Sspa Node Module
by Hackerone
Source repositories
CVEs (26)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16082 | | Critical | 0.65 | 9.8 | 0.11 | | Jun 7, 2018 | A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a… |
| CVE-2017-16020 | | Critical | 0.64 | 9.8 | 0.03 | | Jun 4, 2018 | Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name. |
| CVE-2016-10669 | | High | 0.53 | 8.1 | 0.02 | | Jun 4, 2018 | soci downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the… |
| CVE-2016-10656 | | High | 0.53 | 8.1 | 0.02 | | Jun 4, 2018 | qbs is a build tool that helps simplify the build process for developing projects across multiple platforms. qbs downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the… |
| CVE-2016-10542 | | High | 0.52 | 7.5 | 0.08 | | May 31, 2018 | ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier. |
| CVE-2018-3727 | | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | 626 node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path. |
| CVE-2017-16223 | | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| CVE-2017-16212 | | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | ltt is a static file server. ltt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| CVE-2017-16199 | | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | susu-sum is a static file server. susu-sum is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| CVE-2017-16193 | | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | mfrs is a static file server. mfrs is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| CVE-2017-16189 | | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | sly07 is an API for censoring text. sly07 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| CVE-2017-16145 | | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | sspa is a server dedicated to single-page apps. sspa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
| CVE-2017-16117 | | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds. |
| CVE-2017-16116 | | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods. |
| CVE-2017-16079 | | High | 0.49 | 7.5 | 0.01 | | Jun 7, 2018 | smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2014-10064 | | High | 0.49 | 7.5 | 0.01 | | May 31, 2018 | The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service… |
| CVE-2016-10588 | | High | 0.46 | 8.1 | 0.02 | | Jun 1, 2018 | nw is an installer for nw.js. nw downloads zipped resources over HTTP. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled binary if the attacker is on the network or positioned in between the user and the… |
| CVE-2018-3714 | | Medium | 0.43 | 6.5 | 0.09 | | Jun 7, 2018 | node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path. |
| CVE-2018-3737 | | High | 0.42 | 7.5 | 0.02 | | Jun 7, 2018 | sshpk is vulnerable to ReDoS when parsing crafted invalid public keys. |
| CVE-2017-16138 | | High | 0.42 | 7.5 | 0.02 | | Jun 7, 2018 | The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input. |