Vulnerabilities in HackerOne

470 results
CVE-2017-16088 (EPSS 3.5%): The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access t

CVE-2017-16197 (EPSS 3.2%): qinserve is a static file server. qinserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by plac

CVE-2018-16492 (EPSS 3.0%): A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto O

CVE-2017-16137 (EPSS 2.8%): The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes ar

CVE-2017-16151 (EPSS 2.7%): Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects al

CVE-2017-16026 (EPSS 2.6%): Request is an http client. If a request is made using `multipart`, and the body type is a `number`, then the specified number of non

CVE-2016-10546 (EPSS 2.6%): An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and de

CVE-2017-16024 (EPSS 2.6%): The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before

CVE-2017-16038 (EPSS 2.5%): `f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../"

CVE-2016-10525 (EPSS 2.5%): When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass aut

CVE-2017-16020 (EPSS 2.5%): Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary

CVE-2016-10523 (EPSS 2.5%): MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted MQTT packets to crash the application, making a DoS attack feasible wit

CVE-2015-9244 (EPSS 2.4%): Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with `mysql.escape()` which could lead to SQL Injection.

CVE-2018-3721 (EPSS 2.4%): lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mer

CVE-2018-3732 (EPSS 2.4%): resolve-path node module before 1.4.0 suffers from a Path Traversal vulnerability due to lack of validation of paths with certain special ch

CVE-2016-10532 (EPSS 2.4%): console-io is a module that allows users to implement a web console in their application. A malicious user could bypass the authentication a

CVE-2016-10593 (EPSS 2.3%): ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks

CVE-2017-16003 (EPSS 2.3%): windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download reso

CVE-2018-3744 (EPSS 2.3%): The html-pages node module contains a path traversal vulnerability that allows an attacker to read any file from the server with cURL.

CVE-2016-10541 (EPSS 2.2%): The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that