Malicious Package
Overview Version 0.0.4 of dossier contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.4 of this module is found installed you...
Malicious Package
Overview Version 1.0.2 of csstransformsupport contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.2 of this module is found...
Malicious Package
Overview Version 1.0.6 of csstransformstep contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.6 of this module is found...
Malicious Package
Overview Version 1.0.910 of cordova-plugin-china-picker contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.910 of this modul...
Malicious Package
Overview Version 1.7.5 of coffee-project contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.7.5 of this module is found...
Malicious Package
Overview Version 0.3.1 of codify contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.3.1 of this module is found installed you...
Malicious Package
Overview Version 0.0.4 of blingjs contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.4 of this module is found installed you...
Malicious Package
Overview Version 1.0.2 of awesomereactutility contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.2 of this module is found...
Malicious Package
Overview Version 4.1.48 of another-date-range-picker contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 4.1.48 of this module is...
Malicious Package
Overview Version 2.0.43 of another-date-picker contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 2.0.43 of this module is found...
Malicious Package
Overview Version 0.1.1 of angular-material-sidenav-rnd contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.1.1 of this module i...
Malicious Package
Overview Version 0.0.9 of angular-bmap contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.9 of this module is found installe...
Malicious Package
Overview Version 1.0.3 of @impala/bmap contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.3 of this module is found installe...
Prototype Pollution
Overview Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution. Recommendation Update to version 0.5.1 or later. References - HackerOne Report - GitHub Advisory...
Prototype Pollution
Overview Versions of deap before 1.0.1 are vulnerable to prototype pollution. Recommendation Update to version 1.0.1 or later. References - HackerOne Report - GitHub Advisory...
Cross-Site Scripting
Overview Versions of glance before 3.0.8 are vulnerable to Stored Cross-Site Scripting XSS. This is only exploitable if the attacker is able to control the name of a file that is served by the glance package. Recommendation Upgrade to version 3.0.8 or later. References - HackerOne Report - GitHub...
Cross-Site Scripting
Overview All versions of public are vulnerable to stored cross-site scripting XSS. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time. References - HackerOne Report - GitHub Advisory...
Cross-Site Scripting
Overview All versions of bracket-template are vulnerable to stored cross-site scripting XSS. This is exploitable when a variable passed in via a GET parameter is used in a template. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use...
Denial of Service
Overview Versions of http-proxy-agent before 2.1.0 are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to Buffer. Recommendation Update to version 2.1.0 or later. References -...
Regular Expression Denial of Service
Overview Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys. Recommendation Update to version 1.13.2, 1.14.1 or later. References - https://github.com/joyent/node-sshpk/blob/v1.13.1/lib/formats/ssh.js#L17 -...
Denial of Service
Overview Versions of protobufjs before 5.0.3 and 6.8.6 are vulnerable to denial of service when parsing crafted invalid .proto files. Recommendation Update to version 5.0.3, 6.8.6 or later. References - https://github.com/dcodeIO/protobuf.js/blob/6.8.5/src/parse.js#L27 - HackerOne Report - GitHub...
Command Injection
Overview Versions of whereis before 0.4.1 are vulnerable to command injection if untrusted user input is passed into whereis. Recommendation Update to version 0.4.1 or later. References - HackerOne Report - GitHub Commit 0f64e37 - GitHub Advisory...
Cross-Site Scripting
Overview Versions of metascraper prior to 5.3.0 are vulnerable to stored cross-site scripting XSS. Recommendation Upgrade to version 5.3.0 or later. References - HackerOne Report - GitHub Advisory...
Remote Memory Exposure
Overview Versions of mysql before 2.14.0 are vulnerable to remote memory exposure. Affected versions of the mysql package allocate and send uninitialized memory over the network when a number is provided as a password. Only mysql running on Node.js versions below 6.0.0 is affected due to a throw...
Remote Memory Exposure
Overview Versions of floody before 0.1.1 are vulnerable to remote memory exposure. .write(number) in the affected floody versions passes a number to the Buffer constructor, appending a chunk of uninitialized memory. Proof of Concept: var f = require('floody')(process.stdout); f.write(USERSUPPLIEDINPUT);...
Remote Memory Exposure
Overview Versions of openwhisk before 3.3.1 are vulnerable to remote memory exposure. When a number is passed to apikey, affected versions of openwhisk allocate an uninitialized buffer and send it over the network, base64-encoded, in the Authorization header. Proof of concept: var openwhisk =...
Remote Memory Exposure
Overview Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure. Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database. Recommendation Update to version 4.3.6, 3.8.39 ...
Memory Exposure
Overview Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number. Proof-of-concept: require('request')({ method: 'GET', uri: 'http://www.example.com', tunnel: true, proxy: { protocol: 'http:',...
Memory Exposure
Overview Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write. Versions 1.3.0 are not affected due to not using the unguarded Buffer constructor. Recommendation Update to version 1.5.2, 1.4.11, 1.3.2 or later. If you are unable to update...
Memory Exposure
Overview Versions of bl before 0.9.5 and 1.0.1 are vulnerable to memory exposure. bl.append(number) in the affected bl versions passes a number to the Buffer constructor, appending a chunk of uninitialized memory. Recommendation Update to version 0.9.5, 1.0.1 or later. References - GitHub PR 22 - GitHub...
Cross-Site Scripting
Overview Versions of simple-server before 1.1.0 are vulnerable to stored cross-site scripting XSS. This is exploitable if an attacker can control a filename on the server. Recommendation Update to version 1.1.0 or later. References - HackerOne Report...
Bypass due to validation before canonicalization
Overview Versions of serve before 6.5.2 are vulnerable to a bypass of the ignore functionality. The bypass is possible because validation happens before canonicalization of paths and filenames. Example: Here we have a server that ignores the file test.txt. const serve = require('serve') const...
Denial of Service
Overview Versions of https-proxy-agent before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options proxy.auth being passed to Buffer. Recommendation Update to version 2.2.0 or later. References - index.js Line 207 - HackerOne Report - GitHub Advisory...
Path Traversal
Overview All versions of general-file-server are vulnerable to path traversal. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not use this module until a fix has been provided. References - HackerOne Report - GitHub Advisory...
Path Traversal
Overview Versions of stattic before 0.3.0 are vulnerable to path traversal, allowing a remote attacker to read arbitrary files with any extension from the server that uses stattic. Recommendation Update to version 0.3.0 or later. References - HackerOne Report - GitHub Advisory...
Path Traversal
Overview Versions of glance before 3.0.4 are vulnerable to path traversal allowing a remote attacker to read arbitrary files from the server using glance. Recommendation Update to version 3.0.4 or later. References - GitHub Commit 8cfd88e - HackerOne Report - GitHub Advisory...
Path Traversal
Overview Versions of angular-http-server before 1.4.3 are vulnerable to path traversal allowing a remote attacker to read files from the server that uses angular-http-server. Recommendation Update to version 1.6.0 or later. Note: This was originally thought to be fixed in version 1.4.3, though...
Path Traversal
Overview Versions of node-srv before 2.1.1 are vulnerable to path traversal allowing a remote attacker to read files from the server that uses node-srv. Recommendation Update to version 2.1.1 or later. References - HackerOne Report - GitHub Advisory...
Cross-Site Scripting
Overview Versions of mrk.js before 2.0.1 are vulnerable to cross-site scripting XSS when markdown is converted to HTML. Recommendation Update to version 2.0.1 or later and use mark.sanitizeURL for any src and href attributes when extending the markdown. References - GitHub PR 3 - GitHub Advisory...
Path Traversal
Overview Versions of hekto before 0.2.3 are vulnerable to path traversal. This allows a remote attacker to read content of arbitrary files. Recommendation Update to version 0.2.3 or later. References - HackerOne Report - GitHub Advisory...
Stored Cross-Site Scripting
Overview All versions of simplehttpserver are vulnerable to stored cross-site scripting XSS. To be exploited an attacker needs to control the filename of a file that is used in the directory listing output. Recommendation No fix is currently available for this vulnerability. It is our...
Cross-Site Scripting
Overview Versions of anywhere before 1.5.0 are vulnerable to cross-site scripting XSS. Recommendation Update to version 1.5.0 or later. References - GitHub Issue 33 - HackerOne Report - GitHub Advisory...
Path Traversal
Overview All versions of 626 are vulnerable to path traversal. This enables a remote attacker to read arbitrary files from the remote server using this module. Recommendation No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this...
Path Traversal
Overview Versions of localhost-now before 1.0.2 are vulnerable to path traversal. This allows a remote attacker to read the content of an arbitrary file. Recommendation Update to version 1.0.2 or later. References - GitHub Commit 30b004c - HackerOne Report - GitHub Advisory...
Prototype Pollution
Overview Versions of default-deep before 0.2.4 are vulnerable to prototype pollution. Recommendation Update to version 0.2.4 or later. References - HackerOne Report - GitHub Advisory...
Prototype Pollution
Overview Versions of merge-deep before 3.0.1 are vulnerable to prototype pollution via merging functions. Recommendation Update to version 3.0.1 or later. References - HackerOne Report - GitHub Advisory...
Prototype Pollution
Overview Versions of assign-deep before 0.4.7 are vulnerable to prototype pollution via merging functions. Recommendation Update to version 0.4.7 or later. References - HackerOne Report - GitHub Advisory...
Prototype Pollution
Overview Versions of mixin-deep before 1.3.1 are vulnerable to prototype pollution via merging functions. Recommendation Update to version 1.3.1 or later. References - HackerOne Report - GitHub Advisory...
Prototype Pollution
Overview Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via __proto__, causing the addition or modification of an existing property that will...
Cross-Site Scripting
Overview Versions of html-janitor prior to 2.0.2 (all current versions) are vulnerable to cross-site scripting XSS. This is exploitable if user-controlled data is passed into the module's clean function. Recommendation No fix is currently available for this vulnerability. It is recommended to use an...