Page 5 of 24 results (0.016 seconds)

CVSS: 10.0EPSS: 25%CPEs: 1EXPL: 2

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file. Vulnerabilidad de inyección Eval en index.js en el paquete de errores de sintaxis anterior a 1.1.1 para Node.js 0.10.x, utilizado en IBM Rational Application Developer y otros productos, permite a atacantes remotos ejecutar código arbitrario a través de un fichero manipulado. • https://www.exploit-db.com/exploits/34090 http://www-01.ibm.com/support/docview.wss?uid=swg21690815 https://exchange.xforce.ibmcloud.com/vulnerabilities/96728 https://github.com/substack/node-syntax-error/commit/9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309 https://nodesecurity.io/advisories/syntax-error-potential-script-injection • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.0EPSS: 5%CPEs: 1EXPL: 0

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array. El módulo qs anterior a 1.0.0 en Node.js no llama a la función 'compact' en la matriz de datos, lo que permite a atacantes remotos causar una denegación de servicio (consumo de memoria) usando un valor largo del index para crear una matriz dispersa. The nodejs-qs module has the ability to create sparse arrays during parsing. By specifying a high index in a querystring parameter it is possible to create a large array that will eventually take up all the allocated memory of the running process, resulting in a crash. • http://secunia.com/advisories/60026 http://secunia.com/advisories/62170 http://www-01.ibm.com/support/docview.wss?uid=swg21685987 http://www-01.ibm.com/support/docview.wss?uid=swg21687263 http://www-01.ibm.com/support/docview.wss?uid=swg21687928 https://access.redhat.com/errata/RHSA-2016:1380 https://exchange.xforce.ibmcloud.com/vulnerabilities/96729 https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8 https://github.com/visionmedia/node-querystring/issues/104& • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •

CVSS: 7.5EPSS: 2%CPEs: 8EXPL: 1

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory. visionmedia send anterior a 0.8.4 para Node.js utiliza una comparación parcial para verificar si un directorio está dentro del root del documento, lo que permite a atacantes remotos acceder a directorios restringidos, tal y como fue demostrado mediante el uso de 'público restringido' bajo un directorio 'publico'. • http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html http://secunia.com/advisories/62170 http://www-01.ibm.com/support/docview.wss?uid=swg21687263 http://www.openwall.com/lists/oss-security/2014/09/24/1 http://www.openwall.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.4EPSS: 97%CPEs: 28EXPL: 3

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. OpenSSL anterior a 0.9.8za, 1.0.0 anterior a 1.0.0m y 1.0.1 anterior a 1.0.1h no restringe debidamente el procesamiento de mensajes ChangeCipherSpec, lo que permite a atacantes man-in-the-middle provocar el uso de una clave maestra de longitud cero en ciertas comunicaciones OpenSSL-a-OpenSSL, y como consecuencia secuestrar sesiones u obtener información sensible, a través de una negociación TLS manipulada, también conocido como la vulnerabilidad de 'inyección CCS'. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. • https://github.com/secretnonempty/CVE-2014-0224 https://github.com/iph0n3/CVE-2014-0224 http://aix.software.ibm.com/aix/efixes/security/openssl_advisory9.asc http://ccsinjection.lepidum.co.jp http://dev.mysql.com/doc/relnotes/workbench/en/wb-news-6-1-7.html http://esupport.trendmicro.com/solution/en-US/1103813.aspx http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10629 http://kb.juniper.net/InfoCenter/index?page=content&id=KB29195 http://kb.juniper.net/InfoCenter/ • CWE-326: Inadequate Encryption Strength CWE-841: Improper Enforcement of Behavioral Workflow •