Search Results
- Results Type: Overview
- Keyword (text search): npm
- Search Type: Search All
- CPE Name Search: false
| Vuln ID | Summary | CVSS Severity |
|---|---|---|
| CVE-2016-10603 | air-sdk is an NPM wrapper for the Adobe AIR SDK. air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned in between the user and the remote server. Published: June 01, 2018; 2:29:01 PM -0400 | V3.0: 8.1 HIGH; V2.0: 9.3 HIGH |
| CVE-2016-10579 | Chromedriver is an NPM wrapper for Selenium ChromeDriver. Chromedriver before 2.26.1 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned in between the user and the remote server. Published: June 01, 2018; 2:29:00 PM -0400 | V3.0: 8.1 HIGH; V2.0: 6.8 MEDIUM |
| CVE-2018-3746 | The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine. Published: June 01, 2018; 1:29:00 PM -0400 | V3.1: 9.8 CRITICAL; V2.0: 10.0 HIGH |
| CVE-2016-10562 | iedriver is an NPM wrapper for Selenium IEDriver. iedriver versions below 3.0.0 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned in between the user and the remote server. Published: May 31, 2018; 4:29:02 PM -0400 | V3.0: 8.1 HIGH; V2.0: 9.3 HIGH |
| CVE-2016-10541 | The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape the ">" and "<" operators used for redirection in the shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection. Published: May 31, 2018; 4:29:01 PM -0400 | V3.1: 9.8 CRITICAL; V2.0: 7.5 HIGH |
| CVE-2017-16062 | node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. Published: May 29, 2018; 4:29:02 PM -0400 | V3.1: 7.5 HIGH; V2.0: 5.0 MEDIUM |
| CVE-2017-16061 | tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. Published: May 29, 2018; 4:29:02 PM -0400 | V3.0: 7.5 HIGH; V2.0: 5.0 MEDIUM |
| CVE-2017-16047 | mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. Published: May 29, 2018; 4:29:02 PM -0400 | V3.0: 7.5 HIGH; V2.0: 5.0 MEDIUM |
| CVE-2017-16003 | windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned in between the user and the remote server. Published: May 29, 2018; 4:29:02 PM -0400 | V3.0: 8.1 HIGH; V2.0: 9.3 HIGH |
| CVE-2016-10658 | native-opencv is the OpenCV library installed via npm. native-opencv downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned in between the user and the remote server. Published: May 29, 2018; 4:29:01 PM -0400 | V3.1: 8.1 HIGH; V2.0: 9.3 HIGH |
| CVE-2016-10601 | webdrvr is an npm wrapper for Selenium Webdriver including Chromedriver / IEDriver / IOSDriver / Ghostdriver. webdrvr downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned in between the user and the remote server. Published: May 29, 2018; 4:29:01 PM -0400 | V3.0: 8.1 HIGH; V2.0: 9.3 HIGH |
| CVE-2018-7560 | index.js in the Anton Myshenin aws-lambda-multipart-parser NPM package before 0.1.2 has a Regular Expression Denial of Service (ReDoS) issue via a crafted multipart/form-data boundary string. Published: March 04, 2018; 3:29:00 PM -0500 | V3.1: 7.5 HIGH; V2.0: 5.0 MEDIUM |
| CVE-2018-7408 | An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue. Published: February 22, 2018; 1:29:00 PM -0500 | V3.0: 7.8 HIGH; V2.0: 4.6 MEDIUM |
| CVE-2016-10703 | A regular expression Denial of Service (DoS) vulnerability in the file lib/ecstatic.js of the ecstatic npm package, before version 2.0.0, allows a remote attacker to overload and crash a server by passing a maliciously crafted string. Published: December 14, 2017; 2:29:00 PM -0500 | V3.1: 7.5 HIGH; V2.0: 7.8 HIGH |
| CVE-2017-1000219 | npm/KyleRoss windows-cpu, all versions, is vulnerable to command injection resulting in code execution as the Node.js user. Published: November 16, 2017; 7:29:00 PM -0500 | V3.0: 9.8 CRITICAL; V2.0: 7.5 HIGH |
| CVE-2017-8914 | sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694. Published: May 23, 2017; 12:29:02 AM -0400 | V3.0: 8.3 HIGH; V2.0: 7.5 HIGH |
| CVE-2016-3012 | IBM API Connect (aka APIConnect) before 5.0.3.0 with NPM before 2.2.8 includes certain internal server credentials in the software package, which might allow remote attackers to bypass intended access restrictions by leveraging knowledge of these credentials. Published: December 01, 2016; 6:59:04 AM -0500 | V3.0: 7.5 HIGH; V2.0: 5.0 MEDIUM |
| CVE-2016-3956 | The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers. Published: July 02, 2016; 10:59:19 AM -0400 | V3.1: 7.5 HIGH; V2.0: 5.0 MEDIUM |