News aggregator

CVE-2017-16053

National Vulnerability Database - Mon, 06/04/2018 - 15:29
`fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16054

National Vulnerability Database - Mon, 06/04/2018 - 15:29
`nodefabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16055

National Vulnerability Database - Mon, 06/04/2018 - 15:29
`sqlserver` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16016

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.
Categories: Security News

CVE-2017-16017

National Vulnerability Database - Mon, 06/04/2018 - 15:29
sanitize-html is a library for scrubbing html input for malicious values Versions 1.2.2 and below have a cross site scripting vulnerability.
Categories: Security News

CVE-2017-16018

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Restify is a framework for building REST APIs. Restify >=2.0.0 <=4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers.
Categories: Security News

CVE-2017-16019

National Vulnerability Database - Mon, 06/04/2018 - 15:29
GitBook is a command line tool (and Node.js library) for building beautiful books using GitHub/Git and Markdown (or AsciiDoc). Stored Cross-Site-Scripting (XSS) is possible in GitBook before 3.2.2 by including code outside of backticks in any ebook. This code will be executed on the online reader.
Categories: Security News

CVE-2017-16020

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name.
Categories: Security News

CVE-2017-16021

National Vulnerability Database - Mon, 06/04/2018 - 15:29
uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier.
Categories: Security News

CVE-2017-16022

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Morris.js creates an svg graph, with labels that appear when hovering over a point. The hovering label names are not escaped in versions 0.5.0 and earlier. If control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded.
Categories: Security News

CVE-2017-16023

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Decamelize is used to convert a dash/dot/underscore/space separated string to camelCase. Decamelize 1.1.0 through 1.1.1 uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack.
Categories: Security News

CVE-2017-16024

National Vulnerability Database - Mon, 06/04/2018 - 15:29
The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.
Categories: Security News

CVE-2017-16025

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out.
Categories: Security News

CVE-2017-16026

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Request is an http client. If a request is made using ```multipart```, and the body type is a ```number```, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.
Categories: Security News

CVE-2017-16028

National Vulnerability Database - Mon, 06/04/2018 - 15:29
react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).
Categories: Security News

CVE-2017-16029

National Vulnerability Database - Mon, 06/04/2018 - 15:29
hostr is a simple web server that serves up the contents of the current directory. There is a directory traversal vulnerability in hostr 2.3.5 and earlier that allows an attacker to read files outside the current directory by sending `../` in the url path for GET requests.
Categories: Security News

CVE-2017-16030

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier.
Categories: Security News

CVE-2017-16031

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
Categories: Security News

CVE-2017-16035

National Vulnerability Database - Mon, 06/04/2018 - 15:29
The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation.
Categories: Security News

CVE-2017-16036

National Vulnerability Database - Mon, 06/04/2018 - 15:29
`badjs-sourcemap-server` recieves files sent by `badjs-sourcemap`. `badjs-sourcemap-server` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
Categories: Security News

Pages