Vendor CVEs
Lumiverse
All CVEs
86 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-28440 | 0.00 | — | 0.02 | Dec 11, 2020 | All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function. | |||
| CVE-2020-7788 | 0.00 | — | 0.04 | Dec 11, 2020 | This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. | |||
| CVE-2020-7779 | 0.00 | — | 0.02 | Nov 26, 2020 | All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, --@------------------------------------------------------------------------------------------------------------------------!. | |||
| CVE-2020-7747 | 0.00 | — | 0.01 | Oct 20, 2020 | This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller. | |||
| CVE-2020-7739 | 0.00 | — | 0.01 | Oct 6, 2020 | This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a url that will be passed to a PhantomJS instance allowing for an SSRF attack. | |||
| CVE-2020-7725 | 0.00 | — | 0.02 | Sep 1, 2020 | All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function. | |||
| CVE-2020-7726 | 0.00 | — | 0.02 | Sep 1, 2020 | All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function. | |||
| CVE-2020-7723 | 0.00 | — | 0.02 | Sep 1, 2020 | All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function. | |||
| CVE-2020-7721 | 0.00 | — | 0.02 | Sep 1, 2020 | All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function. | |||
| CVE-2020-7722 | 0.00 | — | 0.02 | Sep 1, 2020 | All versions of package nodee-utils are vulnerable to Prototype Pollution via the deepSet function. | |||
| CVE-2020-7718 | 0.00 | — | 0.02 | Sep 1, 2020 | All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions. | |||
| CVE-2020-7716 | 0.00 | — | 0.02 | Sep 1, 2020 | All versions of package deeps are vulnerable to Prototype Pollution via the set function. | |||
| CVE-2020-7687 | 0.00 | — | 0.02 | Jul 25, 2020 | This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js. | |||
| CVE-2020-7683 | 0.00 | — | 0.02 | Jul 25, 2020 | This affects all versions of package rollup-plugin-server. There is no path sanitization in readFile operation performed inside the readFileFromContentBase function. | |||
| CVE-2020-7696 | 0.00 | — | 0.02 | Jul 17, 2020 | This affects all versions of package react-native-fast-image. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session… | |||
| CVE-2020-7684 | 0.00 | — | 0.01 | Jul 17, 2020 | This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation. | |||
| CVE-2020-15095 | 0.00 | — | 0.00 | Jul 7, 2020 | Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and… | |||
| CVE-2020-7672 | 0.00 | — | 0.02 | Jun 10, 2020 | mosc through 1.0.0 is vulnerable to Arbitrary Code Execution. User input provided to `properties` argument is executed by the `eval` function, resulting in code execution. | |||
| CVE-2020-6484 | 0.00 | — | 0.01 | May 21, 2020 | Insufficient data validation in ChromeDriver in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted request. | |||
| CVE-2020-7618 | 0.00 | — | 0.01 | Apr 7, 2020 | sds through 3.2.0 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'. | |||
| CVE-2020-7616 | 0.00 | — | 0.01 | Apr 7, 2020 | express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack… | |||
| CVE-2020-7634 | 0.00 | — | 0.03 | Apr 6, 2020 | heroku-addonpool through 0.1.15 is vulnerable to Command Injection. | |||
| CVE-2020-7603 | 0.00 | — | 0.03 | Mar 15, 2020 | closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization. | |||
| CVE-2020-7604 | 0.00 | — | 0.03 | Mar 15, 2020 | pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to… | |||
| CVE-2020-8128 | 0.00 | — | 0.03 | Feb 14, 2020 | An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code. | |||
| CVE-2007-6758 | 0.00 | — | 0.01 | Jan 23, 2020 | Server-side request forgery (SSRF) vulnerability in feed-proxy.php in extjs 5.0.0. | |||
| CVE-2019-16777 | 0.00 | — | 0.02 | Dec 13, 2019 | Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any… | |||
| CVE-2019-16776 | 0.00 | — | 0.03 | Dec 13, 2019 | Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher… | |||
| CVE-2019-16775 | 0.00 | — | 0.03 | Dec 13, 2019 | Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would… | |||
| CVE-2019-10769 | 0.00 | — | 0.03 | Dec 6, 2019 | safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError. | |||
| CVE-2019-19466 | 0.00 | — | 0.01 | Dec 5, 2019 | SCEditor 2.1.3 allows XSS. | |||
| CVE-2015-9286 | 0.00 | — | 0.01 | Apr 30, 2019 | Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS. | |||
| CVE-2019-5416 | 0.00 | — | 0.02 | Mar 17, 2019 | A path traversal vulnerability in localhost-now npm package version 1.0.2 allows the attackers to read content of arbitrary files on the remote server. | |||
| CVE-2019-5417 | 0.00 | — | 0.02 | Mar 17, 2019 | A path traversal vulnerability in serve npm package version 7.0.1 allows the attackers to read content of arbitrary files on the remote server. | |||
| CVE-2015-9282 | 0.00 | — | 0.01 | Feb 6, 2019 | The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerable to XSS via legend data or tooltip data. When a chart is included in a Grafana dashboard, this vulnerability could allow an attacker to gain remote unauthenticated access to the dashboard. | |||
| CVE-2018-20524 | 0.00 | — | 0.01 | Dec 27, 2018 | The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted use of < in a message, because a danmuWrapper DIV element in chatbox-only\danmu.js is outside the scope of a Content Security Policy (CSP). |
- CVE-2020-28440Dec 11, 2020risk 0.00cvss —epss 0.02
All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function.
- CVE-2020-7788Dec 11, 2020risk 0.00cvss —epss 0.04
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
- CVE-2020-7779Nov 26, 2020risk 0.00cvss —epss 0.02
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, --@------------------------------------------------------------------------------------------------------------------------!.
- CVE-2020-7747Oct 20, 2020risk 0.00cvss —epss 0.01
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.
- CVE-2020-7739Oct 6, 2020risk 0.00cvss —epss 0.01
This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a url that will be passed to a PhantomJS instance allowing for an SSRF attack.
- CVE-2020-7725Sep 1, 2020risk 0.00cvss —epss 0.02
All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function.
- CVE-2020-7726Sep 1, 2020risk 0.00cvss —epss 0.02
All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.
- CVE-2020-7723Sep 1, 2020risk 0.00cvss —epss 0.02
All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function.
- CVE-2020-7721Sep 1, 2020risk 0.00cvss —epss 0.02
All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function.
- CVE-2020-7722Sep 1, 2020risk 0.00cvss —epss 0.02
All versions of package nodee-utils are vulnerable to Prototype Pollution via the deepSet function.
- CVE-2020-7718Sep 1, 2020risk 0.00cvss —epss 0.02
All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions.
- CVE-2020-7716Sep 1, 2020risk 0.00cvss —epss 0.02
All versions of package deeps are vulnerable to Prototype Pollution via the set function.
- CVE-2020-7687Jul 25, 2020risk 0.00cvss —epss 0.02
This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.
- CVE-2020-7683Jul 25, 2020risk 0.00cvss —epss 0.02
This affects all versions of package rollup-plugin-server. There is no path sanitization in readFile operation performed inside the readFileFromContentBase function.
- CVE-2020-7696Jul 17, 2020risk 0.00cvss —epss 0.02
This affects all versions of package react-native-fast-image. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session…
- CVE-2020-7684Jul 17, 2020risk 0.00cvss —epss 0.01
This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation.
- CVE-2020-15095Jul 7, 2020risk 0.00cvss —epss 0.00
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and…
- CVE-2020-7672Jun 10, 2020risk 0.00cvss —epss 0.02
mosc through 1.0.0 is vulnerable to Arbitrary Code Execution. User input provided to `properties` argument is executed by the `eval` function, resulting in code execution.
- CVE-2020-6484May 21, 2020risk 0.00cvss —epss 0.01
Insufficient data validation in ChromeDriver in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted request.
- CVE-2020-7618Apr 7, 2020risk 0.00cvss —epss 0.01
sds through 3.2.0 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'.
- CVE-2020-7616Apr 7, 2020risk 0.00cvss —epss 0.01
express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack…
- CVE-2020-7634Apr 6, 2020risk 0.00cvss —epss 0.03
heroku-addonpool through 0.1.15 is vulnerable to Command Injection.
- CVE-2020-7603Mar 15, 2020risk 0.00cvss —epss 0.03
closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization.
- CVE-2020-7604Mar 15, 2020risk 0.00cvss —epss 0.03
pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to…
- CVE-2020-8128Feb 14, 2020risk 0.00cvss —epss 0.03
An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.
- CVE-2007-6758Jan 23, 2020risk 0.00cvss —epss 0.01
Server-side request forgery (SSRF) vulnerability in feed-proxy.php in extjs 5.0.0.
- CVE-2019-16777Dec 13, 2019risk 0.00cvss —epss 0.02
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any…
- CVE-2019-16776Dec 13, 2019risk 0.00cvss —epss 0.03
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher…
- CVE-2019-16775Dec 13, 2019risk 0.00cvss —epss 0.03
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would…
- CVE-2019-10769Dec 6, 2019risk 0.00cvss —epss 0.03
safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError.
- CVE-2019-19466Dec 5, 2019risk 0.00cvss —epss 0.01
SCEditor 2.1.3 allows XSS.
- CVE-2015-9286Apr 30, 2019risk 0.00cvss —epss 0.01
Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.
- CVE-2019-5416Mar 17, 2019risk 0.00cvss —epss 0.02
A path traversal vulnerability in localhost-now npm package version 1.0.2 allows the attackers to read content of arbitrary files on the remote server.
- CVE-2019-5417Mar 17, 2019risk 0.00cvss —epss 0.02
A path traversal vulnerability in serve npm package version 7.0.1 allows the attackers to read content of arbitrary files on the remote server.
- CVE-2015-9282Feb 6, 2019risk 0.00cvss —epss 0.01
The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerable to XSS via legend data or tooltip data. When a chart is included in a Grafana dashboard, this vulnerability could allow an attacker to gain remote unauthenticated access to the dashboard.
- CVE-2018-20524Dec 27, 2018risk 0.00cvss —epss 0.01
The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted use of < in a message, because a danmuWrapper DIV element in chatbox-only\danmu.js is outside the scope of a Content Security Policy (CSP).
Page 2 of 2