1635 matches found
Hidden Directories Always Served
Overview Versions 1.1.1 and earlier of inert are vulnerable to an information leakage vulnerability which causes files in hidden directories to be served, even when showHidden is false. The inert directory handler always allows files in hidden directories to be served, even when showHidden is...
Open Redirect
Overview Versions of serve-static prior to 1.6.5 or 1.7.x prior to 1.7.2 are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory. Proof of Concept A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e So...
Directory Traversal
Overview Versions 0.1.4 and earlier of fancy-server are vulnerable to a directory traversal attack. Standard attack vectors such as ../ will allow an attacker to read files outside of the served directory. Recommendation Upgrade to version 0.1.4 or greater. References -...
Directory Traversal
Overview Versions 13.0.8 and earlier of geddy are vulnerable to a directory traversal attack via URI encoded attack vectors. Proof of Concept http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd Recommendation Update geddy to version =...
XSS Filter Bypass via Encoded URL
Overview Versions of validator prior to 2.0.0 contained an xss filter method that is affected by several filter bypasses. This may result in a cross-site scripting vulnerability. Proof of Concept The xss function removes the word "javascript" when contained inside an attribute. However, it does n...
Potential Command Injection
Overview Versions 2.4.3 and earlier of hubot-scripts are vulnerable to a command injection vulnerability in the hubot-scripts/package/src/scripts/email.coffee module. Mitigating Factors The email script is not enabled by default, it has to be manually added to hubot's list of loaded scripts...
CSRF Vulnerability
Overview Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribut...
Command Injection
Overview Versions of ungit prior to 0.9.0 are affected by a command injection vulnerability in the url parameter. Recommendation Update to version 0.9.0 or later. References - Issue 486 - GitHub Advisory...
Incorrect Handling of Non-Boolean Comparisons During Minification
Overview Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification. Recommendation Upgrade UglifyJS to version >= 2.4.24. References - Backdooring JS - Yan Zhu@bcrypt - Issue 751 - GitHub Advisory...
Verification Bypass
Overview Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occurring when an attacker is allowed to arbitrarily specify the JWT algorithm. Recommendation Update to version 4.2.2 or later...
Directory Traversal
Overview Versions of st prior to 0.2.5 are affected by a directory traversal vulnerability. Vulnerable versions fail to properly handle URL encoded dots, which caused %2e to be interpreted as . by the filesystem, resulting in the potential for an attacker to read sensitive files on the server...
File Descriptor Leak Can Cause DoS Vulnerability
Overview Versions 2.0.x and 2.1.x of hapi are vulnerable to a denial of service attack via a file descriptor leak. When triggered repeatedly, this leak will cause the server to run out of file descriptors and the node process to die. The effort required to take down a server depends on the proces...
Potential Command Injection
Overview Versions 1.0.3 and earlier of libnotify are affected by a shell command injection vulnerability. This may result in execution of arbitrary shell commands, if user input is passed into libnotify.notify. Untrusted input passed in the call to libnotify.notify could result in execution of...
Unauthenticated Remote Command Injection
Overview epimageconvert is a plugin for Etherpad Lite. epimageconvert <= 0.0.2 is vulnerable to remote command injection. Authentication is not required for remote exploitation. Recommendation Update to version 0.0.3 or greater. References - PR 5 - GitHub Advisory...
Regular Expression Denial of Service
Overview Versions of validator prior to 3.22.1 are affected by a regular expression denial of service vulnerability in the isURL method. Recommendation Update to version 3.22.1 or later. References - Issue 152, Comment 48107184 - GitHub Advisory...
VBScript Content Injection
Overview Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set. Proof of Concept IE10 Compatibility Mode Only xss link will get a link xss link Recommendation Update to version 0.3.3 or later. References - Issue 492 - GitHub Advis...
Validation Bypass
Overview Versions 2.x.x and earlier of paypal-ipn are affected by a validation bypass vulnerability. paypal-ipn uses the testipn parameter which is set by the PayPal IPN simulator to determine if it should use the production PayPal site or the sandbox. A motivated attacker could craft a request...
API Admin Auth Weakness
Overview Versions of tomato prior to 0.0.6 are affected by a somewhat complex authentication bypass vulnerability in the admin service when only a single access key is configured on the server. The vulnerability allows an attacker to guess the password for the admin service, no matter how complex...
Potential for Script Injection
Overview Versions of syntax-error prior to 1.1.1 are affected by a cross-site scripting vulnerability which may allow a malicious file to execute code when browserified. Recommendation Update to version 1.1.1 or later. References - Browserify 4.2.1 Update - GitHub Advisory...
No Charset in Content-Type Header
Overview Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. Because the user's browser is not forced to use the correct charset, an attacker could leverage this to perform a cross-site scripting attack, using non-standa...
Content Injection
Overview Versions 1.4.0 and earlier of remarkable are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of remarkable did not properly deny link protocols, and consequently allowed javascript: to be used. Proof of Concept Markdown Source: link Rendered HTML...
LDAP Injection
Overview Versions 2.2.4 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter. Recommendation ldapauth is not actively maintained, having not seen a publish since 2014. As a result...
Multiple XSS Filter Bypasses
Overview Versions of validator prior to 1.1.0 are affected by several cross-site scripting vulnerabilities due to bypasses discovered in the denylist-based filter. Proof of Concept Various inputs that could bypass the filter were discovered: Improper parsing of nested tags: This is a test...
Potential Command Injection
Overview When the ffprobe functionality is enabled on the server, HTTP POST requests can be made to /probe. These requests are passed to the ffprobe binary on the server. Through this HTTP endpoint it is possible to send a malformed source file name to ffprobe that results in arbitrary command...
Regular Expression Denial of Service
Overview Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. Recommendation Update to version 4.3.2 or later. References - Regular Expression Denial of Service - OWASP - GitHub Advisory...
CORS Token Disclosure
Overview When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly...
Directory Traversal
Overview Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For...
Heap Based Buffer Overflow
Overview Versions 0.2.2 and earlier depend on native libyaml version 0.1.5 or earlier. As such, they are affected by a heap-based buffer overflow vulnerability that may result in a crash or arbitrary code execution when parsing YAML tags. Recommendation - Update to version 0.2.3 that includes a...
Regular Expression Denial of Service
Overview Versions 0.3.3 and earlier of marked are affected by a regular expression denial of service (ReDoS) vulnerability when passed inputs that reach the em inline rule. Recommendation Update to version 0.3.4 or later. References - Regular Expression Denial of Service - OWASP - Issue 497 - GitHu...
Rosetta-Flash JSONP Vulnerability
Overview This description taken from the pull request provided by Patrick Kettner. Versions 6.1.0 and earlier of hapi are vulnerable to a rosetta-flash attack, which can be used by attackers to send data across domains and break the browser same-origin-policy. Recommendation - Update hapi to...
Arbitrary JavaScript Execution
Overview A vulnerability exists in bassmaster <= 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval. Recommendation Update to bassmaster version 1.5.2 or greater. References - Commit b751602 - GitHub Advisory...
Directory Traversal
Overview All versions of the static file server module nhouston are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served directory. Recommendation It is recommended that a different module be used, as we have been unable to reach the...
Multiple Content Injection Vulnerabilities
Overview Versions 0.3.0 and earlier of marked are affected by two cross-site scripting vulnerabilities, even when sanitize: true is set. The attack vectors for this vulnerability are GFM Codeblocks and JavaScript URLs. Recommendation Upgrade to version 0.3.1 or later. References GitHub Advisory...
LDAP Injection
Overview Versions 2.3.2 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter. Recommendation Update to ldapauth-fork version 2.3.3 or later. References -...
Command Injection
Overview The dns-sync library for node.js allows resolving hostnames in a synchronous fashion. All versions of dns-sync prior to the release 0.1.1 were vulnerable to arbitrary command execution via maliciously formed hostnames. For example: var dnsSync = require('dns-sync');...