| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| `sqlserver` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `nodefabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `node-fabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `sqliter` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `sqlite.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `nodesqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `node-sqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `mariadb` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. |
| In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath. |
| In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath. |
| Password are stored in plaintext in nvram in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt. |
| ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues. |
| keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link. |
| Privilege escalation flaws were found in the Red Hat initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. |
| A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. |
