Uri Js Node Module
by Hackerone
CVEs (14)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10678 | | High | 0.53 | 8.1 | 0.02 | | Jun 4, 2018 | serc.js is a Selenium RC process wrapper. serc.js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is… |
| CVE-2016-10610 | | High | 0.53 | 8.1 | 0.01 | | Jun 1, 2018 | unicode-json is a Unicode lookup table. unicode-json before 2.0.0 downloads data resources over HTTP, which leaves it vulnerable to MITM attacks. |
| CVE-2017-16093 | | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2018 | cyber-js is a simple HTTP server. A cyber-js server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. |
| CVE-2017-16076 | | High | 0.49 | 7.5 | 0.01 | | Jun 7, 2018 | proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16056 | | High | 0.49 | 7.5 | 0.01 | | Jun 7, 2018 | mssql.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16053 | | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16045 | | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16044 | | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2016-10608 | | High | 0.49 | 7.5 | 0.02 | | Jun 1, 2018 | robot-js is a module for native system automation for Node.js. robot-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled… |
| CVE-2016-10638 | | High | 0.46 | 8.1 | 0.02 | | Jun 4, 2018 | js-given is a JavaScript frontend to jgiven. js-given downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker… |
| CVE-2017-16021 | | Medium | 0.42 | 6.5 | 0.01 | | Jun 4, 2018 | uri-js is a module that tries to fully implement RFC 3986. One of its features is validating whether or not a supplied URL is valid. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU… |
| CVE-2017-16007 | | Medium | 0.31 | 5.9 | 0.01 | | Jun 4, 2018 | node-jose is a JavaScript implementation of JSON Object Signing and Encryption (JOSE) for current web browsers and Node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid-curve attack. This allows an attacker to recover the private secret key… |
| CVE-2016-10544 | | Medium | 0.31 | 5.9 | 0.01 | | May 31, 2018 | uws is a WebSocket server library. By sending a 256 MB WebSocket message to a uws server instance with permessage-deflate enabled, there is a possibility that the compression used will shrink said 256 MB down to less than 16 MB of WebSocket payload, which passes the 16 MB length check… |
| CVE-2017-16022 | | Medium | 0.00 | 6.1 | 0.01 | | Jun 4, 2018 | Morris.js creates an SVG graph, with labels that appear when hovering over a point. The hovering label names are not escaped in versions 0.5.0 and earlier. If control over the labels is obtained, script can be injected. The script will run on the client side whenever that… |