VYPR

Vendor CVEs

Hackerone

All CVEs

154 total · sorted by risk
  • CVE-2017-16082CriJun 7, 2018
    risk 0.65cvss 9.8epss 0.11

    A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a…

  • CVE-2017-16020CriJun 4, 2018
    risk 0.64cvss 9.8epss 0.03

    Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name.

  • CVE-2015-9244CriMay 29, 2018
    risk 0.64cvss 9.8epss 0.02

    Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with `mysql.escape()` which could lead to SQL Injection.

  • CVE-2017-0903CriOct 11, 2017
    risk 0.58cvss 9.8epss 0.16

    RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

  • CVE-2017-0899CriAug 31, 2017
    risk 0.58cvss 9.8epss 0.11

    RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

  • CVE-2016-10551CriMay 29, 2018
    risk 0.57cvss 9.8epss 0.02

    waterline-sequel is a module that helps generate SQL statements for Waterline apps Any user input that goes into Waterline's `like`, `contains`, `startsWith`, or `endsWith` will end up in waterline-sequel with the potential for malicious code. A malicious user can input their…

  • CVE-2017-16035HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.01

    The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP…

  • CVE-2016-10696HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    windows-latestchromedriver downloads the latest version of chromedriver.exe. windows-latestchromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…

  • CVE-2016-10691HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    windows-seleniumjar is a module that downloads the Selenium Jar file windows-seleniumjar downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an…

  • CVE-2016-10689HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    The windows-iedriver module downloads fixed version of iedriverserver.exe windows-iedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an…

  • CVE-2016-10687HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    windows-selenium-chromedriver is a module that downloads the Selenium Jar file. windows-selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…

  • CVE-2016-10678HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    serc.js is a Selenium RC process wrapper serc.js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is…

  • CVE-2016-10670HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    windows-seleniumjar-mirror downloads the Selenium Jar file windows-seleniumjar-mirror downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an…

  • CVE-2016-10669HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    soci downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the…

  • CVE-2016-10664HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    mystem is a Node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker…

  • CVE-2016-10662HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    tomita is a node wrapper for Yandex Tomita Parser tomita downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the…

  • CVE-2016-10656HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    qbs is a build tool that helps simplify the build process for developing projects across multiple platforms. qbs downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the…

  • CVE-2016-10654HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.01

    sfml downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

  • CVE-2016-10651HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    webdriver-launcher is a Node.js Selenium Webdriver Launcher. webdriver-launcher downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker…

  • CVE-2016-10649HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    frames-compiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in…

  • CVE-2016-10647HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    node-air-sdk is an AIR SDK for nodejs. node-air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker…

  • CVE-2016-10642HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is…

  • CVE-2016-10636HigJun 4, 2018
    risk 0.53cvss 8.1epss 0.02

    grunt-ccompiler is a Closure Compiler Grunt Plugin. grunt-ccompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary…

  • CVE-2016-10632HigJun 1, 2018
    risk 0.53cvss 8.1epss 0.02

    apk-parser2 is a module which extracts Android Manifest info from an APK file. apk-parser2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an…

  • CVE-2016-10622HigJun 1, 2018
    risk 0.53cvss 8.1epss 0.02

    nodeschnaps is a NodeJS compatibility layer for Java (Rhino). nodeschnaps downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…

  • CVE-2016-10615HigJun 1, 2018
    risk 0.53cvss 8.1epss 0.02

    curses is bindings for the native curses library, a full featured console IO library. curses downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an…

  • CVE-2016-10610HigJun 1, 2018
    risk 0.53cvss 8.1epss 0.01

    unicode-json is a unicode lookup table. unicode-json before 2.0.0 downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.

  • CVE-2016-10603HigJun 1, 2018
    risk 0.53cvss 8.1epss 0.02

    air-sdk is a NPM wrapper for the Adobe AIR SDK. air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the…

  • CVE-2016-10594HigJun 1, 2018
    risk 0.53cvss 8.1epss 0.01

    ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.

  • CVE-2016-10592HigJun 1, 2018
    risk 0.53cvss 8.1epss 0.01

    jser-stat is a JSer.info stat library. jser-stat downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.

  • CVE-2016-10574HigJun 1, 2018
    risk 0.53cvss 8.1epss 0.02

    apk-parser3 is a module to extract Android Manifest info from an APK file. apk-parser3 versions before 0.1.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…

  • CVE-2016-10569HigMay 31, 2018
    risk 0.53cvss 8.1epss 0.02

    embedza is a module to create HTML snippets/embeds from URLs using info from oEmbed, Open Graph, meta tags. embedza versions below 1.2.4 download JavaScript resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE)…

  • CVE-2016-10564HigMay 31, 2018
    risk 0.53cvss 8.1epss 0.01

    apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary…

  • CVE-2016-10562HigMay 31, 2018
    risk 0.53cvss 8.1epss 0.02

    iedriver is an NPM wrapper for Selenium IEDriver. iedriver versions below 3.0.0 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker…

  • CVE-2016-10698HigMay 29, 2018
    risk 0.53cvss 8.1epss 0.02

    mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an…

  • CVE-2016-10666HigMay 29, 2018
    risk 0.53cvss 8.1epss 0.02

    tomita-parser is a Node wrapper for Yandex Tomita Parser tomita-parser downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled…

  • CVE-2016-10658HigMay 29, 2018
    risk 0.53cvss 8.1epss 0.02

    native-opencv is the OpenCV library installed via npm native-opencv downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy…

  • CVE-2016-10593HigMay 29, 2018
    risk 0.53cvss 8.1epss 0.02

    ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…

  • CVE-2016-10590HigMay 29, 2018
    risk 0.53cvss 8.1epss 0.02

    cue-sdk-node is a Corsair Cue SDK wrapper for node.js. cue-sdk-node downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip…

  • CVE-2017-16086HigJun 7, 2018
    risk 0.52cvss 7.5epss 0.09

    ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header.

  • CVE-2016-10542HigMay 31, 2018
    risk 0.52cvss 7.5epss 0.08

    ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

  • CVE-2018-3730HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    mcstatic node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known path.

  • CVE-2018-3727HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    626 node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.

  • CVE-2018-3724HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    general-file-server node module suffers from a Path Traversal vulnerability due to lack of validation of currpath, which allows a malicious user to read content of any file with known path.

  • CVE-2017-16223HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16221HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    yzt is a simple file server. yzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16219HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    yttivy is a static file server. yttivy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16218HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    dgard8.lab6 is a static file server. dgard8.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16217HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    fbr-client sends files through sockets via socket.io and webRTC. fbr-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

  • CVE-2017-16212HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    ltt is a static file server. ltt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Page 1 of 4