News aggregator

CVE-2017-16114

National Vulnerability Database - Wed, 06/06/2018 - 22:29
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
Categories: Security News

CVE-2017-16115

National Vulnerability Database - Wed, 06/06/2018 - 22:29
The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.
Categories: Security News

CVE-2017-16116

National Vulnerability Database - Wed, 06/06/2018 - 22:29
The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
Categories: Security News

CVE-2017-16117

National Vulnerability Database - Wed, 06/06/2018 - 22:29
slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds.
Categories: Security News

CVE-2017-16118

National Vulnerability Database - Wed, 06/06/2018 - 22:29
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked, causing a denial of service condition.
Categories: Security News

CVE-2017-16119

National Vulnerability Database - Wed, 06/06/2018 - 22:29
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked, causing a denial of service condition.
Categories: Security News

CVE-2017-16074

National Vulnerability Database - Wed, 06/06/2018 - 22:29
crossenv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16075

National Vulnerability Database - Wed, 06/06/2018 - 22:29
http-proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16076

National Vulnerability Database - Wed, 06/06/2018 - 22:29
proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16077

National Vulnerability Database - Wed, 06/06/2018 - 22:29
mongose was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16078

National Vulnerability Database - Wed, 06/06/2018 - 22:29
shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16079

National Vulnerability Database - Wed, 06/06/2018 - 22:29
smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16080

National Vulnerability Database - Wed, 06/06/2018 - 22:29
nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16081

National Vulnerability Database - Wed, 06/06/2018 - 22:29
cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16082

National Vulnerability Database - Wed, 06/06/2018 - 22:29
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would be vulnerable. 1) Executing unsafe, user-supplied SQL which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.
Categories: Security News

CVE-2017-16083

National Vulnerability Database - Wed, 06/06/2018 - 22:29
node-simple-router is a minimalistic router for Node. node-simple-router is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
Categories: Security News

CVE-2017-16084

National Vulnerability Database - Wed, 06/06/2018 - 22:29
list-n-stream is a server for static files to list and stream local videos. list-n-stream v0.0.10 or lower is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
Categories: Security News

CVE-2017-16085

National Vulnerability Database - Wed, 06/06/2018 - 22:29
tinyserver2 is a webserver for static files. tinyserver2 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
Categories: Security News

CVE-2017-16086

National Vulnerability Database - Wed, 06/06/2018 - 22:29
ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header.
Categories: Security News

CVE-2017-16088

National Vulnerability Database - Wed, 06/06/2018 - 22:29
The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, unsanitized user input can access the entire standard library and effectively break out of the sandbox.
Categories: Security News
