CVSS: 6.8EPSS: 0%CPEs: 35EXPL: 1CVE-2021-3672 – c-ares: Missing input validation of host names may lead to domain hijacking
https://notcve.org/view.php?id=CVE-2021-3672
10 Aug 2021 — A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. Se ha encontrado un fallo en la biblioteca c-ares, en la que una falta de comprobación de la comprobación de entrada de los nombres de host devueltos por los DNS (Servidores de Nombres d... • https://bugzilla.redhat.com/show_bug.cgi?id=1988342 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2021-22921
https://notcve.org/view.php?id=CVE-2021-22921
12 Jul 2021 — Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. Node.js versiones anteriores a 16.4.1, 14.17.2 y 12.22.2, es vulnerable a ataques de escalada de privilegios locales bajo determinadas condiciones en plataformas Windows. Más concretamente, una ... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2021-22918 – libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes
https://notcve.org/view.php?id=CVE-2021-22918
07 Jul 2021 — Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo(). Node.js versiones anteriores a 16.4.1, 14.17.2, 12.22.2, es vulnerable a una lectura fuera de límites cuando la función uv__idna... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-125: Out-of-bounds Read •