CVE-2014-7192 – Node Browserify 4.2.0 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-7192
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file. Vulnerabilidad de inyección Eval en index.js en el paquete de errores de sintaxis anterior a 1.1.1 para Node.js 0.10.x, utilizado en IBM Rational Application Developer y otros productos, permite a atacantes remotos ejecutar código arbitrario a través de un fichero manipulado. • https://www.exploit-db.com/exploits/34090 http://www-01.ibm.com/support/docview.wss?uid=swg21690815 https://exchange.xforce.ibmcloud.com/vulnerabilities/96728 https://github.com/substack/node-syntax-error/commit/9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309 https://nodesecurity.io/advisories/syntax-error-potential-script-injection • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2014-6394
https://notcve.org/view.php?id=CVE-2014-6394
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory. visionmedia send anterior a 0.8.4 para Node.js utiliza una comparación parcial para verificar si un directorio está dentro del root del documento, lo que permite a atacantes remotos acceder a directorios restringidos, tal y como fue demostrado mediante el uso de 'público restringido' bajo un directorio 'publico'. • http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139415.html http://secunia.com/advisories/62170 http://www-01.ibm.com/support/docview.wss?uid=swg21687263 http://www.openwall.com/lists/oss-security/2014/09/24/1 http://www.openwall.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •