CVE-2020-5284 – Directory Traversal in Next.js versions below 9.3.2
https://notcve.org/view.php?id=CVE-2020-5284
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. • https://github.com/zeit/next.js/releases/tag/v9.3.2 https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVE-2018-18282
https://notcve.org/view.php?id=CVE-2018-18282
Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. Next.js 7.0.0 y 7.0.1 tiene Cross-Site Scripting (XSS) mediante las páginas /_error 404 o 500. • https://github.com/ossf-cve-benchmark/CVE-2018-18282 https://github.com/zeit/next.js/releases/tag/7.0.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-6184
https://notcve.org/view.php?id=CVE-2018-6184
ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace. ZEIT Next.js 4 en versiones anteriores a la 4.2.3 tiene un salto de directorio bajo el espacio de nombre de petición /_next. • https://github.com/ossf-cve-benchmark/CVE-2018-6184 https://github.com/zeit/next.js/releases/tag/4.2.3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2017-16877
https://notcve.org/view.php?id=CVE-2017-16877
ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. ZEIT Next.js en versiones anteriores a la 2.4.1 contiene salto de directorio en el espacio de nombre de petición /_next y /static, lo que permite que los atacantes obtengan información sensible. • https://github.com/ossf-cve-benchmark/CVE-2017-16877 https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00 https://github.com/zeit/next.js/releases/tag/2.4.1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •