npm package
valine
pkg:npm/valine
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-38545 | — | < 1.5.0 | 1.5.0 | Sep 19, 2022 | Valine v1.4.18 was discovered to contain a remote code execution (RCE) vulnerability which allows attackers to execute arbitrary code via a crafted POST request. | ||
| CVE-2020-28847 | — | < 1.4.15 | 1.4.15 | Apr 5, 2022 | Cross Site Scripting (XSS) vulnerability in xCss Valine v1.4.14 via the nick parameter to /classes/Comment. | ||
| CVE-2021-34801 | — | <= 1.4.14 | — | Jun 16, 2021 | Valine 1.4.14 allows remote attackers to cause a denial of service (application outage) by supplying a ua (aka User-Agent) value that only specifies the product and version. | ||
| CVE-2018-19289 | — | < 1.3.4 | 1.3.4 | Nov 15, 2018 | An issue was discovered in Valine v1.3.3. It allows HTML injection, which can be exploited for JavaScript execution via an EMBED element in conjunction with a .pdf file. |
- CVE-2022-38545Sep 19, 2022affected < 1.5.0fixed 1.5.0
Valine v1.4.18 was discovered to contain a remote code execution (RCE) vulnerability which allows attackers to execute arbitrary code via a crafted POST request.
- CVE-2020-28847Apr 5, 2022affected < 1.4.15fixed 1.4.15
Cross Site Scripting (XSS) vulnerability in xCss Valine v1.4.14 via the nick parameter to /classes/Comment.
- CVE-2021-34801Jun 16, 2021affected <= 1.4.14
Valine 1.4.14 allows remote attackers to cause a denial of service (application outage) by supplying a ua (aka User-Agent) value that only specifies the product and version.
- CVE-2018-19289Nov 15, 2018affected < 1.3.4fixed 1.3.4
An issue was discovered in Valine v1.3.3. It allows HTML injection, which can be exploited for JavaScript execution via an EMBED element in conjunction with a .pdf file.