CVE-2020-5284 – Directory Traversal in Next.js versions below 9.3.2
https://notcve.org/view.php?id=CVE-2020-5284
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. • https://github.com/zeit/next.js/releases/tag/v9.3.2 https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVE-2019-5415
https://notcve.org/view.php?id=CVE-2019-5415
A bug in handling the ignore files and directories feature in serve 6.5.3 allows an attacker to read a file or list the directory that the victim has not allowed access to. Un error en el manejo de los archivos ignore y en la funcionalidad de directorios en serve 6.5.3 permite que un atacante lea un archivo o liste el directorio al que la víctima no ha permitido el acceso. • https://hackerone.com/reports/330724 • CWE-269: Improper Privilege Management CWE-548: Exposure of Information Through Directory Listing •
CVE-2019-5417
https://notcve.org/view.php?id=CVE-2019-5417
A path traversal vulnerability in serve npm package version 7.0.1 allows the attackers to read content of arbitrary files on the remote server. Un error de salto de directorio en el paquete de npm serve, en su versión 7.0.1, permite que los atacantes lean contenido de archivos arbitrarios en el servidor remoto. • https://hackerone.com/reports/358645 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-18282
https://notcve.org/view.php?id=CVE-2018-18282
Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. Next.js 7.0.0 y 7.0.1 tiene Cross-Site Scripting (XSS) mediante las páginas /_error 404 o 500. • https://github.com/ossf-cve-benchmark/CVE-2018-18282 https://github.com/zeit/next.js/releases/tag/7.0.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-3718
https://notcve.org/view.php?id=CVE-2018-3718
serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded. El módulo de node serve sufre de una gestión incorrecta del cifrado de una URL al permitir el acceso a archivos ignorados si un nombre de archivo está codificado como una URL. • https://github.com/ossf-cve-benchmark/CVE-2018-3718 https://hackerone.com/reports/308721 • CWE-177: Improper Handling of URL Encoding (Hex Encoding) •