HackerOne Security Vulnerabilities

CVE-2018-3721

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property...

CVSS 6.5 | AI Score 7.4 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2017-16021

uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU to idle at 100%...

CVSS 6.5 | AI Score 6.3 | EPSS 0.001 | 2018-06-04 07:29 PM

CVE-2017-16020

Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection...

CVSS 9.8 | AI Score 9.7 | EPSS 0.002 | 2018-06-04 07:29 PM

CVE-2017-16137

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity...

CVSS 5.3 | AI Score 5.2 | EPSS 0.003 | 2018-06-07 02:29 AM

CVE-2018-3745

atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and...

CVSS 9.1 | AI Score 9.1 | EPSS 0.006 | 2018-05-29 08:29 PM

CVE-2017-16009

ag-grid is an advanced data grid that is library agnostic. ag-grid is vulnerable to Cross-site Scripting (XSS) via Angular Expressions, if AngularJS is used in combination with...

CVSS 6.1 | AI Score 6 | EPSS 0.002 | 2018-06-04 07:29 PM

CVE-2018-3778

Improper authorization in aedes version <0.35.0 will publish a LWT in a channel when a client is not...

CVSS 5.3 | AI Score 5.2 | EPSS 0.001 | 2018-08-08 08:29 PM

CVE-2018-3770

A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local...

CVSS 5.5 | AI Score 5.4 | EPSS 0.001 | 2018-07-20 10:29 PM

CVE-2018-3714

node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known...

CVSS 6.5 | AI Score 6.3 | EPSS 0.002 | 2018-06-07 02:29 AM

CVE-2018-3717

connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js...

CVSS 5.4 | AI Score 5.1 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3713

angular-http-server node module suffers from a Path Traversal vulnerability due to lack of validation of possibleFilename, which allows a malicious user to read content of any file with known...

CVSS 6.5 | AI Score 6.2 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3733

crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read content of any file with known...

CVSS 7.5 | AI Score 7.3 | EPSS 0.002 | 2018-05-29 08:29 PM

CVE-2018-3787

Path traversal in...

CVSS 7.5 | AI Score 7.5 | EPSS 0.009 | 2018-08-31 04:29 PM

CVE-2018-3720

assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all...

CVSS 8.8 | AI Score 8.6 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3755

XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with element used in directory...

CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2018-06-01 05:29 PM

CVE-2018-3776

Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit...

CVSS 5.3 | AI Score 5.2 | EPSS 0.001 | 2018-08-12 10:29 PM

CVE-2018-3732

resolve-path node module before 1.4.0 suffers from a Path Traversal vulnerability due to lack of validation of paths with certain special characters, which allows a malicious user to read content of any file with known...

CVSS 7.5 | AI Score 7.4 | EPSS 0.003 | 2018-06-07 02:29 AM

CVE-2018-3727

626 node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known...

CVSS 7.5 | AI Score 7.3 | EPSS 0.004 | 2018-06-07 02:29 AM

CVE-2018-3718

serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL...

CVSS 5.3 | AI Score 5.2 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3711

Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application/json" and a very large...

CVSS 7.5 | AI Score 7.4 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3729

localhost-now node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known...

CVSS 7.5 | AI Score 7.3 | EPSS 0.004 | 2018-06-07 02:29 AM

CVE-2018-3719

mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all...

CVSS 8.8 | AI Score 8.4 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3775

Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor...

CVSS 8.8 | AI Score 8.7 | EPSS 0.001 | 2018-08-12 10:29 PM

CVE-2016-10541

The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code...

CVSS 9.8 | AI Score 9.6 | EPSS 0.008 | 2018-05-31 08:29 PM

CVE-2018-3725

hekto node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known...

CVSS 7.5 | AI Score 7.3 | EPSS 0.004 | 2018-06-07 02:29 AM

CVE-2018-3744

The html-pages node module contains a path traversal vulnerability that allows an attacker to read any file from the server with...

CVSS 9.8 | AI Score 9.4 | EPSS 0.005 | 2018-05-29 08:29 PM

CVE-2018-3715

glance node module before 3.0.4 suffers from a Path Traversal vulnerability due to lack of validation of path passed to it, which allows a malicious user to read content of any file with known...

CVSS 6.5 | AI Score 6.2 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3746

The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's...

CVSS 9.8 | AI Score 9.8 | EPSS 0.004 | 2018-06-01 05:29 PM

CVE-2018-3743

Open redirect in hekto <=0.2.3 when target domain name is used as html filename on...

CVSS 6.1 | AI Score 6.2 | EPSS 0.001 | 2018-06-01 05:29 PM

CVE-2018-3716

simplehttpserver node module suffers from a Cross-Site Scripting vulnerability due to a lack of validation of file...

CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3758

Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting...

CVSS 8.8 | AI Score 8.6 | EPSS 0.001 | 2018-06-07 09:29 PM

CVE-2018-3731

public node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known...

CVSS 7.5 | AI Score 7.3 | EPSS 0.004 | 2018-06-07 02:29 AM

CVE-2018-3734

stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read content of any file with known...

CVSS 7.5 | AI Score 7.3 | EPSS 0.003 | 2018-05-29 08:29 PM

CVE-2018-3730

mcstatic node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known...

CVSS 7.5 | AI Score 7.3 | EPSS 0.004 | 2018-06-07 02:29 AM

CVE-2018-3735

bracket-template suffers from reflected XSS possible when variable passed via GET parameter is used in...

CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3726

crud-file-server node module before 0.8.0 suffers from a Cross-Site Scripting vulnerability due to a lack of validation of file...

CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3738

protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto...

CVSS 5.5 | AI Score 5.4 | EPSS 0.001 | 2018-06-07 02:29 AM

CVE-2018-3737

sshpk is vulnerable to ReDoS when parsing crafted invalid public...

CVSS 7.5 | AI Score 7.4 | EPSS 0.002 | 2018-06-07 02:29 AM

CVE-2018-3771

An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the...

CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2018-07-20 10:29 PM

CVE-2017-0938

Denial of Service attack in airMAX < 8.3.2, airMAX < 6.0.7 and EdgeMAX < 1.9.7 allows attackers to use the Discovery Protocol in amplification...

CVSS 7.5 | AI Score 7.2 | EPSS 0.003 | 2019-02-12 10:29 PM

CVE-2018-16484

An XSS vulnerability was found in module m-server <1.4.2 that allows malicious JavaScript code or HTML to be executed, due to the lack of escaping for special characters in folder...

CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | 2019-02-01 06:29 PM

CVE-2018-16487

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of...

CVSS 5.6 | AI Score 6.3 | EPSS 0.001 | 2019-02-01 06:29 PM

CVE-2018-16485

Path Traversal vulnerability in module m-server <1.4.1 allows a malicious user to access unauthorized content of any file in the directory tree, e.g. /etc/passwd, by appending slashes to the URL...

CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2019-02-01 06:29 PM

CVE-2018-16489

A prototype pollution vulnerability was found in just-extend <4.0.0 that allows an attacker to inject properties onto Object.prototype through its...

CVSS 9.8 | AI Score 9.2 | EPSS 0.004 | 2019-02-01 06:29 PM

CVE-2018-16491

A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto...

CVSS 9.8 | AI Score 9.2 | EPSS 0.004 | 2019-02-01 06:29 PM

CVE-2018-16492

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto...

CVSS 9.8 | AI Score 9.2 | EPSS 0.004 | 2019-02-01 06:29 PM

CVE-2018-16493

A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the...

CVSS 7.5 | AI Score 7.2 | EPSS 0.009 | 2019-02-01 06:29 PM

CVE-2018-16482

A server directory traversal vulnerability was found on node module mcstatic <=0.0.20 that would allow an attacker to access sensitive information in the file system by appending slashes in the URL...

CVSS 7.5 | AI Score 7.3 | EPSS 0.002 | 2019-02-01 06:29 PM

CVE-2018-16483

A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as...

CVSS 8.8 | AI Score 8.6 | EPSS 0.001 | 2019-02-01 06:29 PM

CVE-2018-16479

Path traversal vulnerability in http-live-simulator <1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the...

CVSS 7.5 | AI Score 7.5 | EPSS 0.004 | 2019-02-01 06:29 PM
Total number of security vulnerabilities: 470