VYPR

Sspa Node Module

by Hackerone

CVEs (26)

  • CVE-2016-10518 (High), May 31, 2018
    risk 0.42, cvss 7.5, epss 0.02

    A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly…

  • CVE-2017-16224 (Medium), Jun 7, 2018
    risk 0.40, cvss 6.1, epss 0.01

    st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most…

  • CVE-2017-16043 (Medium), Jun 4, 2018
    risk 0.40, cvss 6.1, epss 0.01

    Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3.

  • CVE-2018-3718 (Medium), Jun 7, 2018
    risk 0.35, cvss 5.3, epss 0.01

    The serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded.

  • CVE-2018-3712 (Medium), Jun 7, 2018
    risk 0.35, cvss 6.5, epss 0.02

    The serve node module before 6.4.9 suffers from a Path Traversal vulnerability due to not handling %2e (.) and %2f (/) and allowing them in paths, which allows a malicious user to view the contents of any directory with a known path.

  • CVE-2016-10549 (Medium), May 31, 2018
    risk 0.22, cvss 4.4, epss 0.01

    Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to…
