Vendor CVEs
Hackerone
All CVEs
154 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16082 | Cri | 0.65 | 9.8 | 0.11 | Jun 7, 2018 | A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a… | ||
| CVE-2017-16020 | Cri | 0.64 | 9.8 | 0.03 | Jun 4, 2018 | Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name. | ||
| CVE-2015-9244 | Cri | 0.64 | 9.8 | 0.02 | May 29, 2018 | Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with `mysql.escape()` which could lead to SQL Injection. | ||
| CVE-2017-0903 | Cri | 0.58 | 9.8 | 0.16 | Oct 11, 2017 | RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. | ||
| CVE-2017-0899 | Cri | 0.58 | 9.8 | 0.11 | Aug 31, 2017 | RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. | ||
| CVE-2016-10551 | Cri | 0.57 | 9.8 | 0.02 | May 29, 2018 | waterline-sequel is a module that helps generate SQL statements for Waterline apps Any user input that goes into Waterline's `like`, `contains`, `startsWith`, or `endsWith` will end up in waterline-sequel with the potential for malicious code. A malicious user can input their… | ||
| CVE-2017-16035 | Hig | 0.53 | 8.1 | 0.01 | Jun 4, 2018 | The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP… | ||
| CVE-2016-10696 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | windows-latestchromedriver downloads the latest version of chromedriver.exe. windows-latestchromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested… | ||
| CVE-2016-10691 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | windows-seleniumjar is a module that downloads the Selenium Jar file windows-seleniumjar downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an… | ||
| CVE-2016-10689 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | The windows-iedriver module downloads fixed version of iedriverserver.exe windows-iedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an… | ||
| CVE-2016-10687 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | windows-selenium-chromedriver is a module that downloads the Selenium Jar file. windows-selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested… | ||
| CVE-2016-10678 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | serc.js is a Selenium RC process wrapper serc.js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is… | ||
| CVE-2016-10670 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | windows-seleniumjar-mirror downloads the Selenium Jar file windows-seleniumjar-mirror downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an… | ||
| CVE-2016-10669 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | soci downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the… | ||
| CVE-2016-10664 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | mystem is a Node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker… | ||
| CVE-2016-10662 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | tomita is a node wrapper for Yandex Tomita Parser tomita downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the… | ||
| CVE-2016-10656 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | qbs is a build tool that helps simplify the build process for developing projects across multiple platforms. qbs downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the… | ||
| CVE-2016-10654 | Hig | 0.53 | 8.1 | 0.01 | Jun 4, 2018 | sfml downloads resources over HTTP, which leaves it vulnerable to MITM attacks. | ||
| CVE-2016-10651 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | webdriver-launcher is a Node.js Selenium Webdriver Launcher. webdriver-launcher downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker… | ||
| CVE-2016-10649 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | frames-compiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in… | ||
| CVE-2016-10647 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | node-air-sdk is an AIR SDK for nodejs. node-air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker… | ||
| CVE-2016-10642 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is… | ||
| CVE-2016-10636 | Hig | 0.53 | 8.1 | 0.02 | Jun 4, 2018 | grunt-ccompiler is a Closure Compiler Grunt Plugin. grunt-ccompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary… | ||
| CVE-2016-10632 | Hig | 0.53 | 8.1 | 0.02 | Jun 1, 2018 | apk-parser2 is a module which extracts Android Manifest info from an APK file. apk-parser2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an… | ||
| CVE-2016-10622 | Hig | 0.53 | 8.1 | 0.02 | Jun 1, 2018 | nodeschnaps is a NodeJS compatibility layer for Java (Rhino). nodeschnaps downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled… | ||
| CVE-2016-10615 | Hig | 0.53 | 8.1 | 0.02 | Jun 1, 2018 | curses is bindings for the native curses library, a full featured console IO library. curses downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an… | ||
| CVE-2016-10610 | Hig | 0.53 | 8.1 | 0.01 | Jun 1, 2018 | unicode-json is a unicode lookup table. unicode-json before 2.0.0 downloads data resources over HTTP, which leaves it vulnerable to MITM attacks. | ||
| CVE-2016-10603 | Hig | 0.53 | 8.1 | 0.02 | Jun 1, 2018 | air-sdk is a NPM wrapper for the Adobe AIR SDK. air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the… | ||
| CVE-2016-10594 | Hig | 0.53 | 8.1 | 0.01 | Jun 1, 2018 | ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks. | ||
| CVE-2016-10592 | Hig | 0.53 | 8.1 | 0.01 | Jun 1, 2018 | jser-stat is a JSer.info stat library. jser-stat downloads data resources over HTTP, which leaves it vulnerable to MITM attacks. | ||
| CVE-2016-10574 | Hig | 0.53 | 8.1 | 0.02 | Jun 1, 2018 | apk-parser3 is a module to extract Android Manifest info from an APK file. apk-parser3 versions before 0.1.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested… | ||
| CVE-2016-10569 | Hig | 0.53 | 8.1 | 0.02 | May 31, 2018 | embedza is a module to create HTML snippets/embeds from URLs using info from oEmbed, Open Graph, meta tags. embedza versions below 1.2.4 download JavaScript resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE)… | ||
| CVE-2016-10564 | Hig | 0.53 | 8.1 | 0.01 | May 31, 2018 | apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary… | ||
| CVE-2016-10562 | Hig | 0.53 | 8.1 | 0.02 | May 31, 2018 | iedriver is an NPM wrapper for Selenium IEDriver. iedriver versions below 3.0.0 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker… | ||
| CVE-2016-10698 | Hig | 0.53 | 8.1 | 0.02 | May 29, 2018 | mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an… | ||
| CVE-2016-10666 | Hig | 0.53 | 8.1 | 0.02 | May 29, 2018 | tomita-parser is a Node wrapper for Yandex Tomita Parser tomita-parser downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled… | ||
| CVE-2016-10658 | Hig | 0.53 | 8.1 | 0.02 | May 29, 2018 | native-opencv is the OpenCV library installed via npm native-opencv downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy… | ||
| CVE-2016-10593 | Hig | 0.53 | 8.1 | 0.02 | May 29, 2018 | ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled… | ||
| CVE-2016-10590 | Hig | 0.53 | 8.1 | 0.02 | May 29, 2018 | cue-sdk-node is a Corsair Cue SDK wrapper for node.js. cue-sdk-node downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip… | ||
| CVE-2017-16086 | Hig | 0.52 | 7.5 | 0.09 | Jun 7, 2018 | ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header. | ||
| CVE-2016-10542 | Hig | 0.52 | 7.5 | 0.08 | May 31, 2018 | ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier. | ||
| CVE-2018-3730 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | mcstatic node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known path. | ||
| CVE-2018-3727 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | 626 node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path. | ||
| CVE-2018-3724 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | general-file-server node module suffers from a Path Traversal vulnerability due to lack of validation of currpath, which allows a malicious user to read content of any file with known path. | ||
| CVE-2017-16223 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | ||
| CVE-2017-16221 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | yzt is a simple file server. yzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | ||
| CVE-2017-16219 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | yttivy is a static file server. yttivy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | ||
| CVE-2017-16218 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | dgard8.lab6 is a static file server. dgard8.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | ||
| CVE-2017-16217 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | fbr-client sends files through sockets via socket.io and webRTC. fbr-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | ||
| CVE-2017-16212 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | ltt is a static file server. ltt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
- risk 0.65cvss 9.8epss 0.11
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a…
- risk 0.64cvss 9.8epss 0.03
Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name.
- risk 0.64cvss 9.8epss 0.02
Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with `mysql.escape()` which could lead to SQL Injection.
- risk 0.58cvss 9.8epss 0.16
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
- risk 0.58cvss 9.8epss 0.11
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
- risk 0.57cvss 9.8epss 0.02
waterline-sequel is a module that helps generate SQL statements for Waterline apps Any user input that goes into Waterline's `like`, `contains`, `startsWith`, or `endsWith` will end up in waterline-sequel with the potential for malicious code. A malicious user can input their…
- risk 0.53cvss 8.1epss 0.01
The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP…
- risk 0.53cvss 8.1epss 0.02
windows-latestchromedriver downloads the latest version of chromedriver.exe. windows-latestchromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…
- risk 0.53cvss 8.1epss 0.02
windows-seleniumjar is a module that downloads the Selenium Jar file windows-seleniumjar downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an…
- risk 0.53cvss 8.1epss 0.02
The windows-iedriver module downloads fixed version of iedriverserver.exe windows-iedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an…
- risk 0.53cvss 8.1epss 0.02
windows-selenium-chromedriver is a module that downloads the Selenium Jar file. windows-selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…
- risk 0.53cvss 8.1epss 0.02
serc.js is a Selenium RC process wrapper serc.js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is…
- risk 0.53cvss 8.1epss 0.02
windows-seleniumjar-mirror downloads the Selenium Jar file windows-seleniumjar-mirror downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an…
- risk 0.53cvss 8.1epss 0.02
soci downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the…
- risk 0.53cvss 8.1epss 0.02
mystem is a Node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker…
- risk 0.53cvss 8.1epss 0.02
tomita is a node wrapper for Yandex Tomita Parser tomita downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the…
- risk 0.53cvss 8.1epss 0.02
qbs is a build tool that helps simplify the build process for developing projects across multiple platforms. qbs downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the…
- risk 0.53cvss 8.1epss 0.01
sfml downloads resources over HTTP, which leaves it vulnerable to MITM attacks.
- risk 0.53cvss 8.1epss 0.02
webdriver-launcher is a Node.js Selenium Webdriver Launcher. webdriver-launcher downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker…
- risk 0.53cvss 8.1epss 0.02
frames-compiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in…
- risk 0.53cvss 8.1epss 0.02
node-air-sdk is an AIR SDK for nodejs. node-air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker…
- risk 0.53cvss 8.1epss 0.02
cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is…
- risk 0.53cvss 8.1epss 0.02
grunt-ccompiler is a Closure Compiler Grunt Plugin. grunt-ccompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary…
- risk 0.53cvss 8.1epss 0.02
apk-parser2 is a module which extracts Android Manifest info from an APK file. apk-parser2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an…
- risk 0.53cvss 8.1epss 0.02
nodeschnaps is a NodeJS compatibility layer for Java (Rhino). nodeschnaps downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…
- risk 0.53cvss 8.1epss 0.02
curses is bindings for the native curses library, a full featured console IO library. curses downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an…
- risk 0.53cvss 8.1epss 0.01
unicode-json is a unicode lookup table. unicode-json before 2.0.0 downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
- risk 0.53cvss 8.1epss 0.02
air-sdk is a NPM wrapper for the Adobe AIR SDK. air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the…
- risk 0.53cvss 8.1epss 0.01
ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
- risk 0.53cvss 8.1epss 0.01
jser-stat is a JSer.info stat library. jser-stat downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
- risk 0.53cvss 8.1epss 0.02
apk-parser3 is a module to extract Android Manifest info from an APK file. apk-parser3 versions before 0.1.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…
- risk 0.53cvss 8.1epss 0.02
embedza is a module to create HTML snippets/embeds from URLs using info from oEmbed, Open Graph, meta tags. embedza versions below 1.2.4 download JavaScript resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE)…
- risk 0.53cvss 8.1epss 0.01
apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary…
- risk 0.53cvss 8.1epss 0.02
iedriver is an NPM wrapper for Selenium IEDriver. iedriver versions below 3.0.0 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker…
- risk 0.53cvss 8.1epss 0.02
mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an…
- risk 0.53cvss 8.1epss 0.02
tomita-parser is a Node wrapper for Yandex Tomita Parser tomita-parser downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled…
- risk 0.53cvss 8.1epss 0.02
native-opencv is the OpenCV library installed via npm native-opencv downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy…
- risk 0.53cvss 8.1epss 0.02
ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…
- risk 0.53cvss 8.1epss 0.02
cue-sdk-node is a Corsair Cue SDK wrapper for node.js. cue-sdk-node downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip…
- risk 0.52cvss 7.5epss 0.09
ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header.
- risk 0.52cvss 7.5epss 0.08
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
- risk 0.49cvss 7.5epss 0.02
mcstatic node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known path.
- risk 0.49cvss 7.5epss 0.02
626 node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.
- risk 0.49cvss 7.5epss 0.02
general-file-server node module suffers from a Path Traversal vulnerability due to lack of validation of currpath, which allows a malicious user to read content of any file with known path.
- risk 0.49cvss 7.5epss 0.02
nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
yzt is a simple file server. yzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
yttivy is a static file server. yttivy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
dgard8.lab6 is a static file server. dgard8.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
fbr-client sends files through sockets via socket.io and webRTC. fbr-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
ltt is a static file server. ltt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
Page 1 of 4