1635 matches found
Path Traversal
Overview All versions of @wturyn/swagger-injector are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the configured dist folder using relative paths. Recommendation No fix is currently available. Consider using an alternative...
Path Traversal
Overview All versions of swagger-injector are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the configured dist folder using relative paths. Recommendation No fix is currently available. Consider using an alternative package...
Regular Expression Denial of Service
Overview Versions of csv-parse prior to 4.4.6 are vulnerable to Regular Expression Denial of Service. The isInt function contains a malformed regular expression that processes large specially-crafted input very slowly, leading to a Denial of Service. This is triggered when using the cast option...
Cross-Site Scripting
Overview All versions of httpserver are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently available...
Cross-Site Scripting
Overview All versions of mavon-editor are vulnerable to Cross-Site Scripting. The package fails to sanitize entered input, allowing attackers to execute arbitrary JavaScript in a victim's browser. Recommendation No fix is currently available. Consider using an alternative package until a fix is...
Denial of Service
Overview All versions of subtext are vulnerable to Denial of Service DoS. The package fails to enforce the maxBytes configuration for payloads with chunked encoding that are written to the file system. This allows attackers to send requests with arbitrary payload sizes, which may exhaust system...
Cross-Site Scripting
Overview All versions of snekserve are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently available...
Denial of Service
Overview Versions of @commercial/subtext prior to 5.1.1 are vulnerable to Denial of Service DoS. The package fails to enforce the maxBytes configuration for payloads with chunked encoding that are written to the file system. This allows attackers to send requests with arbitrary payload sizes, whi...
Denial of Service
Overview Versions of @hapi/subtext prior to 6.1.2 are vulnerable to Denial of Service DoS. The package fails to enforce the maxBytes configuration for payloads with chunked encoding that are written to the file system. This allows attackers to send requests with arbitrary payload sizes, which may...
Prototype Pollution
Overview Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads. Recommendation Upgrade...
Regular Expression Denial of Service
Overview All versions of sql-injection are vulnerable to Regular Expression Denial of Service. The package processes a request's body with regular expressions that may take exponentially longer to execute for large inputs. Recommendation No fix is currently available. Consider using an alternativ...
Malicious Package
Overview All versions of evil-package contain malicious code. The package uploads the contents of process.env to example.com/log. Recommendation Remove the package from your environment. Given the host where the information was uploaded to there is no further indication of compromise. References...
Improper Key Verification
Overview Versions of openpgp prior to 4.2.0 are vulnerable to Improper Key Verification. The OpenPGP standard allows signature packets to have subpackets which may be hashed or unhashed. Unhashed subpackets are not cryptographically protected and cannot be trusted. The openpgp package does not...
Message Signature Bypass
Overview Versions of openpgp prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a message signature is of type text. This allows an attacker to to construct a message with a signature type that only verifies subpackets without additional input such as...
Invalid Curve Attack
Overview Versions of openpgp prior to 4.3.0 are vulnerable to an Invalid Curve Attack. The package's implementation of ECDH fails to verify the validity of the communication partner's public key. The package calculates the resulting key secret based on an altered curve instead of the specified...
Cross-Site Scripting
Overview Versions of webtorrent prior to 0.107.6 are vulnerable to Cross-Site Scripting. webtorrent servers started with torrent.createServer lists a torrent's title and files in the index page without sanitization. This allows attackers to execute arbitrary JavaScript in the victim's browser...
Cross-Site Scripting
Overview Versions of vant prior to 2.1.8 are vulnerable to Cross-Site Scripting. The text value of the Picker component column is not sanitized, which may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation Upgrade to version 2.1.8 or later. References - GitHub...
Unintended Require
Overview All versions of larvitbase-www are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to an require call. This allows attackers to execute any .js file in the same folder as the server is running. Recommendation No fix is...
Sensitive Data Exposure
Overview Versions of seneca prior to 3.9.0 are vulnerable to Sensitive Data Exposure. When a process using the package crashes all environment variables are printed. This may leak sensitive data such as access keys, especially given scenarios when log-monitoring systems store the error output...
Cross-Site Scripting
Overview Versions of status-board prior to 10.0.1 are vulnerable to Cross-Site Scripting. The createPreviewButton function fails to sanitize the href attribute of a created tag. This may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation Upgrade to version 10.0....
SQL Injection
Overview Versions of connect-pg-simple are vulnerable to SQL Injection. The PGStore.prototype.quotedTable function allows for the query to be manipulated if the input has double quotes through the schemaName or tableName variables. These variables are passed to the constructor and are unlikely to...
Cross-Site Scripting
Overview All versions of status-board are vulnerable to Cross-Site Scripting. The renderJsDashboard function concatenates the safeDashboard variable to the HTTP response message with insufficient sanitization. If this variable is controlled by user input it may allow attackers to execute arbitrar...
Cross-Site Scripting
Overview All versions of status-board are vulnerable to Cross-Site Scripting. The renderDashboard function concatenates the safeDashboard variable to the printed error message with insufficient sanitization. If this variable is controlled by user input it allows attackers to execute arbitrary...
Cross-Site Scripting
Overview Versions of cyberchef prior to 8.31.3 are vulnerable to Cross-Site Scripting. In Text Encoding Brute Force the table rows are created by concatenating the value variable unsanitized in the HTML code. If this variable is controlled by user input it allows attackers to execute arbitrary...
Regular Expression Denial of Service
Overview Versions of simple-markdown prior to 0.5.2 are vulnerable to Regular Expression Denial of Service ReDoS. The SimpleMarkdown.defaultInlineParse function has significantly degraded performance when parsing inline code blocks. Recommendation Upgrade to version 0.5.2 or later. References -...
SQL Injection
Overview Affected versions of sequelize are vulnerable to SQL Injection. The function sequelize.json incorrectly formatted sub paths for JSON queries, which allows attackers to inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation example: retu...
Cross-Site Scripting
Overview Versions of selectize-plugin-a11y prior to 1.1.0 are vulnerable to Cross-Site Scripting. The accessibility.liveRegion.speak function does not sanitize the msg variable before rendering it as HTML. If this variable is controlled by user input it allows attackers to execute arbitrary...
Path Traversal
Overview All versions of public are vulnerable to Path Traversal. This vulnerability allows an attacker to access files outside the webroot since it allows symlink navigation in the URL. Recommendation No fix is currently available. Do not use public in production or consider using an alternative...
Path Traversal
Overview All versions of statichttpserver are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation No fix is currently available. Consider using an alternative package until a...
Denial of Service
Overview Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service DoS. The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input tha...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Command Injection
Overview All versions of marsdb are vulnerable to Command Injection. In the DocumentMatcher class, selectors on $where clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed. Recommendation No fix is...