Total
316927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16048 | 1 Node-sqlite Project | 1 Node-sqlite | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| `node-sqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | |||||
| CVE-2017-16047 | 1 Mysqljs Project | 1 Mysqljs | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | |||||
| CVE-2017-16046 | 1 Mariadb | 1 Mariadb | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| `mariadb` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | |||||
| CVE-2017-16045 | 1 Jquery.js Project | 1 Jquery.js | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | |||||
| CVE-2017-16044 | 1 D3.js Project | 1 D3.js | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| `d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | |||||
| CVE-2017-16043 | 1 Shout Project | 1 Shout | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3. | |||||
| CVE-2017-16042 | 1 Growl Project | 1 Growl | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution. | |||||
| CVE-2017-16041 | 1 Ikst Project | 1 Ikst | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks. | |||||
| CVE-2017-16040 | 1 Gfe-sass Project | 1 Gfe-sass | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| gfe-sass is a library for promises (CommonJS/Promises/A,B,D) gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server. | |||||
| CVE-2017-16039 | 1 Hftp Project | 1 Hftp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| `hftp` is a static http or ftp server `hftp` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |||||
| CVE-2017-16038 | 1 F2e-server Project | 1 F2e-server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| `f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. This is compounded by `f2e-server` requiring elevated privileges to run. | |||||
| CVE-2017-16037 | 1 Gomeplus-h5-proxy Project | 1 Gomeplus-h5-proxy | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| `gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allowing attackers to access any file in the system by placing '../' in the URL. | |||||
| CVE-2017-16036 | 1 Badjs-sourcemap-server Project | 1 Badjs-sourcemap-server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| `badjs-sourcemap-server` receives files sent by `badjs-sourcemap`. `badjs-sourcemap-server` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |||||
| CVE-2017-16035 | 1 Hubspot | 1 Hubl-server | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation. | |||||
| CVE-2017-16031 | 1 Socket | 1 Socket.io | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information. | |||||
| CVE-2017-16030 | 1 Useragent Project | 1 Useragent | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier. | |||||
| CVE-2017-16029 | 1 Hostr Project | 1 Hostr | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| hostr is a simple web server that serves up the contents of the current directory. There is a directory traversal vulnerability in hostr 2.3.5 and earlier that allows an attacker to read files outside the current directory by sending `../` in the url path for GET requests. | |||||
| CVE-2017-16028 | 1 Randomatic Project | 1 Randomatic | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()). | |||||
| CVE-2017-16026 | 1 Request Project | 1 Request | 2024-11-21 | 7.1 HIGH | 5.9 MEDIUM |
| Request is an http client. If a request is made using ```multipart```, and the body type is a ```number```, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0. | |||||
| CVE-2017-16025 | 1 Hapijs | 1 Nes | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out. | |||||