Vulmon
node.js vulnerabilities and exploits
9.8
CVSSv3
CVE-2021-21388
systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been discovered in versions of systeminformation before 5.6.4. The issue has been fixed with a parameter check on user input. Please upgrade to version >= 5...
9.8
CVSSv3
CVE-2021-26275
The eslint-fixer package up to and including 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The ozum/eslint-fixer GitHub repository has been in...
Eslint-fixer Project Eslint-fixer
9.8
CVSSv3
CVE-2021-27185
The samba-client package prior to 4.0.0 for Node.js allows command injection because of the use of process.exec.
Samba-client Project Samba-client
9.8
CVSSv3
CVE-2021-3190
The async-git package prior to 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
Async-git Project Async-git
9.8
CVSSv3
CVE-2019-0230
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Apache Struts
Oracle Financial Services Market Risk Measurement And Management 8.0.6
Oracle Communications Policy Management 12.5.0
Oracle Financial Services Data Integration Hub 8.0.6
Oracle Financial Services Data Integration Hub 8.0.3
Oracle Mysql Enterprise Monitor
10 Github repositories
1 Article
9.8
CVSSv3
CVE-2020-24660
An issue exists in LemonLDAP::NG up to and including 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions prior to 0.5.2 of the "Lemonldap::NG handler for Node.js...
Lemonldap-ng Lemonldap::ng
Debian Debian Linux 10.0
9.8
CVSSv3
CVE-2018-21268
The traceroute (aka node-traceroute) package up to and including 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed...
Traceroute Project Traceroute
9.8
CVSSv3
CVE-2020-14968
An issue exists in the jsrsasign package prior to 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abu...
Jsrsasign Project Jsrsasign
Netapp Max Data -
2 Github repositories
9.8
CVSSv3
CVE-2020-14967
An issue exists in the jsrsasign package prior to 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend...
Jsrsasign Project Jsrsasign
Netapp Max Data -
2 Github repositories
9.8
CVSSv3
CVE-2020-8149
Lack of output sanitization allowed an attacker to execute arbitrary shell commands via the logkitty npm package before version 0.7.1.
Logkitty Project Logkitty
1 Github repository