The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Nodejs Modules ~ not comprehensive

computer vulnerability announce 20937

Node.js sails: privilege escalation via CORS

Synthesis of the vulnerability

An attacker can bypass restrictions via CORS of Node.js sails, in order to escalate his privileges.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 21/10/2016.
Identifiers: VIGILANCE-VUL-20937.

Description of the vulnerability

An attacker can bypass restrictions via CORS of Node.js sails, in order to escalate his privileges.

computer vulnerability bulletin 20898

Node.js reduce-css-calc: code execution

Synthesis of the vulnerability

An attacker can use a vulnerability of Node.js reduce-css-calc, in order to run code.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 18/10/2016.
Identifiers: VIGILANCE-VUL-20898.

Description of the vulnerability

An attacker can use a vulnerability of Node.js reduce-css-calc, in order to run code.

computer vulnerability announce 20897

Node.js nunjucks: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js nunjucks, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 18/10/2016.
Identifiers: VIGILANCE-VUL-20897.

Description of the vulnerability

The nunjucks module can be installed on Node.js.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Node.js nunjucks, in order to run JavaScript code in the context of the web site.

computer vulnerability alert 20896

Node.js pouchdb: code execution

Synthesis of the vulnerability

An attacker can use a vulnerability of Node.js pouchdb, in order to run code.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 18/10/2016.
Identifiers: VIGILANCE-VUL-20896.

Description of the vulnerability

An attacker can use a vulnerability of Node.js pouchdb, in order to run code.

computer vulnerability 20895

Node.js plotly.js: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js plotly.js, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 18/10/2016.
Identifiers: VIGILANCE-VUL-20895.

Description of the vulnerability

The plotly.js module can be installed on Node.js.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Node.js plotly.js, in order to run JavaScript code in the context of the web site.

vulnerability note 20894

Node.js uws: denial of service

Synthesis of the vulnerability

An attacker can generate a fatal error of Node.js uws, in order to trigger a denial of service.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 18/10/2016.
Identifiers: VIGILANCE-VUL-20894.

Description of the vulnerability

An attacker can generate a fatal error of Node.js uws, in order to trigger a denial of service.

vulnerability 20490

Node.js cookie-signature: information disclosure via Timing Attack

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Timing Attack of Node.js cookie-signature, in order to obtain sensitive information.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 30/08/2016.
Identifiers: VIGILANCE-VUL-20490.

Description of the vulnerability

An attacker can use a Timing Attack on Node.js cookie-signature, in order to obtain sensitive information.

vulnerability bulletin 20483

Node.js mqtt: denial of service via MQTT

Synthesis of the vulnerability

An attacker can send a malicious MQTT packet to Node.js mqtt, in order to trigger a denial of service.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 29/08/2016.
Identifiers: VIGILANCE-VUL-20483.

Description of the vulnerability

The Node.js mqtt product has a service to manage received MQTT packets.

However, when a malicious packet is received, a fatal error occurs.

An attacker can therefore send a malicious MQTT packet to Node.js mqtt, in order to trigger a denial of service.

vulnerability announce 20482

Node.js pivottable: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js pivottable, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 29/08/2016.
Identifiers: VIGILANCE-VUL-20482.

Description of the vulnerability

The pivottable module can be installed on Node.js.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Node.js pivottable, in order to run JavaScript code in the context of the web site.

vulnerability alert 20481

Node.js c3: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Node.js c3, in order to run JavaScript code in the context of the web site.
Impacted products: Nodejs Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 29/08/2016.
Identifiers: VIGILANCE-VUL-20481.

Description of the vulnerability

The c3 module can be installed on Node.js.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Node.js c3, in order to run JavaScript code in the context of the web site.