Prototype Pollution

Overview Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects...

Malicious Package

Overview All versions of smartsearchwp contain malicious code. The package is malware intended to steal credentials from websites it is loaded in. It traverses DOM elements looking for fields such as username and password and uploads it to a remote server. The package also port-scans the local...

Path Traversal

Overview Versions of serve prior to 7.0.1 are vulnerable to Path Traversal. Explicitly ignored folders can be accessed through if the path contains a /./, which allows attackers to access hidden folders and files. Recommendation Upgrade to version 7.0.1 or later. References - HackerOne Report -...

Cross-Site Scripting

Overview All versions of buttle are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently available. Conside...

Path Traversal

Overview All versions of file-static-server are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files by using relative paths when fetching files. Recommendation No fix is currently available. Consider using an alternative module until a f...

Sensitive Data Exposure

Overview All versions of put are vulnerable to Uninitialized Memory Exposure. The package incorrectly calculates the allocated Buffer size and does not trim the bytes written, which may allow attackers to access uninitialized memory containing sensitive data. This vulnerability only affects...

Path Traversal

Overview All versions of localhost-now are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation No fix is currently available. Consider using an alternative package until a fix...

Command Injection

Overview Versions of pullit prior to 1.4.0 are vulnerable to Command Injection. The package does not validate input on git branch names and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system. Recommendation Upgrade to version 1.4.0 or later. References -...

Path Traversal

Overview Versions of crud-file-server prior to 0.9.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation Upgrade to version 0.9.0 or later. References - HackerOne Report -...

Path Traversal

Overview Versions of ponse prior to 2.0.2 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation Upgrade to version 2.0.2 or later. References - HackerOne Report - GitHub...

Cross-Site Scripting

Overview All versions of html-pages are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize folder names, allowing attackers to execute arbitrary JavaScript in the victim's browser through folders with names containing malicious code. Recommendation No fix is currently available...

Cross-Site Scripting

Overview Versions of public prior to 0.1.4 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation Upgrade to version 0.1.4 or...

Path Traversal

Overview Versions of bruteser prior to 0.1.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation Upgrade to version 0.1.0 or later. References - HackerOne Report - GitHub...

Command Injection

Overview Versions of entitlements prior to 1.3.0 are vulnerable to Command Injection. The package does not validate input on the entitlements function and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system. Recommendation Upgrade to version 1.3.0 or later...

Prototype Pollution

Overview Versions of extend prior to 3.0.2 for 3.x and 2.0.2 for 2.x are vulnerable to Prototype Pollution. The extend function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects. Recommendation If you're...

Prototype Pollution

Overview All versions of mergify are vulnerable to Prototype Pollution. The mergify function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects. Recommendation No fix is currently available. Consider using...

Arbitrary File Write

Overview Versions of adm-zip before 0.4.9 are vulnerable to arbitrary file write when used to extract a specifically crafted archive that contains path traversal filenames ../../file.txt for example. Recommendation Update to version 0.4.9 or later. References - GitHub Pull Request - Zip Slip...

Cross-Site Scripting

Overview Versions of node-red prior to 0.18.6 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize the name field in new items, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 0.18.6 or later. References - HackerOn...

Cross-Site Scripting

Overview Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation Upgrade to version 10.0.2 o...

Remote Code Execution

Overview Versions of markdown-pdf prior to 9.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize HTML code in markdown files. If markdown files with malicious HTML are converted to PDF, the resulting PDF file will execute any JavaScript code in the original markdown file...

Path Traversal

Overview All versions of buttle are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths when fetching files. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available...

SQL Injection

Overview All versions of untitled-model re vulnerable to SQL Injection. Query parameters are not properly sanitized allowing attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation No fix is currently available. Consider using an alternative package until a fix is mad...

Cross-Site Scripting

Overview Versions of swagger-ui prior to 2.2.1 are vulnerable to Cross-Site Scripting XSS. The package allows HTML code in the swagger.apiInfo.description value without proper sanitization, which may allow attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 2.2.1 or later...

Cross-Site Scripting

Overview Versions of swagger-ui prior to 2.2.1 are vulnerable to Cross-Site Scripting XSS. The package fails to encode output in GET requests. The request is meant to respond with Content-Type application/json which does not trigger the vulnerability but if the web server changes the header to...

Cross-Site Scripting

Overview Versions of swagger-ui prior to 2.2.1 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize JSON schemas, allowing attackers to execute arbitrary JavaScript using tags in the method descriptions. Recommendation Upgrade to version 2.2.1 or later. References - GitHub...

Cross-Site Scripting

Overview Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize YAML files imported from URLs or copied-pasted. This may allow attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 3.0.13 or later. References - GitHu...

Cross-Site Scripting

Overview Versions of diagram-js-direct-editing prior to 1.4.3 are vulnerable to Cross-Site Scripting. The package fails to sanitize input from the clipboard, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.4.3 or later. References -...

Cross-Site Scripting

Overview Versions of diagram-js prior to 3.3.1 for 3.x and 2.6.2 for 2.x are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript. Recommendation If you are using diagram-js 3.x, upgrade t...

Cross-Site Scripting

Overview Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting XSS. The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having...

Cross-Site Scripting

Overview Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded leading an admin...

Cross-Site Request Forgery (CSRF)

Overview Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Request Forgery CSRF. The package fails to validate the presence of the X-CSRF-Token header, which may allow attackers to carry actions on behalf of other users on all endpoints. Recommendation Update to version 4.0.0 or...

Forced Logout

Overview Versions of keycloak-connect prior to 4.4.0 are vulnerable to Forced Logout. The package fails to validate JWT signatures on the /klogout route, allowing attackers to logout users and craft malicious JWTs with NBF values that prevent user access indefinitely. Recommendation Upgrade to...

Command Injection

Overview All versions of wizard-syncronizer are vulnerable to Command Injection. The package does not validate input on the cloneAndSync function and concatenates it to an exec call. This can be abused through a malicious widget containing the payload in the gitURL value or through a MITM attack...

Cross-Site Scripting

Overview Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 3.20.9 or later. References - GitHub PR - Snyk...

Reverse Tabnapping

Overview Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping. The package uses target='blank' in anchor tags, allowing attackers to access window.opener for the original page. This is commonly used for phishing attacks. Recommendation Upgrade to version 3.18.0 or later...

User Impersonation

Overview Versions of converse.js prior to 1.0.7 for 1.x or 2.0.5 for 2.x are vulnerable to User Impersonation. The package provides an incorrect implementation of XEP-0280: Message Carbons that allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's...

Cross-Site Scripting

Overview Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.2.0 or later. References - CVE -...

Cross-Site Scripting

Overview Versions of dojo prior to 1.4.2 are vulnerable to DOM-based Cross-Site Scripting XSS. The package does not sanitize URL parameters in the testCommon.js and runner.html test files, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to versio...

Cross-Site Scripting

Overview Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting XSS. The package does not encode output, allowing attackers to execute arbitrary JavaScript in the victim's browser if user-supplied input is rendered. Recommendation Upgrade to version 10.0.2 or later. References -...

Denial of Service

Overview Versions of memjs prior to 1.2.2 are vulnerable to Denial of Service DoS. The package fails to sanitize the value option passed to the Buffer constructor, which may allow attackers to pass large values exhausting system resources. Recommendation Upgrade to version 1.2.2 or later...

Authentication Bypass

Overview Versions of samlify prior to 2.4.0 are vulnerable to Authentication Bypass. The package fails to prevent XML Signature Wrapping, allowing tokens to be reused with different usernames. A remote attacker can modify SAML content for a SAML service provider without invalidating the...

Path Traversal

Overview Versions of simplehttpserver prior to 0.2.1 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation Upgrade to version 0.2.1 or later. References - HackerOne Report...

Path Traversal

Overview All versions of static-resource-server are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available...

Command Injection

Overview Versions of kill-port prior to 1.3.2 are vulnerable to Command Injection. The package does not validate user input on the kill function. This may allow attackers to run arbitrary commands in the system if user input such as the port number is passed directly to the function. Recommendati...

Path Traversal

Overview Versions of serve prior to 10.1.2 are vulnerable to Path Traversal. Explicitly ignored folders can be accessed through relative paths, which allows attackers to access hidden folders and files. Recommendation Upgrade to version 10.1.2 or later. References - HackerOne Report - GitHub...

Information Exposure

Overview Versions of cordova-android prior to 6.0.0 are vulnerable to Information Exposure through log files. The application calls methods of the Log class. Messages passed to these methods Log.v, Log.d, Log.i, Log.w, and Log.e are stored in a series of circular buffers on the device. By default...

SQL Injection

Overview All versions of resquel are vulnerable to SQL Injection. Query parameters are not properly sanitized, allowing attackers to inject SQL statements and execute arbitrary SQL queries Recommendation No fix is currently available. Consider using an alternative package until a fix is made...

Incorrect Calculation

Overview Versions of bigint-money prior to 0.6.2 are vulnerable to an Incorrect Calculation. The package incorrectly rounded certain numbers, which could have drastic consequences due to its usage in financial systems. Recommendation Upgrade to version 0.6.2 or later. References GitHub Advisory...

Denial of Service

Overview Affected versions of node-sass are vulnerable to Denial of Service DoS. Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::getimporterentry and CustomImporterBridge::postprocessreturnvalue that crash the Node process. This may allow...

Command Injection

Overview All versions of wxchangba are vulnerable to Command Injection. The package does not validate user input on the reqPostMaterial function, passing contents of the file parameter to an exec call. This may allow attackers to run arbitrary commands in the system. Recommendation No fix is...