Directory Traversal

Overview Affected versions of easyquick resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

XSS in Data URI

Overview Affected versions of remarkable are vulnerable to cross-site scripting. Vulnerable versions of the package allow the use of data: URIs in links, and can therefore execute javascript. Proof of Concept link Recommendation Update to v1.7.0 or later References - Issue 227 - GitHub Advisory...

Regular Expression Denial of Service

Overview Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration. Proof of concept var moment = require'moment'; var genstr = function len, chr var result = "";...

Prototype Pollution

Overview mathjs before version 7.5.1 is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates. Recommendation Upgrade to version 7.5.1 or later References - CVE - GitHub Advisory...

Arbitrary Code Execution

Overview Impact Arbitrary code execution can occur when running exiftool against files with hostile metadata payloads. Patches ExifTool has already been patched in version 12.24. exiftool-vendored, which vendors ExifTool, includes this patch in v14.3.0. Workarounds No. Recommendation Upgrade to...

Regular Expression Denial of Service

Overview In redis before version 3.1.1, when a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. Patches The problem was fixed in commit 2d11b6d and was released in...

Prototype Pollution

Overview Prototype pollution vulnerability in set-in versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution. Recommendation Upgrade to version 2.0.1 or later. References - GitHub Advisory - CVE...

Path Traversal

Overview In Node-RED-Dashboard before 2.26.2 there is a path traversal vulnerability. In /nodes/uibase.js, the URL is matched with '/uibase/js/' and then passed to path.join. The lack of verification of the final path leads to a path traversal vulnerability. Recommendation Upgrade to fix version...

Malicious Package

Overview The package ac-addon contained malicious code. The package ran a postinstall script that executed two .exe files. Both files were identified to contain Trojan malware. Recommendation Remove the package from your system and rotate any credentials that may have been compromised. References...

Downloads Resources over HTTP

Overview Affected versions of npm-test-sqlite3-trunk insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Downloads Resources over HTTP

Overview Affected versions of adamvr-geoip-lite insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. This could impact the integrity and availability of the data being used to make geolocation...

Downloads Resources over HTTP

Overview Affected versions of kindlegen insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

Regular Expression Denial of Service

Overview Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value. Recommendation Update to version 0.6.1 or later. References GitHub Advisory...

SQL Injection

Overview Versions of mysql prior to 2.0.0-alpha8 are affected by a SQL Injection vulnerability in the mysql.escape function, which does not properly escape object keys. Recommendation Update to version 2.0.0-alpha8 or later. References - Issue 324 - GitHub Advisory...

Hostname spoofing via backslashes in URL

Overview URI.js is a javascript URL mutation library npm package urijs. In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash \ character followed by an at @ character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library...

Cross-Site Scripting

Overview Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.2.0 or later. References - CVE -...

Directory Traversal

Overview Affected versions of serve do not properly handle %2e . and %2f / characters, and allow the, characters to be used in paths. This can be used to traverse the directory tree and list content of any directory the user running the process has access to. Mitigating factors: This vulnerabilit...

Hijacked Environment Variables

Overview The nodecaffe package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

Unsafe eval()

Overview Affected versions of summit allow attackers to execute arbitrary commands via collection names when using the PouchDB driver. Recommendation No direct patch is available at this time. Currently, the best option to mitigate the issue is to avoid using the PouchDB driver, as the package...

Downloads Resources over HTTP

Overview Affected versions of windows-seleniumjar insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Regular Expression Denial of Service

Overview Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. Recommendation Update to version 4.3.2 or later References - Regular Expression Denial of Service - OWASP - GitHub Advisory...

Arbitrary Command Injection due to Improper Command Sanitization

Overview Summary There exists a command injection vulnerability in @npmcli/git versions 2.0.8 which may result in arbitrary shell command execution due to improper argument sanitization when npmcli/git is used to execute Git commands based on user controlled input. The impact of this issue is...

Arbitrary JavaScript Execution

Overview There is a security vulnerability in json-ptr versions prior to v2.1.0 in which an unscrupulous actor may execute arbitrary code. If your code sends un-sanitized user input to json-ptr's .get method, your project is vulnerable to this injection-style vulnerability. Recommendation Upgrade...

Regular Expression Denial of Service

Overview ua-parser-js = 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time. Recommendation Upgrade to version 0.7.24 or later...

Malicious Package

Overview From https://blog.sonatype.com/sonatype-spots-more-discord-malware-in-npm?hspreview=BbDPGbfh-40737456755: The malicious packages were detected by Sonatype’s Security Research Team leveraging Sonatype’s Nexus Intelligence research service. On analyzing these packages closely, our Security...

Malicious Package

Overview The package db-json.js contained malicious code. The package had jdb.js as a dependency and would execute the same malware as described in https://www.npmjs.com/advisories/1584. Recommendation Any computer that has this package installed or running should be considered fully compromised...

Denial of Service

Overview Affected versions of nes are vulnerable to denial of service when given an invalid cookie header, and websocket authentication is set to cookie. Submitting an invalid cookie on the websocket upgrade request will cause the node process to throw and exit. Recommendation Update to version...

Insufficient Error Handling

Overview Affected versions of http-proxy are vulnerable to a denial of service attack, wherein an attacker can force an error which will cause the server to crash. Recommendation Update to version 0.7.0 or later. References - PR 101 - GitHub Advisory...

Downloads Resources over HTTP

Overview Affected versions of mongodb-instance insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Downloads Resources over HTTP

Overview Affected versions of air-sdk insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on t...

Downloads Resources over HTTP

Overview Affected versions of dalek-browser-chrome insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Downloads Resources over HTTP

Overview Affected versions of product-monitor insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Command Injection

Overview Affected versions of dns-sync are vulnerable to arbitrary command execution via maliciously formed hostnames. Proof of Concept var dnsSync = require'dns-sync'; console.logdnsSync.resolve'$id /tmp/foo'; Recommendation Update to version 0.1.1 or later. References - Issue 1 - Commit d9abaae...

LDAP Injection

Overview Versions 2.2.4 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter. Recommendation ldapauth is not actively maintained, having not seen a publish since 2014. As a result...

Prototype Pollution

Overview Versions of swiper before 6.5.1 are susceptible to prototype pollution. Recommendation Upgrade to version 6.5.1 or later References - CVE - GitHub Advisory...

Cross-Site Scripting

Overview Impact In highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the useHTML flag, HTML string options...

Server-Side Request Forgery

Overview rendertron prior to version 3.0.0 is susceptible to a Server-Side Request Forgery SSRF attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Recommendation Upgrade t...

Prototype Pollution

Overview In Dynamoose versions 2.0.0-2.6.0 there was a prototype pollution vulnerability in the internal utility method lib/utils/object/set.ts. This method is used throughout the codebase for various operations throughout Dynamoose. We have not seen any evidence of this vulnerability being...

Malicious Package

Overview All versions of npmpubman contain malicious code. The index.js file sends local environment variables to a remote server. The file is not run upon installation - the package needs to be required or the index.js run manually. Recommendation Remove the package from your environment and...

Denial of Service

Overview Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service. Recommendation Upgrade to version...

Prototype Pollution

Overview Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads. Recommendation Upgrade...

Insecure Credential Storage

Overview All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a...

Hijacked Environment Variables

Overview The nodemailer.js package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

Directory Traversal

Overview Affected versions of zjjserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Directory Traversal

Overview Affected versions of peiserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Directory Traversal

Overview Affected versions of wind-mvc resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Denial of Service via malformed accept-encoding header

Overview Affected versions of hapi will crash or lock the event loop when a malformed accept-encoding header is recieved. Recommendation Update to version 16.1.1 or later. References - Issue 3466 - GitHub Advisory...

Downloads Resources over HTTP

Overview Affected versions of haxe3 insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

Downloads Resources over HTTP

Overview Affected versions of fuseki insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on th...

Downloads Resources over HTTP

Overview Affected versions of sauce-connect insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code executio...