Page 4 of 23 results (0.007 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. El paquete validator en versiones anteriores a 2.0.0 para Node.js permite a atacantes remotos eludir el filtro de secuencias de comandos en sitios cruzados (XSS) a través de caracteres hex codificados. • http://www.openwall.com/lists/oss-security/2016/04/20/11 http://www.securityfocus.com/bid/97102 https://nodesecurity.io/advisories/43 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 28%CPEs: 33EXPL: 0

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. Desbordamiento de entero en la función MDC2_Update en crypto/mdc2/mdc2dgst.c en OpenSSL en versiones anteriores a 1.1.0 permite a atacantes remotos provocar una denegación de servicio (escritura fuera de límites y caída de aplicación) o tener otro posible impacto no especificado a través de vectores desconocidos. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759 http://www-01.ibm.com/support/docview.wss?uid=swg21995039 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www. • CWE-787: Out-of-bounds Write •

CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence. La función de Utf8DecoderBase::WriteUtf16Slow en unicode.decoder.cc en Google V8, al igual que como se usa en Node.js anterior a 0.12.6, io.js anterior a 1.8.3 y 2.x antes de 2.3.3 y otros productos, no verifica que haya memoria disponible para un par surrogado UTF-16, lo que permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria) o la posibilidad de causar otro impacto a través de una secuencia de bytes manipulada. • http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable http://www.securityfocus.com/bid/75556 https://codereview.chromium.org/1226493003 https://github.com/joyent/node/issues/25583 https://medium.com/%40iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0

libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors. libuv anterior a 0.10.34 no cancela correctamente los privilegios de grupo, lo que permite a atacantes dependientes de contexto ganar privilegios a través de vectores no especificados. • http://advisories.mageia.org/MGASA-2015-0186.html http://www.mandriva.com/security/advisories?name=MDVSA-2015:228 https://github.com/libuv/libuv/commit/66ab38918c911bcff025562cf06237d7fedaba0c https://github.com/libuv/libuv/pull/215 https://groups.google.com/forum/#%21msg/libuv/0JZxwLMtsMI/jraczskYWWQJ https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150526.html https://security.gentoo.org/glsa/201611-10 • CWE-273: Improper Check for Dropped Privileges •

CVSS: 10.0EPSS: 25%CPEs: 1EXPL: 2

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file. Vulnerabilidad de inyección Eval en index.js en el paquete de errores de sintaxis anterior a 1.1.1 para Node.js 0.10.x, utilizado en IBM Rational Application Developer y otros productos, permite a atacantes remotos ejecutar código arbitrario a través de un fichero manipulado. • https://www.exploit-db.com/exploits/34090 http://www-01.ibm.com/support/docview.wss?uid=swg21690815 https://exchange.xforce.ibmcloud.com/vulnerabilities/96728 https://github.com/substack/node-syntax-error/commit/9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309 https://nodesecurity.io/advisories/syntax-error-potential-script-injection • CWE-94: Improper Control of Generation of Code ('Code Injection') •