Sspa Node Module
by Hackerone
Source repositories
CVEs (26)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10518 | | High | 0.42 | 7.5 | 0.02 | | May 31, 2018 | A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly… |
| CVE-2017-16224 | | Med | 0.40 | 6.1 | 0.01 | | Jun 7, 2018 | st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most… |
| CVE-2017-16043 | | Med | 0.40 | 6.1 | 0.01 | | Jun 4, 2018 | Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3. |
| CVE-2018-3718 | | Med | 0.35 | 5.3 | 0.01 | | Jun 7, 2018 | serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded. |
| CVE-2018-3712 | | Med | 0.35 | 6.5 | 0.02 | | Jun 7, 2018 | serve node module before 6.4.9 suffers from a Path Traversal vulnerability due to not handling %2e (.) and %2f (/) and allowing them in paths, which allows a malicious user to view the contents of any directory with known path. |
| CVE-2016-10549 | | Med | 0.22 | 4.4 | 0.01 | | May 31, 2018 | Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to… |