Lucene search
+L
NodejsMost viewed

1635 matches found

Node.js
Node.js
•added 2020/11/30 6:22 p.m.•47 views

Malicious Package

Overview The package db-json.js contained malicious code. The package had jdb.js as a dependency and would execute the same malware as described in https://www.npmjs.com/advisories/1584. Recommendation Any computer that has this package installed or running should be considered fully compromised...

7AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2020/10/15 6:36 p.m.•47 views

Malicious Package

Overview All versions of npmpubman contain malicious code. The index.js file sends local environment variables to a remote server. The file is not run upon installation - the package needs to be required or the index.js run manually. Recommendation Remove the package from your environment and...

6.6AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2019/09/16 3:14 p.m.•47 views

Prototype Pollution

Overview Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads. Recommendation Upgrade...

7.5CVSS9.8AI score0.07066EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2019/06/17 2:14 p.m.•47 views

Cross-Site Scripting

Overview Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.2.0 or later. References - CVE -...

4.3CVSS6AI score0.02224EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/08/08 11:34 p.m.•47 views

Hijacked Environment Variables

Overview The nodecaffe package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

5CVSS4.6AI score0.01177EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/03/31 8:53 p.m.•47 views

Denial of Service via malformed accept-encoding header

Overview Affected versions of hapi will crash or lock the event loop when a malformed accept-encoding header is recieved. Recommendation Update to version 16.1.1 or later. References - Issue 3466 - GitHub Advisory...

5CVSS4.2AI score0.01584EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/02 1:27 a.m.•47 views

Downloads Resources over HTTP

Overview Affected versions of soci insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

9.3CVSS5.4AI score0.01682EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/01 12:23 a.m.•47 views

Downloads Resources over HTTP

Overview Affected versions of cue-sdk-node insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution...

9.3CVSS6.2AI score0.01752EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/11/30 9:25 p.m.•47 views

Downloads Resources over HTTP

Overview Affected versions of aerospike insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

9.3CVSS5.2AI score0.01752EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/05/05 8:30 p.m.•47 views

Cross-Site Scripting

Overview Affected versions of dojo are susceptible to a cross-site scripting vulnerability in the dijit.Editor and textarea components, which execute their contents as Javascript, even when sanitized. Recommendation Update to version 1.1 or later. References - Dojo Toolkit Bug Tracker - Bug 2140 ...

4.3CVSS3.6AI score0.01082EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•47 views

Potential Command Injection

Overview Versions 1.0.3 and earlier of libnotify are affected by a shell command injection vulnerability. This may result in execution of arbitrary shell commands, if user input is passed into libnotify.notify. Untrusted input passed in the call to libnotify.notify could result in execution of...

7.5CVSS5.5AI score0.02685EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•47 views

Unauthenticated Remote Command Injection

Overview epimageconvert is a plugin for Etherpad Lite. epimageconvert = 0.0.2 is vulnerable to remote command injection. Authentication is not required for remote exploitation. Recommendation Update to version 0.0.3 or greater. References - PR 5 - GitHub Advisory...

7.5CVSS4.9AI score0.04627EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2021/02/26 4:26 p.m.•46 views

Prototype Pollution

Overview Impact Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. Workarounds A workaround is to...

4CVSS3.3AI score0.01397EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2020/12/08 9:50 p.m.•46 views

Regular Expression Denial of Service

Overview fast-csv and @fast-csv/parse before version 4.3.6 has a possible ReDoS vulnerability Regular Expression Denial of Service when using ignoreEmpty option when parsing. Impact You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is...

3.5CVSS3.1AI score0.01518EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2019/10/30 3:57 p.m.•46 views

Denial of Service

Overview Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service. Recommendation Upgrade to version...

6.9AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2017/09/21 8:44 p.m.•46 views

Regular Expression Denial of Service

Overview Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates. The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds. Recommendation No direct patch is...

5CVSS4.5AI score0.01503EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/08/09 12:0 a.m.•46 views

Hijacked Environment Variables

Overview The cross-env.js package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

5CVSS4.7AI score0.01286EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/07/18 8:8 p.m.•46 views

Directory Traversal

Overview intsol-package is a file server. intsol-package is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Example Request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:localhost and the server's Response HTTP/1.1...

5CVSS5AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/07 4:49 p.m.•46 views

Directory Traversal

Overview Affected versions of qinserve resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.5AI score0.03191EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/07 1:2 a.m.•46 views

Directory Traversal

Overview Affected versions of ritp resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS3.9AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/06 6:27 p.m.•46 views

Directory Traversal

Overview Affected versions of zjjserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.4AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/05 9:29 p.m.•46 views

Directory Traversal

Overview Affected versions of peiserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.4AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2016/12/12 4:24 p.m.•46 views

Directory Traversal

Overview Affected versions of hostr are vulnerable to directory traversal which allows attackers to read files outside the current directory by sending ../ in the url path for GET requests. Recommendation Upgrade to version 2.3.6 or later. References - Issue 8 - GitHub Advisory...

5CVSS4.8AI score0.01825EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/02 5:4 a.m.•46 views

Downloads Resources over HTTP

Overview Affected versions of mystem-fix insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...

9.3CVSS6.2AI score0.01752EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/01 4:2 p.m.•46 views

Downloads Resources over HTTP

Overview Affected versions of bkjs-wand insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

9.3CVSS5.6AI score0.01682EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/01 12:9 a.m.•46 views

Downloads Resources over HTTP

Overview Affected versions of sauce-connect insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code executio...

9.3CVSS5.7AI score0.01682EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/11/30 11:56 p.m.•46 views

Downloads Resources over HTTP

Overview Affected versions of ipip insecurely downloads resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the...

6.8CVSS2.4AI score0.00578EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/11/30 10:29 p.m.•46 views

Downloads Resources over HTTP

Overview Affected versions of haxe insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

9.3CVSS5.1AI score0.01682EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/11/30 8:58 p.m.•46 views

Downloads Resources over HTTP

Overview Affected versions of ibmdb insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the...

6.8CVSS5.1AI score0.01546EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/11/30 8:53 p.m.•46 views

Downloads Resources over HTTP

Overview Affected versions of appium-chromedriver insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read items send over HTTP at will. In this case, that includes the chromedriver binary, which may result in remote code...

6.8CVSS4.8AI score0.01114EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/10/05 8:26 p.m.•46 views

Broken CORS

Overview Affected versions of sails have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This may allow an attacker to make AJAX requests to vulnerable hosts through cross-site scripting or a malicious...

2.1CVSS3.9AI score0.00646EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/11/03 7:12 a.m.•46 views

Root Path Disclosure

Overview Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem. Recommendation Update to version 0.11.1 or later. References - PR 70 - Express Changelog - 2015/01/20 - GitHub Advisory...

5CVSS5.1AI score0.04697EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•46 views

CSRF Vulnerability

Overview Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribut...

5CVSS1.7AI score0.04397EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2021/03/03 2:9 a.m.•45 views

Remote Code Execution

Overview Impact In affected versions of pug and pug-code-gen, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remot...

6.8CVSS9.2AI score0.04269EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2020/12/16 7:42 p.m.•45 views

Command Injection

Overview There is a command injection vulnerability in systeminformation which allows for injection of commands to the command line of your machine. Affected commands: inetLatency. The problem was fixed by sanitizing the shell string. Recommendation Upgrade to version 4.31.1 or later. References ...

7.5CVSS4.5AI score0.02712EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2020/01/23 6:13 p.m.•45 views

Insufficient Entropy

Overview Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits method does not provide sufficient entropy and its generates digits that are not evenly distributed. Recommendation Upgrade to version 4.1.2. The package is deprecated and has been moved to...

5CVSS4.8AI score0.01681EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2019/05/06 6:10 p.m.•45 views

Insecure Credential Storage

Overview All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a...

6.2AI score
Exploits0Affected Software1
Node.js
Node.js
•added 2017/08/08 11:35 p.m.•45 views

Hijacked Environment Variables

Overview The nodemailer-js package is a piece of malware that steals environment variables and sends them to attacker controlled locations. All versions have been unpublished from the npm registry. Recommendation As this package is malware, if you find it installed in your environment, the real...

5CVSS4.7AI score0.01123EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2017/07/07 8:38 p.m.•45 views

Directory Traversal

Overview Affected versions of picard resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.3AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/07 12:0 a.m.•45 views

Directory Traversal

Overview Affected versions of uv-tj-demo resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/05 9:45 p.m.•45 views

Directory Traversal

Overview Affected versions of lessindex resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.2AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/05 9:37 p.m.•45 views

Directory Traversal

Overview Affected versions of mfrserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.4AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2017/07/05 8:4 p.m.•45 views

Directory Traversal

Overview Affected versions of wind-mvc resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

5CVSS4.6AI score0.02005EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2016/12/02 4:51 a.m.•45 views

Downloads Resources over HTTP

Overview Affected versions of roslib-socketio insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

9.3CVSS6.2AI score0.01752EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/02 4:45 a.m.•45 views

Downloads Resources over HTTP

Overview Affected versions of healthcenter insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution...

9.3CVSS3.6AI score0.01752EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/02 4:42 a.m.•45 views

Downloads Resources over HTTP

Overview Affected versions of arcanist insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

9.3CVSS5.5AI score0.01682EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/02 4:40 a.m.•45 views

Downloads Resources over HTTP

Overview Affected versions of windows-selenium-chromedriver insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting ...

9.3CVSS6.2AI score0.01752EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/01 7:33 p.m.•45 views

Downloads Resources over HTTP

Overview Affected versions of xd-testing insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...

9.3CVSS6.2AI score0.01752EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2016/12/01 7:7 p.m.•45 views

Downloads Resources over HTTP

Overview Affected versions of jstestdriver insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution...

9.3CVSS4.7AI score0.01682EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•45 views

Denial-of-Service Memory Exhaustion

Overview Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing. Recommendation Update to version 1.0...

5CVSS3.1AI score0.08309EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1635