Lucene search
+L
NodejsRecent

1635 matches found

Node.js
Node.js
•added 2015/10/17 7:41 p.m.•28 views

Denial of Service

Overview Versions of yar prior to 2.2.0 are affected by a denial of service vulnerability related to an invalid encrypted session cookie value. When an invalid encryped session cookie value is provided, the process will crash. Recommendation Update to version 2.2.0 or later. References - Issue 34...

4.6AI score0.02591EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•67 views

methodOverride Middleware Reflected Cross-Site Scripting

Overview Connect is a stack of middleware that is executed in order in each request. The "methodOverride" middleware allows the http post to override the method of the request with the value of the "method" post key or with the header "x-http-method-override". Because the user post input was not...

4.3CVSS0.9AI score0.01435EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•68 views

Denial-of-Service Extended Event Loop Blocking

Overview Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string. Recommendation Update to version 1.0.0 or later References GitHub Advisory...

5CVSS4.8AI score0.01286EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•26 views

Directory Traversal

Overview Versions 0.1.4 and earlier of fancy-server are vulnerable to a directory traversal attack. Standard attack vectors such as ../ will allow an attacker to read files outside of the served directory. Recommendation Upgrade to version 0.1.4 or greater. References -...

5CVSS3.4AI score0.01606EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•42 views

Arbitrary JavaScript Execution

Overview A vulnerability exists in bassmaster = 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval. Recommendation Update to bassmaster version 1.5.2 or greater. References - Commit b751602 - GitHub Advisory...

10CVSS6.3AI score0.78582EPSS
Exploits6Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•34 views

File Descriptor Leak Can Cause DoS Vulnerability

Overview Versions 2.0.x and 2.1.x of hapi are vulnerable to a denial of service attack via a file descriptor leak. When triggered repeatedly, this leak will cause the server to run out of file descriptors and the node process to die. The effort required to take down a server depends on the proces...

5CVSS1.6AI score0.02374EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•375 views

Multiple XSS Filter Bypasses

Overview Versions of validator prior to 1.1.0 are affected by several cross-site scripting vulnerabilities due to bypasses discovered in the denylist-based filter. Proof of Concept Various inputs that could bypass the filter were discovered: Improper parsing of nested tags: This is a test...

4.3CVSS0.7AI score0.02048EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•47 views

Unauthenticated Remote Command Injection

Overview epimageconvert is a plugin for Etherpad Lite. epimageconvert = 0.0.2 is vulnerable to remote command injection. Authentication is not required for remote exploitation. Recommendation Update to version 0.0.3 or greater. References - PR 5 - GitHub Advisory...

7.5CVSS4.9AI score0.04627EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•68 views

Rosetta-Flash JSONP Vulnerability

Overview This description taken from the pull request provided by Patrick Kettner. Versions 6.1.0 and earlier of hapi are vulnerable to a rosetta-flash attack, which can be used by attackers to send data across domains and break the browser same-origin-policy. Recommendation - Update hapi to...

4.3CVSS1.3AI score0.23024EPSS
Exploits4Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•39 views

Cross-Site Scripting

Overview Versions 1.6.2 and earlier of serve-index are affected by a cross-site scripting vulnerability. Because file and directory names are not escaped in the module's HTML output, a remote attacker that can influence file or directory names can launch a persistent cross-site scripting attack o...

4.3CVSS2.4AI score0.02477EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•166 views

VBScript Content Injection

Overview Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set. Proof of Concept IE10 Compatibility Mode Only xss link will get a link xss link Recommendation Update to version 0.3.3 or later. References - Issue 492 - GitHub Advis...

4.3CVSS2.8AI score0.02051EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•34 views

Directory Traversal

Overview Versions of st prior to 0.2.5 are affected by a directory traversal vulnerability. Vulnerable versions fail to properly handle URL encoded dots, which caused %2e to be interpreted as . by the filesystem, resulting the potential for an attacker to read sensitive files on the server...

5CVSS3.9AI score0.34012EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•46 views

CSRF Vulnerability

Overview Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribut...

5CVSS1.7AI score0.04397EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•38 views

Verification Bypass

Overview Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occuring when an attacker is allowed to arbitrarily specify the JWT algorithm. Recommendation Update to version 4.2.2 or later...

7.5CVSS3AI score0.08655EPSS
Exploits3Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•32 views

Potential Command Injection

Overview Versions 2.4.3 and earlier of hubot-scripts are vulnerable to a command injection vulnerablity in the hubot-scripts/package/src/scripts/email.coffee module. Mitigating Factors The email script is not enabled by default, it has to be manually added to hubot's list of loaded scripts...

7.5CVSS2.9AI score0.02685EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•49 views

Regular Expression Denial of Service

Overview Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. Recommendation Update to version 4.3.2 or later References - Regular Expression Denial of Service - OWASP - GitHub Advisory...

7.8CVSS5.8AI score0.06488EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•25 views

Directory Traversal

Overview All versions of the static file server module nhouston are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served directory. Recommendation It is recommended that a different module be used, as we have been unable to reacher the...

3.1AI score0.00778EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•38 views

API Admin Auth Weakness

Overview Versions of tomato prior to 0.0.6 are affected by a somewhat complex authentication bypass vulnerability in the admin service when only a single access key is configured on the server. The vulnerability allows an attacker to guess the password for the admin service, no matter how complex...

6.8CVSS1AI score0.02464EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•48 views

LDAP Injection

Overview Versions 2.2.4 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter. Recommendation ldapauth is not actively maintained, having not seen a publish since 2014. As a result...

5CVSS3.9AI score0.02117EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•28 views

Hidden Directories Always Served

Overview Versions 1.1.1 and earlier of inert are vulnerable to an information leakage vulnerability which causes files in hidden directories to be served, even when showHidden is false. The inert directory handler always allows files in hidden directories to be served, even when showHidden is...

5CVSS2.3AI score0.01933EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•45 views

Denial-of-Service Memory Exhaustion

Overview Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing. Recommendation Update to version 1.0...

5CVSS3.1AI score0.08309EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•138 views

Incorrect Handling of Non-Boolean Comparisons During Minification

Overview Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification. Recommendation Upgrade UglifyJS to version = 2.4.24. References - Backdooring JS - Yan Zhu@bcrypt - Issue 751 - GitHub Advisory...

7.5CVSS2.5AI score0.03559EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•22 views

SQL Injection

Overview Versions 2.0.0-rc-7 and earlier of sequelize are affected by a SQL injection vulnerability when user input is passed into the order parameter. Proof of Concept javascript Test.findAndCountAll where: id :1 , order : 'id', 'UNTRUSTED USER INPUT' Recommendation Update to version 2.0.0-rc8 o...

7.5CVSS3.3AI score0.02115EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•31 views

Validation Bypass

Overview Versions 2.x.x and earlier of paypal-ipn are affected by a validation bypass vulnerability. paypal-ipn uses the testipn parameter which is set by the PayPal IPN simulator to determine if it should use the production PayPal site or the sandbox. A motivated attacker could craft a request...

4.3CVSS2.9AI score0.01169EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•78 views

Cross-Site Scripting

Overview Cross-site scripting XSS vulnerability in the DataTables plugin 1.10.8 and earlier for jQuery allows remote attackers to inject arbitrary web script or HTML via the scripts parameter to media/unittesting/templates/6776.php. Recommendation Update to a version greater than 1.10.8. Referenc...

4.3CVSS3.7AI score0.02679EPSS
Exploits2Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•51 views

Potential Command Injection

Overview Versions 0.0.1 and earlier of printer are affected by a command injection vulnerability resulting from a failure to sanitize command arguments properly in the printDirect function. Recommendation Update to version 0.0.2 or later. References - Commit e001e38 - GitHub Advisory...

7.5CVSS5.1AI score0.03826EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•29 views

Content Injection

Overview Versions 1.4.0 and earlier of remarkable are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of remarkable did not properly deny link protocols, and consequently allowed javascript: to be used. Proof of Concept Markdown Source: link Rendered HTML...

4.3CVSS1.6AI score0.00973EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•34 views

Directory Traversal

Overview Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For...

7.5CVSS3.6AI score0.04257EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•45 views

No Charset in Content-Type Header

Overview Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standa...

4.3CVSS1.6AI score0.01135EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•35 views

Potential for Script Injection

Overview Versions of syntax-error prior to 1.1.1 are affected by a cross-site scripting vulnerability which may allow a malicious file to execute code when browserified. Recommendation Update to version 1.1.1 or later. References - Browserify 4.2.1 Update - GitHub Advisory...

10CVSS5.6AI score0.13441EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•36 views

Directory Traversal

Overview Versions 13.0.8 and earlier of geddy are vulnerable to a directory traversal attack via URI encoded attack vectors. Proof of Concept http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd Recommendation Update geddy to version =...

5CVSS2.6AI score0.09385EPSS
Exploits1Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•54 views

Deserialization Code Execution

Overview Versions 2.0.4 and earlier of js-yaml are affected by a code execution vulnerability in the YAML deserializer. Proof of Concept const yaml = require'js-yaml'; const x = test: !!js/function function f console.log1; ; yaml.loadx; Recommendation Update js-yaml to version 2.0.5 or later, and...

6.8CVSS5.6AI score0.17186EPSS
Exploits7Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•37 views

Multiple Content Injection Vulnerabilities

Overview Versions 0.3.0 and earlier of marked are affected by two cross-site scripting vulnerabilities, even when sanitize: true is set. The attack vectors for this vulnerability are GFM Codeblocks and JavaScript URLs. Recommendation Upgrade to version 0.3.1 or later. References GitHub Advisory...

4.3CVSS3.2AI score0.01715EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2015/10/17 7:41 p.m.•37 views

Heap Based Buffer Overflow

Overview Versions 0.2.2 and earlier depend on native libyaml version 0.1.5 or earlier. As such, they are affected by a heap-based buffer overflow vulnerability that may result in a crash or arbitrary code execution when parsing YAML tags. Recommendation - Update to version 0.2.3 that includes a...

6.8CVSS5.3AI score0.09312EPSS
Exploits0Affected Software1
Node.js
Node.js
•added 2014/11/12 3:33 a.m.•23 views

Command Injection

Overview The dns-sync library for node.js allows resolving hostnames in a synchronous fashion All versions of dns-sync prior to the release 0.1.1 were vulnerable to arbitrary command execution via maliciously formed hostnames. For example: var dnsSync = require'dns-sync';...

6.5CVSS7.1AI score
Exploits0Affected Software1
Total number of security vulnerabilities1635