Security News

CVE-2016-10698

National Vulnerability Database - Tue, 05/29/2018 - 16:29
mystem-fix is a node.js wrapper for MyStem, the morphological text analyzer by Yandex.ru. mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned between the user and the remote server.
Categories: Security News

CVE-2017-16003

National Vulnerability Database - Tue, 05/29/2018 - 16:29
windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves them vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned between the user and the remote server.
Categories: Security News

CVE-2017-16010

National Vulnerability Database - Tue, 05/29/2018 - 16:29
i18next is a language translation framework. When the .init method is called with interpolation options that do not include escapeValue, escapeValue defaults to undefined rather than the assumed true. This results in a cross-site scripting vulnerability because user input is assumed to be escaped but is not. This vulnerability affects i18next 2.0.0 and later.
Categories: Security News

CVE-2017-16047

National Vulnerability Database - Tue, 05/29/2018 - 16:29
mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16061

National Vulnerability Database - Tue, 05/29/2018 - 16:29
tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16062

National Vulnerability Database - Tue, 05/29/2018 - 16:29
node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16153

National Vulnerability Database - Tue, 05/29/2018 - 16:29
gaoxuyan is vulnerable to a directory traversal issue: placing "../" in the URL gives an attacker access to the filesystem outside the intended directory.
Categories: Security News

CVE-2018-10466

National Vulnerability Database - Tue, 05/29/2018 - 16:29
Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection.
Categories: Security News

CVE-2018-10751

National Vulnerability Database - Tue, 05/29/2018 - 16:29
A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload. This is due to an integer overflow in memory allocation for this string. The Samsung ID is SVE-2018-11463.
Categories: Security News

CVE-2018-11027

National Vulnerability Database - Tue, 05/29/2018 - 16:29
A reflected XSS vulnerability on Ruckus ICX7450-48 devices allows remote attackers to inject arbitrary web script or HTML.
Categories: Security News

CVE-2018-11392

National Vulnerability Database - Tue, 05/29/2018 - 16:29
An arbitrary file upload vulnerability in /classes/profile.class.php in Jigowatt "PHP Login & User Management" before 4.1.1, as distributed in the Envato Market, allows any remote authenticated user to upload .php files to the web server via a profile avatar field. This results in arbitrary code execution by requesting the .php file.
Categories: Security News

CVE-2018-3733

National Vulnerability Database - Tue, 05/29/2018 - 16:29
crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of the URL, which allows a malicious user to read the contents of any file whose path is known.
Categories: Security News

CVE-2018-3734

National Vulnerability Database - Tue, 05/29/2018 - 16:29
stattic node module suffers from a Path Traversal vulnerability due to lack of validation of the path, which allows a malicious user to read the contents of any file whose path is known.
Categories: Security News

CVE-2018-3744

National Vulnerability Database - Tue, 05/29/2018 - 16:29
The html-pages node module contains a path traversal vulnerability that allows an attacker to read any file from the server, for example with cURL.
Categories: Security News

CVE-2018-3745

National Vulnerability Database - Tue, 05/29/2018 - 16:29
atob 2.0.3 and earlier allocates uninitialized Buffers when a number is passed as input on Node.js 4.x and below.
Categories: Security News

CVE-2018-6964

National Vulnerability Database - Tue, 05/29/2018 - 16:29
VMware Horizon Client for Linux (4.x before 4.8.0, and earlier releases) contains a local privilege escalation vulnerability due to insecure usage of a SUID binary. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on a Linux machine where Horizon Client is installed.
Categories: Security News

CVE-2016-10570

National Vulnerability Database - Tue, 05/29/2018 - 16:29
pngcrush-installer is an installer for Pngcrush. pngcrush-installer versions below 1.8.10 download binary resources over HTTP, which leaves them vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned between the user and the remote server.
Categories: Security News

CVE-2016-10573

National Vulnerability Database - Tue, 05/29/2018 - 16:29
baryton-saxophone is a module to install and launch Selenium Server for Mac, Linux and Windows. baryton-saxophone versions below 3.0.1 download binary resources over HTTP, which leaves them vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned between the user and the remote server.
Categories: Security News

CVE-2016-10577

National Vulnerability Database - Tue, 05/29/2018 - 16:29
ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. ibm_db before 1.0.2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned between the user and the remote server.
Categories: Security News

CVE-2016-10578

National Vulnerability Database - Tue, 05/29/2018 - 16:29
unicode loads Unicode data downloaded from unicode.org into Node.js. unicode before 9.0.0 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.
Categories: Security News
