Node.js security advisories, sorted by most recently added

1635 matches found

Node.js • added 2019/04/04 2:47 a.m.

Prototype Pollution

Overview: All versions of smart-extend are vulnerable to Prototype Pollution. The deep function allows attackers to modify the prototype of Object, causing the addition or modification of a property that will exist on all objects. Recommendation: No fix is currently available. Consider usi...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/04/04 2:25 a.m.

SQL Injection

Overview: Versions of typeorm before 0.1.15 are vulnerable to SQL Injection. Field names are not properly validated, allowing attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation: Upgrade to version 0.1.15. References: HackerOne Report, GitHub Advisory...

AI score: 8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/04/04 1:26 a.m.

Path Traversal

Overview: Versions of http-live-simulator prior to 1.0.6 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation: Upgrade to version 1.0.6. References: HackerOne Report, GitHub Advisory...

CVSS: 5 · AI score: 4.2 · EPSS: 0.00607 · Exploits: 0 · Affected software: 1
Node.js • added 2019/04/03 6:57 p.m.

Command Injection

Overview: All versions of tomato are vulnerable to Command Injection. The /api/exec endpoint does not validate user input, allowing attackers to run arbitrary commands on the system. Recommendation: No fix is currently available. Consider using an alternative module until a fix is made available...

AI score: 7.1 · Exploits: 0 · Affected software: 1
Node.js • added 2019/04/02 9:06 p.m.

Prototype Pollution

Overview: Versions of jquery prior to 3.4.0 are vulnerable to Prototype Pollution. The extend method allows an attacker to modify the prototype of Object, causing changes in properties that will exist on all objects. Recommendation: Upgrade to version 3.4.0 or later. References: HackerOne Report, ...

AI score: 7.6 · Exploits: 3 · Affected software: 1
Node.js • added 2019/04/02 8:12 p.m.

Directory Traversal

Overview: Versions of serve before 7.1.3 are vulnerable to Directory Traversal. File paths are not sanitized, leading to unauthorized access of system files. Recommendation: Upgrade to version 7.1.3 or later. References: HackerOne Report, GitHub Advisory...

CVSS: 5 · AI score: 3.5 · EPSS: 0.00611 · Exploits: 1 · Affected software: 1
Node.js • added 2019/04/02 7:38 p.m.

Cross-Site Scripting

Overview: All versions of editor.md are vulnerable to Cross-Site Scripting. User input is insufficiently sanitized, allowing attackers to inject malicious code in payloads containing base64-encoded content. Recommendation: No fix is currently available. Consider using an alternative module until a...

CVSS: 4.3 · AI score: 4.1 · EPSS: 0.0024 · Exploits: 1 · Affected software: 1
Node.js • added 2019/04/02 6:18 p.m.

Regular Expression Denial of Service

Overview: Versions of highcharts prior to 6.1.0 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions, which can make the application unresponsive, leading to Denial of Service. Recommendation: Upgra...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/04/01 8:43 p.m.

Insecure Default Configuration

Overview: Versions of tesseract.js prior to 1.0.19 default to using a third-party proxy. Requests may be proxied through crossorigin.me, which clearly states that it is not suitable for production use. This may lead to instability and privacy violations. Recommendation: Upgrade to version 1.0.19 or later...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/03/28 10:21 p.m.

Improper Authorization

Overview: Versions of googleapis prior to 39.1.0 are vulnerable to Improper Authorization. Credentials set on one client may apply to all clients, which may cause requests to be sent with the incorrect credentials. Recommendation: Upgrade to version 39.1.0. References: GitHub...

AI score: 6.9 · Exploits: 0 · Affected software: 1
Node.js • added 2019/03/28 9:15 p.m.

Denial of Service

Overview: Versions of serialize-to-js prior to 2.0.0 are vulnerable to Denial of Service. User input is not properly validated, allowing attackers to provide inputs that cause execution to loop indefinitely. Recommendation: Upgrade to version 2.0.0 or later. References: GitHub Advisory...

AI score: 7 · Exploits: 0 · Affected software: 1
Node.js • added 2019/03/19 5:48 p.m.

Command Injection

Overview: Versions of opencv prior to 6.1.0 are vulnerable to Command Injection. The utils/find-opencv.js script does not validate user input, allowing attackers to execute arbitrary commands. Recommendation: Upgrade to version 6.1.0. References: GitHub Advisory...

AI score: 7.6 · Exploits: 0 · Affected software: 1
Node.js • added 2019/03/18 9:29 p.m.

Denial of Service

Overview: Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. When parsing a carefully crafted YAML file, the node process stalls and may exhaust system resources, leading to Denial of Service. Recommendation: Upgrade to version 3.13.0. References: GitHub Advisory...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/03/08 2:31 p.m.

Sandbox Breakout / Arbitrary Code Execution

Overview: Versions of safer-eval before 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. Recommendation: Upgrade to version 1.3.2. References: GitHub Advisory...

AI score: 7.9 · Exploits: 0 · Affected software: 1
Node.js • added 2019/02/15 9:44 p.m.

Regular Expression Denial of Service

Overview: Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions, which can make the application unresponsive, leading to Denial of Service. Recommendation: Upgrade t...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/02/15 9:40 p.m.

Regular Expression Denial of Service

Overview: Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions, which can make the application unresponsive, leading to Denial of Service. Recommendation: Upgrad...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/02/14 2:29 a.m.

Remote Code Execution

Overview: Versions of node-os-utils prior to 1.1.0 are vulnerable to Remote Code Execution. Due to insufficient input validation, an attacker could run arbitrary commands on the server. Recommendation: Upgrade to version 1.1.0 or later...

AI score: 7.5 · Exploits: 0 · Affected software: 1
Node.js • added 2019/02/14 1:42 a.m.

Denial of Service

Overview: All versions of url-relative are vulnerable to Denial of Service. If the values of to and from are equal, the function hangs and never returns, which may cause a Denial of Service. Recommendation: No fix is currently available. Consider using an alternative module until a fix is made availabl...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/02/13 4:16 p.m.

Prototype Pollution

Overview: Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing...

CVSS: 6.8 · AI score: 4.3 · EPSS: 0.00468 · Exploits: 2 · Affected software: 1
Node.js • added 2019/02/06 1:11 a.m.

Prototype Pollution

Overview: Versions of node.extend before 1.1.7 or 2.0.1 are vulnerable to prototype pollution. Recommendation: Update to version 1.1.7, 2.0.1 or later. References: HackerOne Report, GitHub Advisory...

CVSS: 7.5 · AI score: 4.1 · EPSS: 0.00384 · Exploits: 1 · Affected software: 1
Node.js • added 2019/02/06 1:02 a.m.

Prototype Pollution

Overview: Versions of just-extend before 4.0.0 are vulnerable to prototype pollution. Given certain input, just-extend can add or modify properties of the Object prototype. These properties will be present on all objects. Recommendation: Update to version 4.0.0 or later. References: HackerOne...

CVSS: 7.5 · AI score: 3.9 · EPSS: 0.00437 · Exploits: 1 · Affected software: 1
Node.js • added 2019/02/06 12:59 a.m.

Prototype Pollution

Overview: Versions of mpath before 0.5.1 are vulnerable to prototype pollution. Given certain input, mpath can add or modify properties of the Object prototype. These properties will be present on all objects. Recommendation: Update to version 0.5.1 or later. References: HackerOne Report, GitHu...

CVSS: 5 · AI score: 3.7 · EPSS: 0.00186 · Exploits: 1 · Affected software: 1
Node.js • added 2019/02/06 12:56 a.m.

Prototype Pollution

Overview: All versions of defaults-deep are vulnerable to prototype pollution. Given certain input, defaults-deep can add or modify properties of the Object prototype. These properties will be present on all objects. Recommendation: As no patch is currently available for this vulnerability, it is...

CVSS: 7.5 · AI score: 2.9 · EPSS: 0.00437 · Exploits: 1 · Affected software: 1
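The prototype pollution entries on this page (smart-extend, jquery, lodash, node.extend, just-extend, mpath and defaults-deep) share one root cause: a recursive merge that walks into whatever key the source object names, including `__proto__` and `constructor`. The block below is an added example written for this listing, not code from any of those packages. It shows a minimal merge with that defect, both payload shapes the lodash entry mentions, a probe that detects whether `Object.prototype` was touched, and a merge that refuses to follow those keys.

```javascript
// Added example, not code from any package on this page: a naive recursive
// merge, the two payloads that reach Object.prototype through it, and a
// hardened merge that refuses to walk the prototype chain.

// Vulnerable pattern: recurse into every key of the source. target["__proto__"]
// is Object.prototype, and target["constructor"]["prototype"] is too, so a
// crafted source object ends up writing onto the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const existing = target[key];
      if (existing === null || (typeof existing !== 'object' && typeof existing !== 'function')) {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// JSON.parse creates "__proto__" as an own data property (it does not invoke
// the setter), which is exactly why JSON bodies are the usual delivery vehicle.
const PAYLOAD_PROTO = JSON.parse('{"__proto__": {"polluted": "yes"}}');
const PAYLOAD_CTOR = JSON.parse('{"constructor": {"prototype": {"polluted": "yes"}}}');

// Hardened: skip the three keys that address the prototype chain, and only
// recurse into the target's own plain-object properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: run a merge on an empty object with the payload, then ask a brand new
// object whether it can see the injected key. Cleans up either way so the rest
// of the process is unaffected.
function pollutes(mergeFn, payload) {
  const probe = 'polluted';
  delete Object.prototype[probe];
  mergeFn({}, payload);
  const hit = ({})[probe] === 'yes';
  delete Object.prototype[probe];
  return hit;
}
```

Blocking the key names is the fix these packages shipped; building the merge result with `Object.create(null)` or freezing `Object.prototype` at startup are complementary controls for code that has to accept deep objects from the network.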
Node.js • added 2019/01/30 12:33 a.m.

Arbitrary File Overwrite

Overview: Vulnerable versions of decompress-zip are affected by the Zip-Slip vulnerability, an arbitrary file write. It occurs because decompress-zip does not verify that extracted files do not resolve to targets outside of the extraction root directory. Recommendation:...

AI score: 7 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/30 12:22 a.m.

Symlink Arbitrary File Overwrite

Overview: Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability: bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory. Recommendation: Update to version 1.8.8 or later...

AI score: 7 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/25 8:19 p.m.

Malicious Package

Overview: Version 2.0.2 of stream-combine contains malicious code designed to steal credentials and credit card information. The code searches all form elements for passwords, credit card numbers and CVC codes, then uploads the information to a remote server using HTML links embedded in the page or fo...

AI score: 6.7 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/25 7:52 p.m.

Remote Code Execution

Overview: All versions of pivideorecording are vulnerable to Remote Code Execution. Due to insufficient input validation, the server executes arbitrary code through the /api/record/start endpoint. After running the server, curl -X POST -H "Content-Type: application/json" -d '{"filename": " || touch...

AI score: 7.7 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/23 7:11 p.m.

Path Traversal

Overview: Versions of http-live-simulator prior to 1.0.7 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. For example: curl --path-as-is http://localhost:8080//../../../../etc/passwd. Recommendation: Upgrade to...

CVSS: 5 · AI score: 2.9 · EPSS: 0.00678 · Exploits: 1 · Affected software: 1
Node.js • added 2019/01/17 7:18 p.m.

Improper Authorization

Overview: Vulnerable versions of loopback may allow attackers to create authentication tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create tokens for any user as long as they know the target's userId. Thi...

AI score: 6.9 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/16 10:46 p.m.

Cross-Site Scripting

Overview: Versions of bootstrap-vue prior to 2.0.0-rc.12 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization, components may be vulnerable to Cross-Site Scripting through the options variable, which may lead to the execution of malicious JavaScript in the user's browser...

AI score: 6.4 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/16 8:56 p.m.

Reflected Cross-Site Scripting

Overview: Versions of jquery.terminal prior to 1.21.0 are vulnerable to Reflected Cross-Site Scripting. If the application has either of the options anyLinks or invokeMethods set to true, it may execute arbitrary JavaScript through crafted malicious payloads due to insufficient...

AI score: 7.2 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/15 9:02 p.m.

Server-Side Request Forgery

Overview: Versions of terriajs-server prior to 2.7.4 are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server allowed by the terriajs-server proxy, or is able to modify the DNS records of a domain allowed by the proxy, the attacker can...

AI score: 6.9 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/15 7:37 p.m.

NoSQL Injection

Overview: Versions of loopback-connector-mongodb prior to 3.6.0 are vulnerable to NoSQL Injection. Filters passed to the database query are not properly sanitized, which can lead to code execution in the database driver and to data leakage. Recommendation: Upgrade to version 3.6.0 or later. References: ...

AI score: 7.2 · Exploits: 0 · Affected software: 1
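The typeorm entry (field names not validated) and the loopback-connector-mongodb entry (filters not sanitized) are two shapes of the same problem: untrusted input that is structural, not a value, so a bound parameter cannot protect it. The block below is an added example for this listing, not code from either package. `USERS_COLUMNS`, the `USERS` sample records and the minimal `matches` stand-in for the driver's filter evaluation are constructed for the example; the `$gt` login bypass is the standard operator-injection shape.

```javascript
// Added example, not code from typeorm or loopback-connector-mongodb: an
// identifier allowlist for SQL, and operator rejection plus type checks for a
// document-store filter.

// --- SQL: a column name cannot be a bound parameter, so check it against the
// schema before it is interpolated. The searched value still goes through $1.
const USERS_COLUMNS = new Set(['id', 'email', 'created_at']); // constructed schema

function buildUserQuery(emailFilter, sortField, direction) {
  if (!USERS_COLUMNS.has(sortField)) {
    throw new Error(`unknown column ${JSON.stringify(sortField)}`);
  }
  const dir = direction === 'desc' ? 'DESC' : 'ASC';
  return {
    text: `SELECT id, email FROM users WHERE email = $1 ORDER BY "${sortField}" ${dir}`,
    values: [emailFilter],
  };
}

// --- MongoDB-style filters. A JSON body such as
//   {"username": "bob", "password": {"$gt": ""}}
// turns the intended equality on password into "greater than empty string",
// which is true for every stored password.

// Minimal stand-in for the driver's matcher (assumption: equality, $gt, $ne only).
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const actual = doc[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$gt') return actual > arg;
        if (op === '$ne') return actual !== arg;
        throw new Error(`unsupported operator ${op}`);
      });
    }
    return actual === cond;
  });
}

const USERS = [                                    // constructed sample records
  { username: 'bob', password: 's3cret' },
  { username: 'eve', password: 'hunter2' },
];
function login(filter) {
  return USERS.filter((u) => matches(u, filter));
}

// Generic sanitizer for filters that legitimately come from clients: reject
// operator keys and dotted keys (which address nested fields) at any depth.
function sanitizeFilter(value) {
  if (Array.isArray(value)) return value.map(sanitizeFilter);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$')) throw new Error(`operator key rejected: ${k}`);
      if (k.includes('.')) throw new Error(`dotted key rejected: ${k}`);
      out[k] = sanitizeFilter(v);
    }
    return out;
  }
  return value;
}

// For a login form the stricter rule is simpler: credentials must be strings,
// so an object can never reach the query at all.
function loginFilter(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('credentials must be strings');
  }
  return { username, password };
}
```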
Node.js • added 2019/01/14 8:13 p.m.

Sandbox Breakout / Arbitrary Code Execution

Overview: All versions of sandbox are vulnerable to Sandbox Escape leading to Remote Code Execution. Due to insufficient input sanitization it is possible to escape the sandbox using constructors. Proof of concept: var Sandbox = require("sandbox"); s = new Sandbox(); code = new Function("return...

AI score: 7.3 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/11 9:06 p.m.

Malicious Package

Overview: All versions of portionfatty12 are considered malicious. The package is malware designed to steal users' data: when installed, it uploads the user's public SSH keys to a remote server. Recommendation: This package is no longer available on the npm Registry. If you happen to find this...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/10 7:09 p.m.

Malicious Package

Overview: All versions of rrgod are considered malicious. The package is malware designed to run arbitrary scripts: when installed, it downloads an arbitrary file and executes its contents as pre-, post- and install scripts. Recommendation: This package is no longer available on the npm Registry...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/09 10:00 p.m.

Malicious Package

Overview: All versions of commander-js are considered malicious. The package is malware that relies on users mistyping the name of the module they intend to install (typosquatting). When installed, it downloads an arbitrary file and executes its contents as a post-install script...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/09 1:34 p.m.

Cryptographically Weak PRNG

Overview: Affected versions of generate-password generate random values that are biased towards certain characters, depending on the chosen character sets. This may result in guessable passwords. Recommendation: Update to version 1.4.1 or later. References: GitHub Pull, GitHub Advisory...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/08 10:22 p.m.

Cross-Site Scripting

Overview: All versions of semantic-ui-search are vulnerable to Cross-Site Scripting. Lack of output encoding in the selection dropdowns can lead to user input being executed instead of rendered as text. Recommendation: No fix is currently available. Consider using an alternative module until a fix i...

AI score: 6.7 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/04 9:21 p.m.

Remote Code Execution

Overview: All versions of office-converter are vulnerable to Remote Code Execution. Due to insufficient input validation, an attacker could run arbitrary commands on the server. Recommendation: No fix is currently available. Consider usi...

AI score: 7.4 · Exploits: 0 · Affected software: 1
Node.js • added 2019/01/03 7:44 p.m.

Sandbox Breakout / Arbitrary Code Execution

Overview: Versions of static-eval prior to 2.0.2 pass untrusted user input directly to the global Function constructor, resulting in arbitrary code execution when user input is parsed via the package. Proof of concept: var evaluate = require('static-eval'); var parse =...

AI score: 7.8 · Exploits: 0 · Affected software: 1
Node.js • added 2018/12/28 9:18 p.m.

Remote Code Execution

Overview: All versions of pomelo-monitor are vulnerable to Remote Code Execution. Due to insufficient input validation, an attacker could run arbitrary commands on the server. Recommendation: No fix is currently available. Consider using...

AI score: 7.4 · Exploits: 0 · Affected software: 1
Node.js • added 2018/12/28 8:34 p.m.

Prototype Pollution

Overview: Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, allowing an attacker to execute arbitrary code on the server. Recommendation: For handlebars 4.1.x upgrade to 4.1.2 or later. For handlebars 4.0.x upgrade to 4.0.1...

AI score: 7.8 · Exploits: 0 · Affected software: 1
Node.js • added 2018/12/26 4:17 p.m.

Sensitive Data Exposure

Overview: All versions of rails-session-decoder do not verify the Message Authentication Code appended to the cookies. This may lead to decryption of the ciphertext, exposing the encrypted information. Recommendation: No fix is currently available. Consider using an alternative module...

AI score: 7 · Exploits: 0 · Affected software: 1
Node.js • added 2018/12/26 1:54 p.m.

Undefined Behavior

Overview: All versions of sailsjs-cacheman have a vulnerability that may lead to Undefined Behavior. The config variable is exposed in the global scope, where it may overwrite other variables and cause the application to misbehave. Recommendation: No fix is currently available. Consider using an...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2018/12/21 8:04 p.m.

Cross-Site Scripting

Overview: Versions of mermaid prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as A"" is provided to the application, it will execute the code instead of rendering it as text, due to improper output encoding. Recommendation: Upgrade to version 8.2.3 or later. References ...

AI score: 7.1 · Exploits: 0 · Affected software: 1
Node.js • added 2018/12/18 8:57 p.m.

Cross-Site Scripting

Overview: Versions of jingo prior to 1.9.2 are vulnerable to Cross-Site Scripting (XSS). If malicious input such as alert1 is placed in the content of a wiki page, Jingo does not properly encode it and it is executed instead of rendered as text. Recommendation: Upgrade to version 1.9.2...

AI score: 6.2 · Exploits: 0 · Affected software: 1
Node.js • added 2018/12/18 8:09 p.m.

Denial of Service

Overview: All versions of markdown-it-toc-and-anchor are vulnerable to Denial of Service. Parsing markdown containing text+\n@toc causes the application to enter an infinite loop. Recommendation: No fix is currently available. Consider using an alternative module until a fix is made available...

AI score: 6.8 · Exploits: 0 · Affected software: 1
Node.js • added 2018/12/14 4:43 p.m.

Cross-Site Scripting

Overview: All versions of md-data-table are vulnerable to Cross-Site Scripting (XSS). The vulnerability is exploitable if an attacker controls data that is rendered by mdt-row. Recommendation: As there is no fix for this vulnerability at this time, we recommend either selecting another package...

AI score: 6.2 · Exploits: 0 · Affected software: 1
Node.js • added 2018/12/12 7:05 p.m.

Cross-Site Scripting

Overview: Versions of buefy prior to 0.7.2 are vulnerable to Cross-Site Scripting, allowing attackers to inject markup into the DOM and execute arbitrary JavaScript in the user's browser. The autocomplete list renders user input as HTML without encoding. Recommendation: Upgrade to version 0.7.2 or later. References: GitHub Issue, GitH...

AI score: 7 · Exploits: 0 · Affected software: 1
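The Cross-Site Scripting entries on this page (editor.md, bootstrap-vue, jquery.terminal, semantic-ui-search, mermaid, jingo, md-data-table, buefy) mostly reduce to one sentence from the buefy and semantic-ui-search entries: user input is rendered as HTML without encoding. The block below is an added example for this listing, not code from any of those packages. It shows an autocomplete-style list built by string concatenation, the same list with output encoding, and an attribute-context case (a link) where the URL scheme has to be checked as well as the characters. The payload strings and the `https://example.invalid/` base used to resolve relative links are constructed for the example.

```javascript
// Added example, not code from any package on this page: HTML output encoding
// for text and attribute contexts, beside the unencoded renderer.

// The five characters that change meaning in HTML text and quoted attributes.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable: suggestion text is concatenated into markup, so a suggestion
// containing "<img src=x onerror=...>" becomes an element with a handler.
function renderSuggestionsVulnerable(items) {
  return `<ul>${items.map((text) => `<li>${text}</li>`).join('')}</ul>`;
}

// Encoded: the same markup shape, but user text can only ever be text.
// In a browser the equivalent is li.textContent = text instead of innerHTML.
function renderSuggestions(items) {
  return `<ul>${items.map((text) => `<li>${escapeHtml(text)}</li>`).join('')}</ul>`;
}

// Attribute context: encoding stops the attacker breaking out of the quotes,
// but a "javascript:" URL needs no special characters at all, so the scheme
// is checked separately. Relative links resolve against an assumed base.
function safeHttpUrl(href) {
  try {
    const url = new URL(href, 'https://example.invalid/');
    if (url.protocol === 'http:' || url.protocol === 'https:') return url.href;
  } catch {
    // unparseable: fall through to the inert value
  }
  return 'about:blank';
}
function renderLink(label, href) {
  return `<a href="${escapeHtml(safeHttpUrl(href))}">${escapeHtml(label)}</a>`;
}
```

Encoding at the output, in the context the value lands in, is the general fix; the "base64-encoded content" wording in the editor.md entry is a reminder that decoding steps between input and output are where a check done too early stops applying.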
Total number of security vulnerabilities: 1635