Ibapi Node Module
by Hackerone
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10594 | Hig | 0.53 | 8.1 | 0.01 | Jun 1, 2018 | ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks. | ||
| CVE-2016-10593 | Hig | 0.53 | 8.1 | 0.02 | May 29, 2018 | ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled… | ||
| CVE-2017-16013 | Hig | 0.49 | 7.5 | 0.02 | Jun 4, 2018 | hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached. | ||
| CVE-2016-10577 | Hig | 0.46 | 8.1 | 0.02 | May 29, 2018 | ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. ibm_db before 1.0.2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested… | ||
| CVE-2015-9241 | Hig | 0.42 | 7.5 | 0.02 | May 29, 2018 | Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default… | ||
| CVE-2014-10068 | Hig | 0.42 | 7.5 | 0.02 | May 29, 2018 | The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when `showHidden` is false. | ||
| CVE-2017-16041 | Med | 0.38 | 5.9 | 0.01 | Jun 4, 2018 | ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks. | ||
| CVE-2015-9243 | Med | 0.38 | 5.9 | 0.01 | May 29, 2018 | When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have… | ||
| CVE-2015-9236 | Med | 0.35 | 5.3 | 0.02 | May 31, 2018 | Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and… |
- risk 0.53cvss 8.1epss 0.01
ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
- risk 0.53cvss 8.1epss 0.02
ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…
- risk 0.49cvss 7.5epss 0.02
hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.
- risk 0.46cvss 8.1epss 0.02
ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. ibm_db before 1.0.2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…
- risk 0.42cvss 7.5epss 0.02
Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default…
- risk 0.42cvss 7.5epss 0.02
The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when `showHidden` is false.
- risk 0.38cvss 5.9epss 0.01
ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks.
- risk 0.38cvss 5.9epss 0.01
When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have…
- risk 0.35cvss 5.3epss 0.02
Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and…