Npm Security Vulnerabilities

CVE-2021-32850
jQuery MiniColors is a color picker built on jQuery. Prior to version 2.3.6, jQuery MiniColors is prone to cross-site scripting when handling untrusted color names. This issue is patched in version...
CVSS: 6.1 | AI Score: 5.7 | EPSS: 0.001 | Published: 2023-02-20 10:15 PM

CVE-2020-15095
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log...
CVSS: 4.4 | AI Score: 5.7 | EPSS: 0.0005 | Published: 2020-07-07 07:15 PM

CVE-2021-39134
@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected...
CVSS: 8.2 | AI Score: 6.3 | EPSS: 0.001 | Published: 2021-08-31 05:15 PM

CVE-2021-39135
@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected...
CVSS: 8.2 | AI Score: 6.5 | EPSS: 0.001 | Published: 2021-08-31 05:15 PM

CVE-2019-16777
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of...
CVSS: 7.7 | AI Score: 6.6 | EPSS: 0.002 | Published: 2019-12-13 01:15 AM

CVE-2019-16776
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or...
CVSS: 8.1 | AI Score: 7.8 | EPSS: 0.001 | Published: 2019-12-13 01:15 AM

CVE-2019-16775
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package...
CVSS: 7.7 | AI Score: 6.8 | EPSS: 0.002 | Published: 2019-12-13 01:15 AM

CVE-2022-29080
The npm-dependency-versions package through 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell metacharacters in a...
CVSS: 9.8 | AI Score: 9.7 | EPSS: 0.002 | Published: 2022-04-12 05:15 AM

CVE-2023-31999
All versions of @fastify/oauth2 used a statically generated state parameter created at startup time, which was then reused across all requests for all users. The purpose of the OAuth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to...
CVSS: 8.8 | AI Score: 8.6 | EPSS: 0.001 | Published: 2023-07-04 05:15 PM

CVE-2021-32853
Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from a malicious web site. There are no known...
CVSS: 9.6 | AI Score: 8.8 | EPSS: 0.041 | Published: 2023-02-20 11:15 PM

CVE-2021-32854
textAngular is a text editor for Angular.js. Versions 1.5.16 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. There are no known...
CVSS: 6.1 | AI Score: 6 | EPSS: 0.001 | Published: 2023-02-21 03:15 PM

CVE-2021-32855
Vditor is a browser-side Markdown editor. Versions prior to 3.8.7 are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. Version 3.8.7 contains a patch for this...
CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.001 | Published: 2023-02-21 03:15 PM

CVE-2021-32860
iziModal is a modal plugin built on jQuery. Versions prior to 1.6.1 are vulnerable to cross-site scripting (XSS) when handling untrusted modal titles. An attacker who is able to influence the title field when creating an iziModal instance is able to supply arbitrary HTML or JavaScript code that will be...
CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.001 | Published: 2023-02-21 03:15 PM

CVE-2021-32851
Mind-elixir is a free, open source mind map core. Prior to version 0.18.1, mind-elixir is prone to cross-site scripting when handling untrusted menus. This issue is patched in version...
CVSS: 6.1 | AI Score: 5.8 | EPSS: 0.001 | Published: 2023-02-20 10:15 PM

CVE-2021-37712
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part,...
CVSS: 8.6 | AI Score: 7.4 | EPSS: 0.001 | Published: 2021-08-31 05:15 PM

CVE-2018-16472
A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS...
CVSS: 7.5 | AI Score: 7.3 | EPSS: 0.001 | Published: 2018-11-06 07:29 PM

CVE-2021-37701
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part,...
CVSS: 8.6 | AI Score: 7.3 | EPSS: 0.001 | Published: 2021-08-31 05:15 PM

CVE-2022-29244
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and ha...
CVSS: 7.5 | AI Score: 8.3 | EPSS: 0.002 | Published: 2022-06-13 02:15 PM

CVE-2020-7795
The package get-npm-package-version before 1.0.7 is vulnerable to Command Injection via the main function in...
CVSS: 9.8 | AI Score: 9.6 | EPSS: 0.002 | Published: 2022-08-02 02:15 PM

CVE-2020-28445
This affects all versions of package npm-help. The injection point is located in line 13 in index.js file in export.latestVersion()...
CVSS: 9.8 | AI Score: 9.6 | EPSS: 0.002 | Published: 2022-07-25 02:15 PM

CVE-2022-0841
OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and...
CVSS: 9.8 | AI Score: 9.7 | EPSS: 0.003 | Published: 2022-03-03 04:15 PM

CVE-2021-37713
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is,...
CVSS: 8.6 | AI Score: 7.1 | EPSS: 0.001 | Published: 2021-08-31 05:15 PM

CVE-2021-32804
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary file creation/overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when...
CVSS: 8.2 | AI Score: 7.4 | EPSS: 0.007 | Published: 2021-08-03 07:15 PM

CVE-2021-32803
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary file creation/overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is,...
CVSS: 8.2 | AI Score: 7.3 | EPSS: 0.007 | Published: 2021-08-03 07:15 PM

CVE-2020-7614
npm-programmatic through 0.0.12 is vulnerable to Command Injection. The packages and option properties are concatenated together without any validation and are used by the 'exec' function...
CVSS: 9.8 | AI Score: 9.4 | EPSS: 0.008 | Published: 2020-04-07 02:15 PM

CVE-2019-5422
XSS in buttle npm package version 0.2.0 causes execution of attacker-provided code in the victim's browser when an attacker creates an arbitrary file on the...
CVSS: 6.1 | AI Score: 6.1 | EPSS: 0.001 | Published: 2019-04-03 03:29 PM

CVE-2019-5423
Path traversal vulnerability in http-live-simulator npm package version 1.0.5 allows arbitrary paths to be accessed on the file system by a remote...
CVSS: 7.5 | AI Score: 7.4 | EPSS: 0.01 | Published: 2019-04-03 03:29 PM

CVE-2018-16202
Directory traversal vulnerability in cordova-plugin-ionic-webview versions prior to 2.2.0 (not including 2.0.0-beta.0, 2.0.0-beta.1, 2.0.0-beta.2, and 2.1.0-0) allows remote attackers to access arbitrary files via unspecified...
CVSS: 8.6 | AI Score: 8.3 | EPSS: 0.003 | Published: 2019-01-09 11:29 PM

CVE-2018-16474
A stored XSS in tianma-static module versions <=1.0.4 allows an attacker to execute arbitrary...
CVSS: 6.1 | AI Score: 6.3 | EPSS: 0.001 | Published: 2018-11-06 07:29 PM

CVE-2018-16475
A Path Traversal in Knightjs versions <= 0.0.1 allows an attacker to read content of arbitrary files on a remote...
CVSS: 7.5 | AI Score: 7.3 | EPSS: 0.009 | Published: 2018-11-06 07:29 PM

CVE-2018-16473
A path traversal in takeapeek module versions <=0.2.2 allows an attacker to list directory and...
CVSS: 5.3 | AI Score: 5.1 | EPSS: 0.001 | Published: 2018-11-06 07:29 PM

CVE-2018-11615
This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca 2.8.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of topics. A crafted regular expression can cause the broker to crash. An attacker...
CVSS: 7.5 | AI Score: 7.4 | EPSS: 0.965 | Published: 2018-08-30 12:29 PM

CVE-2017-16132
simple-npm-registry is a local npm package cache. simple-npm-registry is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the...
CVSS: 7.5 | AI Score: 7.3 | EPSS: 0.004 | Published: 2018-06-07 02:29 AM

CVE-2017-16128
The module npm-script-demo opened a connection to a command and control server. It has been removed from the npm...
CVSS: 9.8 | AI Score: 8.6 | EPSS: 0.002 | Published: 2018-06-07 02:29 AM