VYPR

Curses Node Module

by Hackerone

CVEs (6)

  • CVE-2016-10615, High, Jun 1, 2018
    risk 0.53, cvss 8.1, epss 0.02

    curses is bindings for the native curses library, a full featured console IO library. curses downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an…

  • CVE-2016-10590, High, May 29, 2018
    risk 0.53, cvss 8.1, epss 0.02

    cue-sdk-node is a Corsair Cue SDK wrapper for node.js. cue-sdk-node downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip…

  • CVE-2017-16122, High, Jun 7, 2018
    risk 0.49, cvss 7.5, epss 0.02

    cuciuci is a simple fileserver. cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16098, High, Jun 7, 2018
    risk 0.42, cvss 7.5, epss 0.02

    charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb, so the impact…

  • CVE-2016-10543, Med, May 31, 2018
    risk 0.35, cvss 5.3, epss 0.01

    call is an HTTP router that is primarily used by the hapi framework. There exists a bug in call versions 2.0.1-3.0.1 that does not validate empty parameters, which could result in invalid input bypassing the route validation rules.

  • CVE-2017-16025, Med, Jun 4, 2018
    risk 0.32, cvss 5.9, epss 0.02

    Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid…