VYPR

Sspa Node Module

by Hackerone

Source repositories

CVEs (26)

  • CVE-2017-16082CriJun 7, 2018
    risk 0.65cvss 9.8epss 0.11

    A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a…

  • CVE-2017-16020CriJun 4, 2018
    risk 0.64cvss 9.8epss 0.03

    Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name.

  • CVE-2016-10669HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    soci downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the…

  • CVE-2016-10656HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    qbs is a build tool that helps simplify the build process for developing projects across multiple platforms. qbs downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the…

  • CVE-2016-10542HigMay 31, 2018
    risk 0.52cvss 7.5epss 0.08

    ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

  • CVE-2018-3727HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    626 node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.

  • CVE-2017-16223HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16212HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    ltt is a static file server. ltt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16199HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    susu-sum is a static file server. susu-sum is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16193HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    mfrs is a static file server. mfrs is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16189HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    sly07 is an API for censoring text. sly07 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16145HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    sspa is a server dedicated to single-page apps. sspa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16117HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service is specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds.

  • CVE-2017-16116HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.

  • CVE-2017-16079HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.01

    smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2014-10064HigMay 31, 2018
    risk 0.49cvss 7.5epss 0.01

    The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service…

  • CVE-2016-10588HigJun 1, 2018
    risk 0.46cvss 8.1epss 0.02

    nw is an installer for nw.js. nw downloads zipped resources over HTTP, It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled binary if the attacker is on the network or positioned in between the user and the…

  • CVE-2018-3714MedJun 7, 2018
    risk 0.43cvss 6.5epss 0.09

    node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path.

  • CVE-2018-3737HigJun 7, 2018
    risk 0.42cvss 7.5epss 0.02

    sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

  • CVE-2017-16138HigJun 7, 2018
    risk 0.42cvss 7.5epss 0.02

    The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Page 1 of 2