VYPR

Ibapi Node Module

by Hackerone

CVEs (9)

  • CVE-2016-10594 | High | Jun 1, 2018
    risk 0.53 | cvss 8.1 | epss 0.01

    ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.

  • CVE-2016-10593 | High | May 29, 2018
    risk 0.53 | cvss 8.1 | epss 0.02

    ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…

  • CVE-2017-16013 | High | Jun 4, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.

  • CVE-2016-10577 | High | May 29, 2018
    risk 0.46 | cvss 8.1 | epss 0.02

    ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. ibm_db before 1.0.2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…

  • CVE-2015-9241 | High | May 29, 2018
    risk 0.42 | cvss 7.5 | epss 0.02

    Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending an HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default…

  • CVE-2014-10068 | High | May 29, 2018
    risk 0.42 | cvss 7.5 | epss 0.02

    The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when `showHidden` is false.

  • CVE-2017-16041 | Medium | Jun 4, 2018
    risk 0.38 | cvss 5.9 | epss 0.01

    ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks.

  • CVE-2015-9243 | Medium | May 29, 2018
    risk 0.38 | cvss 5.9 | epss 0.01

    When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have…

  • CVE-2015-9236 | Medium | May 31, 2018
    risk 0.35 | cvss 5.3 | epss 0.02

    Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and…