Unauthenticated Remote Command Injection

Overview epimageconvert is a plugin for Etherpad Lite. epimageconvert = 0.0.2 is vulnerable to remote command injection. Authentication is not required for remote exploitation. Recommendation Update to version 0.0.3 or greater. References - PR 5 - GitHub Advisory...

Potential Command Injection

Overview When the ffprobe functionality is enabled on the server, HTTP POST requests can be made to /probe. These requests are passed to the ffprobe binary on the server. Through this HTTP endpoint it is possible to send a malformed source file name to ffprobe that results in arbitrary command...

Cross-Site Scripting

Overview Cross-site scripting XSS vulnerability in the DataTables plugin 1.10.8 and earlier for jQuery allows remote attackers to inject arbitrary web script or HTML via the scripts parameter to media/unittesting/templates/6776.php. Recommendation Update to a version greater than 1.10.8. Referenc...

No Charset in Content-Type Header

Overview Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standa...

Potential Command Injection

Overview Versions 0.0.1 and earlier of printer are affected by a command injection vulnerability resulting from a failure to sanitize command arguments properly in the printDirect function. Recommendation Update to version 0.0.2 or later. References - Commit e001e38 - GitHub Advisory...

Directory Traversal

Overview Versions of st prior to 0.2.5 are affected by a directory traversal vulnerability. Vulnerable versions fail to properly handle URL encoded dots, which caused %2e to be interpreted as . by the filesystem, resulting the potential for an attacker to read sensitive files on the server...

SQL Injection

Overview Versions 2.0.0-rc-7 and earlier of sequelize are affected by a SQL injection vulnerability when user input is passed into the order parameter. Proof of Concept javascript Test.findAndCountAll where: id :1 , order : 'id', 'UNTRUSTED USER INPUT' Recommendation Update to version 2.0.0-rc8 o...

Potential Command Injection

Overview Versions 2.4.3 and earlier of hubot-scripts are vulnerable to a command injection vulnerablity in the hubot-scripts/package/src/scripts/email.coffee module. Mitigating Factors The email script is not enabled by default, it has to be manually added to hubot's list of loaded scripts...

Arbitrary JavaScript Execution

Overview A vulnerability exists in bassmaster = 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval. Recommendation Update to bassmaster version 1.5.2 or greater. References - Commit b751602 - GitHub Advisory...

CSRF Vulnerability

Overview Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribut...

Potential Command Injection

Overview Versions 1.0.3 and earlier of libnotify are affected by a shell command injection vulnerability. This may result in execution of arbitrary shell commands, if user input is passed into libnotify.notify. Untrusted input passed in the call to libnotify.notify could result in execution of...

Deserialization Code Execution

Overview Versions 2.0.4 and earlier of js-yaml are affected by a code execution vulnerability in the YAML deserializer. Proof of Concept const yaml = require'js-yaml'; const x = test: !!js/function function f console.log1; ; yaml.loadx; Recommendation Update js-yaml to version 2.0.5 or later, and...

API Admin Auth Weakness

Overview Versions of tomato prior to 0.0.6 are affected by a somewhat complex authentication bypass vulnerability in the admin service when only a single access key is configured on the server. The vulnerability allows an attacker to guess the password for the admin service, no matter how complex...

Denial-of-Service Extended Event Loop Blocking

Overview Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string. Recommendation Update to version 1.0.0 or later References GitHub Advisory...

Open Redirect

Overview Versions of serve-static prior to 1.6.5 or 1.7.x prior to 1.7.2 are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory. Proof of Concept A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e So...

LDAP Injection

Overview Versions 2.2.4 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter. Recommendation ldapauth is not actively maintained, having not seen a publish since 2014. As a result...

Rosetta-Flash JSONP Vulnerability

Overview This description taken from the pull request provided by Patrick Kettner. Versions 6.1.0 and earlier of hapi are vulnerable to a rosetta-flash attack, which can be used by attackers to send data across domains and break the browser same-origin-policy. Recommendation - Update hapi to...

Directory Traversal

Overview Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For...

Denial of Service

Overview Versions of yar prior to 2.2.0 are affected by a denial of service vulnerability related to an invalid encrypted session cookie value. When an invalid encryped session cookie value is provided, the process will crash. Recommendation Update to version 2.2.0 or later. References - Issue 34...

Content Injection

Overview Versions 1.4.0 and earlier of remarkable are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of remarkable did not properly deny link protocols, and consequently allowed javascript: to be used. Proof of Concept Markdown Source: link Rendered HTML...

File Descriptor Leak Can Cause DoS Vulnerability

Overview Versions 2.0.x and 2.1.x of hapi are vulnerable to a denial of service attack via a file descriptor leak. When triggered repeatedly, this leak will cause the server to run out of file descriptors and the node process to die. The effort required to take down a server depends on the proces...

methodOverride Middleware Reflected Cross-Site Scripting

Overview Connect is a stack of middleware that is executed in order in each request. The "methodOverride" middleware allows the http post to override the method of the request with the value of the "method" post key or with the header "x-http-method-override". Because the user post input was not...

Potential for Script Injection

Overview Versions of syntax-error prior to 1.1.1 are affected by a cross-site scripting vulnerability which may allow a malicious file to execute code when browserified. Recommendation Update to version 1.1.1 or later. References - Browserify 4.2.1 Update - GitHub Advisory...

Denial-of-Service Memory Exhaustion

Overview Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing. Recommendation Update to version 1.0...

XSS Filter Bypass via Encoded URL

Overview Versions of validator prior to 2.0.0 contained an xss filter method that is affected by several filter bypasses. This may result in a cross-site scripting vulnerability. Proof of Concept The xss function removes the word "javascript" when contained inside an attribute. However, it does n...

CORS Token Disclosure

Overview When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly...

Multiple Content Injection Vulnerabilities

Overview Versions 0.3.0 and earlier of marked are affected by two cross-site scripting vulnerabilities, even when sanitize: true is set. The attack vectors for this vulnerability are GFM Codeblocks and JavaScript URLs. Recommendation Upgrade to version 0.3.1 or later. References GitHub Advisory...

Regular Expression Denial of Service

Overview Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. Recommendation Update to version 4.3.2 or later References - Regular Expression Denial of Service - OWASP - GitHub Advisory...

VBScript Content Injection

Overview Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set. Proof of Concept IE10 Compatibility Mode Only xss link will get a link xss link Recommendation Update to version 0.3.3 or later. References - Issue 492 - GitHub Advis...

LDAP Injection

Overview Versions 2.3.2 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter. Recommendation Update to ldapauth-fork version 2.3.3 or later. References -...

Directory Traversal

Overview Versions 0.1.4 and earlier of fancy-server are vulnerable to a directory traversal attack. Standard attack vectors such as ../ will allow an attacker to read files outside of the served directory. Recommendation Upgrade to version 0.1.4 or greater. References -...

Command Injection

Overview Versions of ungit prior to 0.9.0 are affected by a command injection vulnerability in the url parameter. Recommendation Update version 0.9.0 or later. References - Issue 486 - GitHub Advisory...

Heap Based Buffer Overflow

Overview Versions 0.2.2 and earlier depend on native libyaml version 0.1.5 or earlier. As such, they are affected by a heap-based buffer overflow vulnerability that may result in a crash or arbitrary code execution when parsing YAML tags. Recommendation - Update to version 0.2.3 that includes a...

Regular Expression Denial of Service

Overview Versions 0.3.3 and earlier of marked are affected by a regular expression denial of service ReDoS vulnerability when passed inputs that reach the em inline rule. Recommendation Update to version 0.3.4 or later. References - Regular Expression Denial of Service - OWASP - Issue 497 - GitHu...

Command Injection

Overview The dns-sync library for node.js allows resolving hostnames in a synchronous fashion All versions of dns-sync prior to the release 0.1.1 were vulnerable to arbitrary command execution via maliciously formed hostnames. For example: var dnsSync = require'dns-sync';...