VYPR

Uri Js Node Module

by Hackerone

CVEs (14)

  • CVE-2016-10678 | High | Jun 4, 2018
    risk 0.53 | cvss 8.1 | epss 0.02

    serc.js is a Selenium RC process wrapper. serc.js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is…

  • CVE-2016-10610 | High | Jun 1, 2018
    risk 0.53 | cvss 8.1 | epss 0.01

    unicode-json is a unicode lookup table. unicode-json before 2.0.0 downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.

  • CVE-2017-16093 | High | Jun 7, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    cyber-js is a simple http server. A cyberjs server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16076 | High | Jun 7, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2017-16056 | High | Jun 7, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    mssql.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2017-16053 | High | Jun 4, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    `fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2017-16045 | High | Jun 4, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2017-16044 | High | Jun 4, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    `d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2016-10608 | High | Jun 1, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    robot-js is a module for native system automation for node.js. robot-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…

  • CVE-2016-10638 | High | Jun 4, 2018
    risk 0.46 | cvss 8.1 | epss 0.02

    js-given is a JavaScript frontend to jgiven. js-given downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker…

  • CVE-2017-16021 | Medium | Jun 4, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    uri-js is a module that tries to fully implement RFC 3986. One of its features is validating whether or not a supplied URL is valid. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU…

  • CVE-2017-16007 | Medium | Jun 4, 2018
    risk 0.31 | cvss 5.9 | epss 0.01

    node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key…

  • CVE-2016-10544 | Medium | May 31, 2018
    risk 0.31 | cvss 5.9 | epss 0.01

    uws is a WebSocket server library. By sending a 256 MB WebSocket message to a uws server instance with permessage-deflate enabled, there is a possibility that the compression used will shrink said 256 MB down to less than 16 MB of WebSocket payload, which passes the length check of 16 MB…

  • CVE-2017-16022 | Medium | Jun 4, 2018
    risk 0.00 | cvss 6.1 | epss 0.01

    Morris.js creates an SVG graph, with labels that appear when hovering over a point. The hover label names are not escaped in versions 0.5.0 and earlier. If control over the labels is obtained, script can be injected. The script will run on the client side whenever that…