:21 p.m.15 views

Remote Code Execution

Overview All versions of office-converter are vulnerable to Remote Code Execution. Due to insufficient input validation an attacker could run arbitrary commands on the server thus rendering the package vulnerable to Remote Code Execution. Recommendation No fix is currently available. Consider usi...

7.4AI score
Exploits0Affected Software1
Node.js
Node.js
added 2018/11/08 8:48 p.m.15 views

Denial of Service

Overview All versions of ircdkit are vulnerable to remote denial of service. Recommendation As no current fix is available if you rely on ircdkit in production it might be best to consider another module. References - GitHub Issue - GitHub Advisory...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2018/08/24 1:33 a.m.15 views

Improper Key Verification

Overview Versions 0.1.1 or 0.1.2 of ipns are vulnerable to improper key validation. This is due to the public key verification was not being performed properly, resulting in any key being valid. Recommendation Update to version 0.1.3 or later. References -...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2018/08/09 6:54 p.m.15 views

Malicious Package

Overview All versions of soket.js are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation...

7.5AI score
Exploits0Affected Software1
Node.js
Node.js
added 2018/05/15 11:51 p.m.15 views

Malicious Package

Overview Version 1.0.7 of xoc contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.7 of this module is found installed you wil...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2018/05/15 11:48 p.m.15 views

Malicious Package

Overview Version 0.4.8 of s3asy contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.4.8 of this module is found installed you...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2018/05/15 11:46 p.m.15 views

Malicious Package

Overview Version 0.0.7 of react-server-native contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.7 of this module is found...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2018/05/15 11:40 p.m.15 views

Malicious Package

Overview Version 0.1.1 of modlibrary contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.1.1 of this module is found installed...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2020/02/17 2:33 p.m.14 views

Prototype Pollution

Overview Versions of @commercial/subtext prior to 5.1.2 are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2020/02/14 10:15 p.m.14 views

HTML Injection

Overview All versions of marky-markdown are vulnerable to HTML Injection due to a validation bypass. The package only allows iframes where the source is youtube.com but it is possible to bypass the validation with sources where youtube.com is the sub-domain, such as youtube.com.evil.co. This...

7.2AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/12/11 5:25 p.m.14 views

Command Injection

Overview All versions of treekill are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems. Recommendation No fix i...

7.1AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/12/03 6:26 p.m.14 views

Command Injection

Overview Versions of strapi before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the /admin/plugins/install/ route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server. Recommendation Upgrade t...

7.1AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/11/27 10:14 p.m.14 views

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/11/27 10:14 p.m.14 views

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.5AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/11/27 10:14 p.m.14 views

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/11/27 10:14 p.m.14 views

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/11/27 10:14 p.m.14 views

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/11/27 10:14 p.m.14 views

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/11/13 3:28 p.m.14 views

Malicious Package

Overview All versions of sj-labc contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/11/06 6:54 p.m.14 views

Malicious Package

Overview All versions of owl-orchard-apple-sunshine contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored ...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/10/25 6:7 p.m.14 views

Malicious Package

Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/10/25 6:7 p.m.14 views

Malicious Package

Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/10/25 6:6 p.m.14 views

Malicious Package

Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/10/25 6:6 p.m.14 views

Malicious Package

Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/10/25 5:54 p.m.14 views

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/10/25 5:54 p.m.14 views

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

6.9AI score
Exploits0Affected Software1
Total number of security vulnerabilities1635