VYPR

Vendor CVEs

Lumiverse

All CVEs

86 total · sorted by risk
  • CVE-2020-28440Dec 11, 2020
    risk 0.00cvss epss 0.02

    All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function.

  • CVE-2020-7788Dec 11, 2020
    risk 0.00cvss epss 0.04

    This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

  • CVE-2020-7779Nov 26, 2020
    risk 0.00cvss epss 0.02

    All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, --@------------------------------------------------------------------------------------------------------------------------!.

  • CVE-2020-7747Oct 20, 2020
    risk 0.00cvss epss 0.01

    This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.

  • CVE-2020-7739Oct 6, 2020
    risk 0.00cvss epss 0.01

    This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a url that will be passed to a PhantomJS instance allowing for an SSRF attack.

  • CVE-2020-7725Sep 1, 2020
    risk 0.00cvss epss 0.02

    All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function.

  • CVE-2020-7726Sep 1, 2020
    risk 0.00cvss epss 0.02

    All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.

  • CVE-2020-7723Sep 1, 2020
    risk 0.00cvss epss 0.02

    All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function.

  • CVE-2020-7721Sep 1, 2020
    risk 0.00cvss epss 0.02

    All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function.

  • CVE-2020-7722Sep 1, 2020
    risk 0.00cvss epss 0.02

    All versions of package nodee-utils are vulnerable to Prototype Pollution via the deepSet function.

  • CVE-2020-7718Sep 1, 2020
    risk 0.00cvss epss 0.02

    All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions.

  • CVE-2020-7716Sep 1, 2020
    risk 0.00cvss epss 0.02

    All versions of package deeps are vulnerable to Prototype Pollution via the set function.

  • CVE-2020-7687Jul 25, 2020
    risk 0.00cvss epss 0.02

    This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.

  • CVE-2020-7683Jul 25, 2020
    risk 0.00cvss epss 0.02

    This affects all versions of package rollup-plugin-server. There is no path sanitization in readFile operation performed inside the readFileFromContentBase function.

  • CVE-2020-7696Jul 17, 2020
    risk 0.00cvss epss 0.02

    This affects all versions of package react-native-fast-image. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session…

  • CVE-2020-7684Jul 17, 2020
    risk 0.00cvss epss 0.01

    This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation.

  • CVE-2020-15095Jul 7, 2020
    risk 0.00cvss epss 0.00

    Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and…

  • CVE-2020-7672Jun 10, 2020
    risk 0.00cvss epss 0.02

    mosc through 1.0.0 is vulnerable to Arbitrary Code Execution. User input provided to `properties` argument is executed by the `eval` function, resulting in code execution.

  • CVE-2020-6484May 21, 2020
    risk 0.00cvss epss 0.01

    Insufficient data validation in ChromeDriver in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted request.

  • CVE-2020-7618Apr 7, 2020
    risk 0.00cvss epss 0.01

    sds through 3.2.0 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'.

  • CVE-2020-7616Apr 7, 2020
    risk 0.00cvss epss 0.01

    express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack…

  • CVE-2020-7634Apr 6, 2020
    risk 0.00cvss epss 0.03

    heroku-addonpool through 0.1.15 is vulnerable to Command Injection.

  • CVE-2020-7603Mar 15, 2020
    risk 0.00cvss epss 0.03

    closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization.

  • CVE-2020-7604Mar 15, 2020
    risk 0.00cvss epss 0.03

    pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to…

  • CVE-2020-8128Feb 14, 2020
    risk 0.00cvss epss 0.03

    An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.

  • CVE-2007-6758Jan 23, 2020
    risk 0.00cvss epss 0.01

    Server-side request forgery (SSRF) vulnerability in feed-proxy.php in extjs 5.0.0.

  • CVE-2019-16777Dec 13, 2019
    risk 0.00cvss epss 0.02

    Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any…

  • CVE-2019-16776Dec 13, 2019
    risk 0.00cvss epss 0.03

    Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher…

  • CVE-2019-16775Dec 13, 2019
    risk 0.00cvss epss 0.03

    Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would…

  • CVE-2019-10769Dec 6, 2019
    risk 0.00cvss epss 0.03

    safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError.

  • CVE-2019-19466Dec 5, 2019
    risk 0.00cvss epss 0.01

    SCEditor 2.1.3 allows XSS.

  • CVE-2015-9286Apr 30, 2019
    risk 0.00cvss epss 0.01

    Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.

  • CVE-2019-5416Mar 17, 2019
    risk 0.00cvss epss 0.02

    A path traversal vulnerability in localhost-now npm package version 1.0.2 allows the attackers to read content of arbitrary files on the remote server.

  • CVE-2019-5417Mar 17, 2019
    risk 0.00cvss epss 0.02

    A path traversal vulnerability in serve npm package version 7.0.1 allows the attackers to read content of arbitrary files on the remote server.

  • CVE-2015-9282Feb 6, 2019
    risk 0.00cvss epss 0.01

    The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerable to XSS via legend data or tooltip data. When a chart is included in a Grafana dashboard, this vulnerability could allow an attacker to gain remote unauthenticated access to the dashboard.

  • CVE-2018-20524Dec 27, 2018
    risk 0.00cvss epss 0.01

    The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted use of < in a message, because a danmuWrapper DIV element in chatbox-only\danmu.js is outside the scope of a Content Security Policy (CSP).

Page 2 of 2