Filtered by vendor Nodejs
Total: 146 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2015-2927 | 3 Debian, Nodejs, Uronode | 3 Debian Linux, Node.js, Uro Node | 2019-11-25 | 6.8 MEDIUM | 6.5 MEDIUM |
node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption). | |||||
CVE-2017-16024 | 2 Nodejs, Sync-exec Project | 2 Node.js, Sync-exec | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists. | |||||
CVE-2017-14849 | 1 Nodejs | 1 Node.js | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules. | |||||
CVE-2013-4450 | 1 Nodejs | 1 Nodejs | 2018-08-13 | 5.0 MEDIUM | N/A |
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response. | |||||
CVE-2016-5325 | 2 Nodejs, Suse | 2 Node.js, Linux Enterprise | 2018-01-04 | 4.3 MEDIUM | 6.1 MEDIUM |
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument. | |||||
CVE-2016-7099 | 2 Nodejs, Suse | 2 Node.js, Linux Enterprise | 2018-01-04 | 4.3 MEDIUM | 5.9 MEDIUM |
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. | |||||
CVE-2017-11499 | 1 Nodejs | 1 Node.js | 2017-12-06 | 5.0 MEDIUM | 7.5 HIGH |
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup. | |||||
CVE-2017-14919 | 1 Nodejs | 1 Node.js | 2017-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter. | |||||
CVE-2014-3744 | 1 Nodejs | 1 Node.js | 2017-11-15 | 5.0 MEDIUM | 7.5 HIGH |
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path. | |||||
CVE-2015-7384 | 1 Nodejs | 1 Node.js | 2017-10-27 | 5.0 MEDIUM | 7.5 HIGH |
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service. | |||||
CVE-2014-7191 | 1 Nodejs | 1 Node.js | 2017-09-07 | 5.0 MEDIUM | N/A |
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array. | |||||
CVE-2016-2216 | 2 Fedoraproject, Nodejs | 2 Fedora, Node.js | 2017-06-30 | 4.3 MEDIUM | 7.5 HIGH |
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a. | |||||
CVE-2016-2086 | 2 Fedoraproject, Nodejs | 2 Fedora, Node.js | 2017-06-30 | 5.0 MEDIUM | 7.5 HIGH |
Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. | |||||
CVE-2015-8027 | 1 Nodejs | 1 Node.js | 2017-06-30 | 5.0 MEDIUM | 7.5 HIGH |
Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request. | |||||
CVE-2014-9772 | 1 Nodejs | 1 Node.js | 2017-03-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. | |||||
CVE-2015-8859 | 1 Nodejs | 1 Node.js | 2017-03-01 | 5.0 MEDIUM | 5.3 MEDIUM |
The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors. | |||||
CVE-2015-8856 | 1 Nodejs | 1 Node.js | 2017-03-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name. | |||||
CVE-2015-8315 | 1 Nodejs | 1 Node.js | 2017-03-01 | 7.8 HIGH | 7.5 HIGH |
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | |||||
CVE-2015-8855 | 1 Nodejs | 1 Node.js | 2017-01-26 | 7.8 HIGH | 7.5 HIGH |
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | |||||
CVE-2015-8860 | 1 Nodejs | 1 Node.js | 2017-01-24 | 5.0 MEDIUM | 7.5 HIGH |
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. |