The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Node Modules ~ not comprehensive

vulnerability bulletin CVE-2018-20834

Node.js tar: file corruption

Synthesis of the vulnerability

A local attacker can create a hard link, in order to alter the pointed file, with privileges of Node.js tar.
Impacted products: Nodejs Modules ~ not comprehensive, RHEL.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 22/07/2019.
Identifiers: CVE-2018-20834, RHSA-2019:1821-01, VIGILANCE-VUL-29853.

Description of the vulnerability

A local attacker can create a hard link, in order to alter the pointed file, with privileges of Node.js tar.

computer vulnerability 29785

Node.js lodash: privilege escalation via Prototype Pollution

Synthesis of the vulnerability

An attacker can bypass restrictions via Prototype Pollution of Node.js lodash, in order to escalate his privileges.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: document.
Creation date: 16/07/2019.
Identifiers: NPM-1065, NPM-1066, NPM-1067, NPM-1068, NPM-1069, NPM-1070, NPM-1071, VIGILANCE-VUL-29785.

Description of the vulnerability

An attacker can bypass restrictions via Prototype Pollution of Node.js lodash, in order to escalate his privileges.

vulnerability announce 29662

Node.js apostrophe: open redirect

Synthesis of the vulnerability

An attacker can deceive the user of Node.js apostrophe, in order to redirect him to a malicious site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 01/07/2019.
Identifiers: NPM-1029, VIGILANCE-VUL-29662.

Description of the vulnerability

The apostrophe module can be installed on Node.js.

However, the web service redirects the victim, with no warning, to an external site indicated by the attacker.

An attacker can therefore deceive the user of Node.js apostrophe, in order to redirect him to a malicious site.

vulnerability 29640

Node.js ionic/core: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js ionic/core, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 27/06/2019.
Identifiers: NPM-1023, VIGILANCE-VUL-29640.

Description of the vulnerability

The ionic/core module can be installed on Node.js.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Node.js ionic/core, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin CVE-2019-10748

Node.js sequelize: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection of Node.js sequelize, in order to read or alter data.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 25/06/2019.
Identifiers: CVE-2019-10748, NPM-1017, NPM-1018, VIGILANCE-VUL-29618.

Description of the vulnerability

The Node.js sequelize product uses a database.

However, user-supplied data is inserted directly into a SQL query.

An attacker can therefore use a SQL injection of Node.js sequelize, in order to read or alter data.

computer vulnerability note 29529

Node.js resquel: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection of Node.js resquel, in order to read or alter data.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 13/06/2019.
Identifiers: NPM-963, VIGILANCE-VUL-29529.

Description of the vulnerability

The Node.js resquel product uses a database.

However, user-supplied data is inserted directly into a SQL query.

An attacker can therefore use a SQL injection of Node.js resquel, in order to read or alter data.

vulnerability announce 29502

Node.js ids-enterprise: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js ids-enterprise, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 11/06/2019.
Identifiers: NPM-955, NPM-956, NPM-957, VIGILANCE-VUL-29502.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js ids-enterprise, in order to run JavaScript code in the context of the web site.

computer vulnerability 29395

Node.js bootstrap: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js bootstrap, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 23/05/2019.
Identifiers: NPM-891, VIGILANCE-VUL-29395.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js bootstrap, in order to run JavaScript code in the context of the web site.

vulnerability bulletin 29373

Node.js algo-httpserv: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of Node.js algo-httpserv, in order to read a file outside the service root path.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 21/05/2019.
Identifiers: NPM-889, VIGILANCE-VUL-29373.

Description of the vulnerability

An attacker can traverse directories of Node.js algo-httpserv, in order to read a file outside the service root path.

computer vulnerability CVE-2019-13173

Node.js fstream: privilege escalation via File Overwrite

Synthesis of the vulnerability

An attacker can bypass restrictions via File Overwrite of Node.js fstream, in order to escalate his privileges.
Impacted products: Nodejs Modules ~ not comprehensive, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, data creation/edition.
Provenance: internet client.
Creation date: 15/05/2019.
Identifiers: CVE-2019-13173, NPM-886, openSUSE-SU-2019:1846-1, openSUSE-SU-2019:1907-1, SUSE-SU-2019:2055-1, SUSE-SU-2019:2078-1, SUSE-SU-2019:2081-1, SUSE-SU-2019:2099-1, SUSE-SU-2019:2181-1, USN-4123-1, VIGILANCE-VUL-29315.

Description of the vulnerability

An attacker can bypass restrictions via File Overwrite of Node.js fstream, in order to escalate his privileges.