Lucene search
+L
NodejsMost viewed

1635 matches found

Node.js
Node.js
•added 2015/10/17 7:41 p.m.•68 views

Rosetta-Flash JSONP Vulnerability

Overview This description taken from the pull request provided by Patrick Kettner. Versions 6.1.0 and earlier of hapi are vulnerable to a rosetta-flash attack, which can be used by attackers to send data across domains and break the browser same-origin-policy. Recommendation - Update hapi to...

4.3CVSS1.3AI score0.23024EPSS
Exploits4Affected Software1
Node.js
Node.js
•added 2021/06/10 5:26 p.m.•67 views

Uncontrolled Resource Consumption in locutus

Overview locutus before 2.0.15 are vulnerable to Regular Expression Denial of Service ReDoS via the gopherparsedir function. Recommendation Upgrade to version 2.0.15 or later References - CVE - GitHub Advisory...

5CVSS5.3AI score0.01936EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/05/24 7:56 p.m.•67 views

Improper Verification of Cryptographic Signature

Overview The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever...

7.5CVSS4.5AI score0.02056EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/04/12 6:50 p.m.•67 views

Improper Certificate Validation

Overview Version 1.2.0 of mongodb-client-encryption does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and the KMS service...

4.3CVSS3.8AI score0.00204EPSS
Exploits0
Node.js
Node.js
•added 2021/03/12 11:3 p.m.•67 views

Improper Neutralization of Special Elements used in a Command

Overview In madge before version 4.0.1 it is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image, .svg or .dot functions are called, is executed by the childprocess.exec function. Recommendation Upgrade to version 4.0.1 or later References - GitH...

7.5CVSS9.4AI score0.02057EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/10/24 9:37 p.m.•67 views

Silently Runs Cryptocoin Miner

Overview Affected versions of hooka-tools were compromised and modified to silently run a cryptocoin miner in the background. All affected versions have been unpublished from the npm registry. Recommendation While this module has been unpublished, some versions may exist in mirrors or caches. Do...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2017/03/09 11:1 p.m.•67 views

HTML Injection

Overview Affected versions of shout do not escape the /topic command in messages, and are therefore vulnerable to cross-site scripting. Recommendation Update to version 0.50.0 or later. References - PR 344 - GitHub Advisory...

4.3CVSS3.9AI score0.01015EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/01 7:18 p.m.•67 views

Downloads Resources over HTTP

Overview Affected versions of ikst insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the...

4.3CVSS4.7AI score0.00655EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/01 12:16 a.m.•67 views

Downloads Resources over HTTP

Overview Affected versions of jser-stat insecurely downloads resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on th...

6.8CVSS2.6AI score0.00644EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/11/09 8:3 p.m.•67 views

Cryptographically Weak PRNG

Overview Affected versions of randomatic generate random values using a cryptographically weak psuedo-random number generator. This may result in predictable values instead of random values as intended. Recommendation Update to version 3.0.0 or later. References - Commit 4a52695 - GitHub Advisory...

5CVSS3.7AI score0.0135EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•67 views

methodOverride Middleware Reflected Cross-Site Scripting

Overview Connect is a stack of middleware that is executed in order in each request. The "methodOverride" middleware allows the http post to override the method of the request with the value of the "method" post key or with the header "x-http-method-override". Because the user post input was not...

4.3CVSS0.9AI score0.01435EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/04/19 3:8 p.m.•66 views

Observable timing discrepancy

Overview Overview Affected versions of jose are vulnerable to a Padding Oracle Attack due to Observable Timing Discrepancy. Impact AESCBCHMACSHA2 Algorithm A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 decryption would always execute both HMAC tag verification and CBC decryption, if either failed...

4.3CVSS5.6AI score0.01167EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/02/24 3:3 a.m.•66 views

Cross-Site Scripting (XSS)

Overview apexcharts is a modern JavaScript charting library to build interactive charts and visualizations with simple API. Affected versions of this package are vulnerable to Cross-site Scripting XSS via lack of sanitization of graph legend fields. Recommendation Upgrade to version 3.24.0 or...

4.3CVSS6.2AI score0.0137EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/14 6:28 p.m.•66 views

Directory Traversal

Overview Affected versions of open-device resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/05/07 4:48 p.m.•65 views

SQL Injection

Overview Prototype pollution vulnerability in the typeorm package 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks. Recommendation Upgrade to version 0.2.25 or later References - CVE - GitHub Advisory...

7.5CVSS6.3AI score0.0212EPSS
Exploits2Affected Software1
Node.js
Node.js
•added 2021/02/24 3:18 a.m.•65 views

Token Verification Bug

Overview Impact next-auth implementations using the Prisma database adapter with the Email provider are impacted. Implementations using the Prisma database adapter that are not using the Email provider are not impacted. Implementations using the default database adapter TypeORM with the Email...

4.3CVSS5.7AI score0.01667EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/02/23 2:17 a.m.•65 views

Prototype Pollution

Overview A prototype pollution vulnerability in affected versions of 'dotty' allows attackers to cause a denial of service and may lead to remote code execution. Recommendation Update to version 0.1.1 or later References - GitHub Advisory - CVE...

7.5CVSS9.4AI score0.03337EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2020/10/08 10:14 p.m.•65 views

Sensitive data exposure in NATS

Overview Preview versions of two NPM packages and one Deno package from the NATS project contain an information disclosure flaw, leaking options to the NATS server; for one package, this includes TLS private credentials. The connection configuration options in these JavaScript-based implementatio...

5CVSS1.4AI score0.01476EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/06/28 6:33 p.m.•64 views

Regular Expression Denial of Service

Overview In prismjs before 1.24.0 some languages are vulnerable to Regular Expression Denial of Service ReDoS. Impact When Prism is used to highlight untrusted user-given text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to...

4.3CVSS1.9AI score0.01433EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/05/07 4:50 p.m.•64 views

OS Command Injection in ng-packagr

Overview ng-packagr before 10.1.1 are vulnerable to Command Injection via the styleIncludePaths option. Recommendation Upgrade to version 10.1.1 or later References - CVE - GitHub Advisory...

6.5CVSS4.7AI score0.0239EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/05/06 5:30 p.m.•64 views

Prototype Pollution in property-expr

Overview property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function. Recommendation Upgrade to version 2.0.3 or later References - CVE - GitHub Advisory...

7.5CVSS5.1AI score0.03376EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/04/12 6:41 p.m.•64 views

Prototype Pollution

Overview Prototype pollution vulnerability in set-or-get version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution. Recommendation Upgrade to version 1.2.11 or later References - CVE - WhiteSource Advisory...

7.5CVSS7.2AI score0.04197EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/02/23 2:11 a.m.•64 views

Denial of Service

Overview Impact Some regexes are vulnerable to regular expression denial of service REDoS due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTPS request to maliciously crafted long strings. Patches Please update uap-core t...

5CVSS3.1AI score0.02517EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/02/19 5:33 p.m.•64 views

Command Injection in buns

Overview There is a command injection vulnerability in all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function installrequestedModule. Recommendation As there is no fixed version for buns and the package is marked deprecated, th...

7.5CVSS5.1AI score0.01583EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2020/02/10 7:9 p.m.•64 views

Prototype Pollution Protection Bypass

Overview Affected version of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing or may bypass the prototype pollution protectio...

5CVSS3.8AI score0.02395EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2018/04/20 9:52 p.m.•64 views

Failure to sanitize quotes which can lead to sql injection

Overview All versions of squel are vulnerable to sql injection. The squel package does not properly escape user provided input when provided using the setFields method. This could lead to sql injection if the query was then executed. Proof of concept demonstrating the injection of a single quote...

7.1AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2017/09/21 8:40 p.m.•64 views

Regular Expression Denial of Service

Overview Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings. Recommendation Update to version 2.19.3 or later. References - Issue 4163 - PR 4326 - GitHub Advisory...

6.7AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2017/08/08 10:52 p.m.•64 views

Hijacked Environment Variables

Overview The opencv.js package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

6.3CVSS6.7AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2017/06/26 5:35 p.m.•64 views

Directory Traversal

Overview Affected versions of tinyserver2 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...

5CVSS3.4AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/06/21 5:16 p.m.•63 views

Prototype Pollution

Overview Prototype pollution vulnerability in ‘set-getter’ version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. Recommendation Upgrade to version 0.1.1 or later References - CVE - GitHub Advisory...

7.5CVSS7.2AI score0.03299EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/05/07 4:7 p.m.•63 views

Buffer overflow in canvas

Overview A buffer overflow is present in canvas versions before 1.6.11, which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image. Recommendation Upgrade to version 1.6.11 or later References - CVE - GitHub Advisory...

6.8CVSS6.4AI score0.02323EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/02/24 3:9 a.m.•63 views

Command Injection

Overview Affected versions of the samba-client package allow command injection because of the use of process.exec. Recommendation Upgrade to version 4.0.0 or later References - CVE - GitHub Advisory...

7.5CVSS5.6AI score0.04831EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2020/04/14 9:44 p.m.•63 views

DLL Injection

Overview Version of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to create a file with the same name in a folder that precedes the intended file in the DLL path search. Doing so would allow attackers to...

7.7AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2018/04/20 9:28 p.m.•63 views

Authentication bypass via incorrect XML canonicalization and DOM traversal

Overview Versions of saml2-js prior to 1.12.4 or 2.0.2 are vulnerable to authentication bypass. The saml2-js library may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the...

7.2AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2018/01/15 4:50 a.m.•63 views

Directory Traversal

Overview The @vivaxy/here module is a small web server that serves files with the process' working directory acting as the web root. It is vulnerable to a directory traversal attack. This means that files on the local file system which exist outside of the web root may be disclosed to an attacker...

6.6AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2017/07/07 10:12 p.m.•63 views

Directory Traversal

Overview Affected versions of sly07 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/05/26 9:45 p.m.•63 views

Directory Traversal

Overview Affected versions of serveryaozeyan resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

5CVSS4.3AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/05/16 11:0 p.m.•63 views

Directory Traversal

Overview Affected versions of list-n-stream resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

5CVSS3.2AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/05/06 4:15 p.m.•62 views

Regular Expression Denial of Service

Overview hosted-git-info before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service ReDoS via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity Recommendation Upgrade to...

5CVSS4.7AI score0.03612EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/03/03 2:16 a.m.•62 views

Remote Code Execution

Overview Impact In affected versions of pug and pug-code-gen, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remot...

6.8CVSS9.2AI score0.04269EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/02/22 5:42 p.m.•62 views

Command Injection

Overview Affected versions of @graphql-tools/git-loader package are vulnerable to Command Injection. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection. Recommendation Upgrade to fix version 6.2.6 or later References - Snyk Advisory - CVE -...

7.5CVSS6.3AI score0.02814EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/02/19 6:37 p.m.•62 views

Command Injection

Overview All versions of package ts-process-promises are affected by a command injection vulnerability. The injection point is located in line 45 in main entry of package in lib/process-promises.js. Recommendation Since there is currently no fix version, discontinue use of the ts-process-promises...

7.5CVSS4AI score0.01355EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2020/12/30 7:29 p.m.•62 views

Password stored in plain text

Overview parse-server is an open source backend that can be deployed to any infrastructure that can run Node.js. In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication ...

4CVSS3.6AI score0.00796EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/12/13 9:56 p.m.•62 views

Denial of Service

Overview ecstatic, a simple static file server middleware, is vulnerable to denial of service. If a payload with a large number of null bytes %00 is provided by an attacker it can crash ecstatic by running it out of memory. Results from the original advisory A payload of 22kB caused a lag of 1...

7.8CVSS1.1AI score0.02557EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/09/25 7:16 p.m.•62 views

Regular Expression Denial of Service

Overview Affected versions of string are vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods. Recommendation There is currently no direct patch for this vulnerability. Currently, the best solution ...

5CVSS2.7AI score0.01659EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/09/08 6:7 p.m.•62 views

Regular Expression Denial of Service

Overview Affected versions of tough-cookie are susceptible to a regular expression denial of service. The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length. If node was compiled usi...

5CVSS3.7AI score0.03283EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/03/15 6:46 p.m.•62 views

XSS via Angular Expression

Overview Affected versions of ag-grid are vulnerable to Cross-site Scripting XSS via Angular Expressions, if used in combination with AngularJS. Recommendation Avoid using ag-grid in combination with AngularJS until a fix is available. References - Issue 1287 -...

4.3CVSS2.8AI score0.01185EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/03/13 7:16 p.m.•62 views

Invalid Curve Attack

Overview Affected versions of node-jose are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static ECDH-ES is used. Proof of Concept Recommendation Update to version 0.9.3 or...

4.3CVSS4.4AI score0.00928EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2016/01/25 5:56 p.m.•62 views

Denial of Service and Content Injection

Overview Versions of i18n-node-angular prior to 1.4.0 are affected by denial of service and cross-site scripting vulnerabilities. The vulnerabilities exist in a REST endpoint that was created for development purposes, but was not disabled in production in affected versions. Recommendation Update ...

4.9CVSS3.9AI score0.00801EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/05/10 6:48 p.m.•61 views

Regular expression denial of Service

Overview codemirror before 5.58.2 is vulnerable to a regular expression denial of service. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex...

5CVSS3.1AI score0.05197EPSS
Exploits1Affected Software1
Total number of security vulnerabilities1635