The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Node.js Modules ~ not comprehensive

threat alert CVE-2018-1002203

Node.js unzipper: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of Node.js unzipper, in order to create a file outside the service root path. This vulnerability is a member of the Zip Slip family (VIGILANCE-VUL-26357).
Severity: 2/4.
Creation date: 13/06/2018.
Identifiers: CVE-2018-1002203, VIGILANCE-VUL-26401.
Full Vigil@nce bulletin... (Free trial)


weakness announce CVE-2018-1002204

Node.js adm-zip: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of Node.js adm-zip, in order to create a file outside the service root path. This vulnerability is a member of the Zip Slip family (VIGILANCE-VUL-26357).
Severity: 2/4.
Creation date: 13/06/2018.
Identifiers: CVE-2018-1002204, VIGILANCE-VUL-26400.


weakness announce 26312

Node.js serve: file reading

Synthesis of the vulnerability

A local attacker can read a file of Node.js serve, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 04/06/2018.
Identifiers: VIGILANCE-VUL-26312.


cybersecurity weakness 26311

Node.js sexstatic: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js sexstatic, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Creation date: 04/06/2018.
Identifiers: VIGILANCE-VUL-26311.


cybersecurity announce CVE-2018-3757

Node.js pdf-image: code execution via pdfFilePath

Synthesis of the vulnerability

An attacker can use a vulnerability via pdfFilePath of Node.js pdf-image, in order to run code.
Severity: 2/4.
Creation date: 04/06/2018.
Identifiers: CVE-2018-3757, VIGILANCE-VUL-26310.


cybersecurity weakness 26267

Node.js base64url: information disclosure

Synthesis of the vulnerability

A local attacker can read a memory fragment of Node.js base64url, in order to obtain sensitive information.
Severity: 1/4.
Creation date: 30/05/2018.
Identifiers: FEDORA-2018-6f962c5533, FEDORA-2018-b64b73ae61, VIGILANCE-VUL-26267.


cybersecurity announce CVE-2018-3719

Node.js mixin-deep: vulnerability

Synthesis of the vulnerability

A vulnerability of Node.js mixin-deep was announced.
Severity: 2/4.
Creation date: 30/05/2018.
Identifiers: CVE-2018-3719, FEDORA-2018-ab62814cee, VIGILANCE-VUL-26266.


weakness bulletin 26238

Node.js deep-extend: vulnerability via Prototype Pollution

Synthesis of the vulnerability

A vulnerability via Prototype Pollution of Node.js deep-extend was announced.
Severity: 2/4.
Creation date: 28/05/2018.
Identifiers: FEDORA-2018-636f73964f, VIGILANCE-VUL-26238.


cybersecurity threat 26205

Node.js hekto: open redirect

Synthesis of the vulnerability

An attacker can deceive the user of Node.js hekto, in order to redirect them to a malicious site.
Severity: 1/4.
Creation date: 23/05/2018.
Identifiers: VIGILANCE-VUL-26205.

Description of the vulnerability

The hekto module can be installed on Node.js.

However, the web service redirects the victim, with no warning, to an external site indicated by the attacker.

An attacker can therefore deceive the user of Node.js hekto, in order to redirect them to a malicious site.

computer threat note 26164

Node.js react-marked-markdown: Cross Site Scripting via HREF Attributes

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via HREF Attributes of Node.js react-marked-markdown, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Creation date: 18/05/2018.
Identifiers: VIGILANCE-VUL-26164.

Description of the vulnerability

The react-marked-markdown module can be installed on Node.js.

However, it does not filter data received via HREF attributes before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via HREF Attributes of Node.js react-marked-markdown, in order to run JavaScript code in the context of the web site.