Lucene search
+L
NodejsMost viewed

1635 matches found

Node.js
Node.js
•added 2021/03/29 9:35 p.m.•61 views

netmask npm package vulnerable to octal input data

Overview netmask npm package is vulnerable to octal input data. This may lead to server-side request forgery, remote file inclusion, local file inclusion, and other vulnerabilities. Recommendation Upgrade to version 2.0.1 or later. References - GitHub Advisory - Researcher report...

6.4CVSS3.8AI score0.16657EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/02/25 1:37 a.m.•61 views

Regular Expression Denial of Service

Overview A Regular Expression Denial of Service vulnerability was discovered in esm. The issue is that esm's find-indexes is using the unescaped identifiers in a regex, which, in this case, causes an infinite loop. Recommendation Upgrade to version 3.1.0 or later References - WhiteSource Advisory...

6.7AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2021/01/25 1:43 p.m.•62 views

Malicious Package

Overview From https://blog.sonatype.com/sonatype-spots-more-discord-malware-in-npm?hspreview=BbDPGbfh-40737456755: The malicious packages were detected by Sonatype’s Security Research Team leveraging Sonatype’s Nexus Intelligence research service. On analyzing these packages closely, our Security...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2021/09/20 6:55 p.m.•60 views

Code Injection

Overview In pac-resolver before 5.0.0 code-injection can occur when used with untrusted input, due to unsafe PAC file handling. Recommendation Upgrade to version 5.0.0 or later References - CVE - GitHub Advisory - Article...

7.5CVSS3.3AI score0.02863EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/06/07 10:9 p.m.•60 views

Prototype Pollution

Overview merge-deep before 3.0.3 can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library. Recommendation...

7.5CVSS4.5AI score0.01901EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/05/06 4:14 p.m.•60 views

RSA signature validation vulnerability

Overview Impact Vulnerable versions of jsrsasign will accept RSA signature with improper PKCS1.5 padding. Decoded RSA signature value consists following form: 01ff...8 or more ffs...ff00ASN.1 OF DigestInfo Its byte length shall be the same as RSA key length however such checking was not sufficien...

6.4CVSS3.1AI score0.0096EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/03/03 2:27 a.m.•60 views

Sandbox Breakout

Overview In matrix-react-sdk before version 3.15.0 the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a blob origin that cannot access Matrix user data, so messages and secrets are not at risk. Recommendation Upgrade to version 3.15...

4.3CVSS4.5AI score0.00922EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/02/22 9:59 p.m.•60 views

IPC messages delivered to the wrong frame

Overview IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app does ANY of the following, then it is impacted by this issue: - Uses...

6.4CVSS2.9AI score0.01725EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2020/11/25 7:13 p.m.•60 views

Improper Key Verification

Overview An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation. Recommendation Version 2.0.0 has the fix. The recommendation is to upgrade. In case that is not possible remove the...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2017/07/17 9:31 p.m.•60 views

Directory Traversal

Overview Affected versions of serverxxx resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.4AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/17 9:20 p.m.•60 views

Directory Traversal

Overview Affected versions of scott-blanch-weather-app resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2016/12/02 1:26 a.m.•60 views

Downloads Resources over HTTP

Overview Affected versions of fis-parser-sass-bin insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

9.3CVSS6.2AI score0.01682EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/08/10 4:10 p.m.•59 views

Open Redirect

Overview Overview Affected versions of npm url-parse are vulnerable to URL Redirection to Untrusted Site. Impact Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. Recommendation Upgrade to...

5CVSS4.8AI score0.01834EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/03/01 8:54 p.m.•59 views

Regular Expression Denial of Service

Overview Impact @progfay/scrapbox-parser before 6.0.3 and 7.0.2 are vulnerable to Regular Expression Denial of Service ReDoS in DecorationNode, StrongNode and ExternalLinkNode. An attacker may be able to craft text which causes the application to consume an excessive amount of CPU. Recommendation...

5CVSS7.4AI score0.01759EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2020/10/08 9:39 p.m.•59 views

Command Injection

Overview Insufficient input validation in npm package jison = 0.4.18 may lead to OS command injection attacks. Recommendation No fix is currently available. Consider using an alternative package until a fix is made available. References - https://github.com/advisories/GHSA-vr9x-mm65-2438...

10CVSS2.3AI score0.03633EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/06/29 8:34 p.m.•59 views

Directory Traversal

Overview Affected versions of yyooopack resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.5AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/06/27 5:46 p.m.•59 views

Directory Traversal

Overview Affected versions of gaoxiaotingtingting resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerab...

5CVSS4.4AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/05/30 10:31 p.m.•59 views

Directory Traversal

Overview Affected versions of serverliujiayi1 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/05/16 10:45 p.m.•59 views

Directory Traversal

Overview Affected versions of iter-http resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/03/09 10:37 p.m.•59 views

Insecure randomness

Overview Affected versions of socket.io depend on Math.random to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization. Recommendation Update to v0.9...

5CVSS4.2AI score0.02EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/02/09 4:30 p.m.•59 views

Code Execution through IIFE

Overview Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression IIFE if untrusted user input is passed into unserialize. Recommendation There is no direct patch for this issue. The package author has reviewed this advisory, and...

7.5CVSS4.5AI score0.61025EPSS
Exploits5Affected Software1
Node.js
Node.js
•added 2021/03/08 4:8 p.m.•58 views

Use of a Broken or Risky Cryptographic Algorithm

Overview elliptic before version 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the...

4.3CVSS6.6AI score0.01245EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/02/19 5:22 p.m.•58 views

Cross-site scripting in TinyMCE

Overview A cross-site scripting XSS vulnerability was discovered in the URL sanitization logic of the core parser of tinymce. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all...

5.9AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2017/09/27 6:9 p.m.•58 views

Regular Expression Denial of Service

Overview Affected versions of method-override are vulnerable to a regular expression denial of service vulnerability when untrusted user input is passed into the X-HTTP-Method-Override header. Recommendation Update to version 2.3.10 or later References GitHub Advisory...

5CVSS4.9AI score0.01215EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/07/07 9:40 p.m.•58 views

Directory Traversal

Overview Affected versions of cypserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.4AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/06/29 8:28 p.m.•58 views

Directory Traversal

Overview Affected versions of byucslabsix resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...

5CVSS4AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/06/29 6:19 p.m.•58 views

Directory Traversal

Overview Affected versions of 22lixian resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/06/28 6:11 p.m.•58 views

Directory Traversal

Overview Affected versions of hftp resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.1AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/06/27 6:35 p.m.•58 views

Directory Traversal

Overview Affected versions of weather.swlyons resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/02/09 8:11 p.m.•58 views

ReDoS via long UserAgent header

Overview Affected versions of useragent are vulnerable to regular expression denial of service when an arbitrarily long User-Agent header is parsed. Proof of Concept var useragent = require'useragent'; var badUserAgent = 'MSIE 0.0'+Array900000.join'0'+'XBLWP'; var request = 'GET /...

5CVSS3.8AI score0.01162EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2016/11/30 8:49 p.m.•58 views

Downloads Resources over HTTP

Overview Affected versions of unicode insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the...

6.8CVSS5AI score0.00578EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/05/10 6:48 p.m.•57 views

Regular Expression Denial of Service

Overview All versions of package dat.gui are vulnerable to Regular Expression Denial of Service ReDoS via specifically crafted rgb and rgba values. Recommendation Avoid using dat.gui as there is no current safe version of this module References - CVE - GitHub Advisory...

5CVSS5.2AI score0.02073EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/02/22 6:30 p.m.•57 views

OS Command Injection

Overview Affected versions of the async-git package allow OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. Recommendation Upgrade to version 1.13.2 or later. References - CVE - GitHub Advisory...

7.5CVSS6.1AI score0.05323EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2020/07/07 7:3 p.m.•57 views

Sensitive Data Exposure

Overview Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like ://:@::/. The password value is not redacted and is printed to stdout and also to any generated log files. Recommendation Upgrade to version 6.14....

1.9CVSS1.9AI score0.00417EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/09/25 7:20 p.m.•57 views

Regular Expression Denial of Service

Overview Affected versions of slug are vulnerable to a regular expression denial of service when parsing untrusted user input. The issue is low severity, as it takes 50,000 characters to cause the event loop to block for 2 seconds, About 50k characters can block the event loop for 2 seconds...

5CVSS4.8AI score0.01584EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/05/17 11:32 p.m.•57 views

Directory Traversal

Overview Affected versions of fsk-server resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2016/11/30 10:42 p.m.•57 views

Downloads Resources over HTTP

Overview Affected versions of dalek-browser-chrome-canary insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in...

9.3CVSS6.2AI score0.02061EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/05/10 6:48 p.m.•56 views

Authorization Bypass

Overview admin/src/containers/InputModalStepperProvider/index.js in strapi before 3.2.5 has unwanted /proxy?url= functionality. Recommendation Upgrade to version 3.2.5 or later References - CVE - GitHub Advisory...

7.5CVSS4.6AI score0.02292EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/05/10 6:40 p.m.•56 views

Prototype Pollution

Overview mathjs before version 7.5.1 is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates. Recommendation Upgrade to version 7.5.1 or later References - CVE - GitHub Advisory...

7.5CVSS4.6AI score0.03924EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/05/06 3:47 p.m.•56 views

Cross-Site Scripting

Overview Impact In highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the useHTML flag, HTML string options...

3.5CVSS6.3AI score0.00867EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/02/25 4:39 p.m.•56 views

Regular Expression Denial of Service

Overview Affected versions of nwmatcher are vulnerable to Regular Expression Denial of Service ReDoS. This can cause an impact of about 10 seconds matching time for data 2k characters long. Recommendation Upgrade to version 1.4.4 or later References - WhiteSource Advisory - Snyk Advisory - GitHub...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2020/11/09 2:24 p.m.•56 views

Cross-Site Scripting in scratch-svg-renderer

Overview This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the transformMeasurements function. Recommendation Upgrade to version...

6.8CVSS3.2AI score0.06148EPSS
Exploits3Affected Software1
Node.js
Node.js
•added 2017/09/12 7:41 p.m.•56 views

Regular Expression Denial of Service

Overview Affected versions of content are vulnerable to a regular expression denial of service when parsing malicious Content-Type and Content-Disposition headers. Recommendation Update to version 3.0.6 or later. References GitHub Advisory...

5CVSS5.4AI score0.01116EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/07/13 10:3 p.m.•56 views

Directory Traversal

Overview Affected versions of nodeaaaaa resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.2AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/05 9:0 p.m.•56 views

Directory Traversal

Overview Affected versions of tencent-server resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/06/30 5:26 p.m.•56 views

Directory Traversal

Overview Affected versions of wenluhong1 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

6.5AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2017/05/08 11:47 p.m.•56 views

Directory Traversal

Overview Affected versions of tiny-http resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/02/02 11:3 p.m.•56 views

Tmp files readable by other users

Overview Affected versions of sync-exec use files located in /tmp/ to buffer command results before returning values. As /tmp/ is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via sync-exec under a higher...

4CVSS3AI score0.02557EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/01/05 4:24 p.m.•56 views

Downloads Resources over HTTP

Overview Affected versions of windows-build-tools insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

9.3CVSS6AI score0.0228EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/05/04 4:19 a.m.•55 views

Code Injection

Overview oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid...

5CVSS3AI score0.0219EPSS
Exploits2Affected Software1
Total number of security vulnerabilities1635