The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Nodejs Modules ~ not comprehensive

vulnerability bulletin 20393

Node.js swagger-ui: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js swagger-ui, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 16/08/2016.
Identifiers: VIGILANCE-VUL-20393.

Description of the vulnerability

The swagger-ui module can be installed on Node.js. It renders interactive API documentation from a received API description.

However, it does not escape values taken from that description before inserting them into the HTML it generates.

An attacker can therefore trigger a Cross Site Scripting of Node.js swagger-ui, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability announcement CVE-2016-10540

Node.js minimatch: denial of service via RegExp

Synthesis of the vulnerability

An attacker can generate a fatal error via RegExp of Node.js minimatch, in order to trigger a denial of service.
Impacted products: Nodejs Modules ~ not comprehensive, RHEL.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/08/2016.
Identifiers: CVE-2016-1000023-REJECT, CVE-2016-10540, RHSA-2016:1582-01, RHSA-2016:1583-01, VIGILANCE-VUL-20342.

Description of the vulnerability

The minimatch module converts glob patterns into JavaScript regular expressions. However, a crafted pattern yields a regular expression whose evaluation time grows catastrophically with the input (a regular expression denial of service, ReDoS), so an attacker who controls the pattern can keep the single-threaded Node.js event loop busy and trigger a denial of service.
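The bulletin does not reproduce the crafted pattern. The following block is an added example, not minimatch's code, showing the general hardening a glob-to-RegExp translator needs: the naive translator copies the user's pattern into a RegExp, so the "glob" (a+)+ becomes the classic catastrophic /^(a+)+$/; the hardened one escapes every metacharacter, bounds pattern length and wildcard count (MAX_PATTERN_LENGTH and MAX_WILDCARDS are illustrative values chosen for this demo, not any library's limits) and never lets a star cross a path separator.

```javascript
'use strict';
// Added example, not minimatch's code. A glob matcher that compiles the pattern
// into a RegExp must treat the pattern as untrusted: metacharacters that reach
// the RegExp verbatim, or unbounded repetition, let an attacker hand the engine
// a pattern that backtracks exponentially (ReDoS).

// Naive translator: rewrites '*' and drops everything else into the RegExp
// unchanged, so the "glob" '(a+)+' becomes the catastrophic /^(a+)+$/.
function naiveGlobToRegExp(pattern) {
  return new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
}

// Hardened translator. Both limits are illustrative values for this demo.
const MAX_PATTERN_LENGTH = 1024;
const MAX_WILDCARDS = 16;

function safeGlobToRegExp(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('pattern must be a string');
  if (pattern.length > MAX_PATTERN_LENGTH) throw new RangeError('pattern is too long');
  let wildcards = 0;
  let out = '^';
  for (const ch of pattern) {
    if (ch === '*') {
      if (out.endsWith('[^/]*')) continue;           // collapse '**' into one star
      if (++wildcards > MAX_WILDCARDS) throw new RangeError('too many wildcards');
      out += '[^/]*';                                 // a star never crosses '/'
    } else if (ch === '?') {
      if (++wildcards > MAX_WILDCARDS) throw new RangeError('too many wildcards');
      out += '[^/]';
    } else {
      out += ch.replace(/[.*+?^${}()|[\]\\\/]/, '\\$&'); // metacharacters become literals
    }
  }
  return new RegExp(out + '$');
}

// Times one match so the growth can be observed. Keep n small (<= 20): the
// naive RegExp doubles its work with every extra 'a'.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  return { matched, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

function demo(n = 16) {
  const attackerPattern = '(a+)+';
  const input = 'a'.repeat(n) + '!';   // almost matches, which forces backtracking
  return {
    naive: timeMatch(naiveGlobToRegExp(attackerPattern), input),
    safe: timeMatch(safeGlobToRegExp(attackerPattern), input),
    // The hardened translator treats the attacker's text as a literal string.
    safeLiteral: safeGlobToRegExp(attackerPattern).test('(a+)+'),
  };
}
```

demo(n) times one match for both translators; raising n past about 22 makes the naive RegExp take seconds per call, which is the denial of service, while the hardened one stays linear because the attacker's parentheses and plus signs are literals.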

vulnerability 20320

Node.js node-krb5: privilege escalation

Synthesis of the vulnerability

An attacker can spoof a KDC for Node.js node-krb5, in order to escalate his privileges.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet server.
Creation date: 05/08/2016.
Identifiers: VIGILANCE-VUL-20320.

Description of the vulnerability

The node-krb5 module can be installed on Node.js to add Kerberos authentication.

A Kerberos client first authenticates to a Key Distribution Center (KDC), which replies with credentials for the user. However, the node-krb5 module does not verify that this reply really comes from the legitimate KDC, so an attacker who can answer in the KDC's place can make forged credentials appear valid.

An attacker can therefore spoof a KDC for Node.js node-krb5, in order to escalate his privileges.

computer vulnerability announcement 20287

Node.js sanitize-html: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js sanitize-html, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 02/08/2016.
Identifiers: VIGILANCE-VUL-20287.

Description of the vulnerability

The sanitize-html module can be installed on Node.js to strip disallowed tags and attributes from untrusted HTML.

However, some received data is not filtered before being inserted into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Node.js sanitize-html, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin 20268

Node.js ezseed-transmission: Man-in-the-Middle

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on Node.js ezseed-transmission, in order to read or write data in the session.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 01/08/2016.
Identifiers: VIGILANCE-VUL-20268.

Description of the vulnerability

The Node.js ezseed-transmission product uses the TLS protocol in order to create secure sessions.

However, the server's X.509 certificate and the service identity it asserts are not correctly checked, so a certificate that is not valid for the expected server is accepted.

An attacker can therefore act as a Man-in-the-Middle on Node.js ezseed-transmission, in order to read or write data in the session.

computer vulnerability alert 20216

Node.js fuelux: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js fuelux, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/07/2016.
Identifiers: VIGILANCE-VUL-20216.

Description of the vulnerability

The fuelux module can be installed on Node.js. It provides a set of web user-interface controls.

However, it does not escape data received for those controls before inserting it into the HTML it generates.

An attacker can therefore trigger a Cross Site Scripting of Node.js fuelux, in order to run JavaScript code in the context of the web site.

computer vulnerability 20215

Node.js jqTree: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js jqTree, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/07/2016.
Identifiers: VIGILANCE-VUL-20215.

Description of the vulnerability

The jqTree module can be installed on Node.js. It is a jQuery widget that renders a tree from a data structure.

However, it does not escape the received tree data before inserting it into the HTML it generates.

An attacker can therefore trigger a Cross Site Scripting of Node.js jqTree, in order to run JavaScript code in the context of the web site.

vulnerability note 20214

Node.js swagger-ui: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js swagger-ui, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/07/2016.
Identifiers: VIGILANCE-VUL-20214.

Description of the vulnerability

The swagger-ui module can be installed on Node.js. It renders interactive API documentation from a received API description.

However, it does not escape values taken from that description before inserting them into the HTML it generates.

An attacker can therefore trigger a Cross Site Scripting of Node.js swagger-ui, in order to run JavaScript code in the context of the web site.

vulnerability bulletin 20213

Node.js emojione: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js emojione, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/07/2016.
Identifiers: VIGILANCE-VUL-20213.

Description of the vulnerability

The emojione module can be installed on Node.js. It converts emoji shortcodes and Unicode emoji in text into HTML image markup.

However, it does not escape the received text before inserting it into the HTML it generates.

An attacker can therefore trigger a Cross Site Scripting of Node.js emojione, in order to run JavaScript code in the context of the web site.

vulnerability announcement 20212

Node.js rendr-handlebars: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js rendr-handlebars, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/07/2016.
Identifiers: VIGILANCE-VUL-20212.

Description of the vulnerability

The rendr-handlebars module can be installed on Node.js. It provides Handlebars template helpers for the Rendr framework.

However, it does not escape received data before inserting it into the HTML it generates.

An attacker can therefore trigger a Cross Site Scripting of Node.js rendr-handlebars, in order to run JavaScript code in the context of the web site.
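The rendering flaw behind this bulletin and the other Cross Site Scripting bulletins on this page (swagger-ui, sanitize-html, fuelux, jqTree, emojione) is the same: values from a received document are concatenated into HTML. The block below is an added example, not code from any of those modules. untrustedDoc is a constructed stand-in for such a document (an API description, a tree definition, a template context), the http(s)-only policy in safeHref is an assumption made for the demo, and containsInjectedMarkup is a crude regression check written here, not a sanitizer.

```javascript
'use strict';
// Added example, not code from swagger-ui, sanitize-html, fuelux, jqTree,
// emojione or rendr-handlebars. Shows the shared mistake (untrusted values
// concatenated into HTML) and the fix: escape per context, and restrict the
// URL scheme where a value becomes a link target.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed "received document": labels and link targets come from an
// untrusted source, for instance a remote API description or tree definition.
const untrustedDoc = {
  title: 'Pet store <img src=x onerror=alert(document.cookie)>',
  nodes: [
    { label: 'Users', href: 'https://example.test/users' },
    { label: '" autofocus onfocus="alert(1)', href: 'javascript:alert(2)' },
  ],
};

// Vulnerable renderer: every value is inserted verbatim, in text, attribute
// and URL context alike.
function renderVulnerable(doc) {
  let html = `<h1>${doc.title}</h1><ul>`;
  for (const n of doc.nodes) html += `<li><a href="${n.href}">${n.label}</a></li>`;
  return html + '</ul>';
}

// Link targets: only http(s) URLs are allowed (assumed policy for this demo);
// anything else, including javascript: and unparsable values, becomes '#'.
function safeHref(url) {
  try {
    const u = new URL(String(url), 'https://invalid.example');
    return (u.protocol === 'https:' || u.protocol === 'http:') ? escapeHtml(url) : '#';
  } catch { return '#'; }
}

// Hardened renderer: text and attribute values are escaped, URLs are policed.
function renderSafe(doc) {
  let html = `<h1>${escapeHtml(doc.title)}</h1><ul>`;
  for (const n of doc.nodes) {
    html += `<li><a href="${safeHref(n.href)}">${escapeHtml(n.label)}</a></li>`;
  }
  return html + '</ul>';
}

// Crude regression check for rendered output: an injected tag, an event
// handler attribute with a real quote, or a javascript: link target means an
// untrusted value escaped its context. Escaped text such as "onfocus=&quot;"
// does not match, which is the point.
function containsInjectedMarkup(html) {
  return /<img\b|\son\w+="|href="javascript:/i.test(html);
}
```

In browser code the same rule applies to DOM APIs: assign untrusted text with textContent (or setAttribute for attribute values) rather than building innerHTML strings, and apply safeHref before assigning a link's href.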