HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. @haxtheweb/haxcms-…

CVSS: 8.7 · CWE: CWE-79

View on NVD

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

CVSS: 10.0 · CWE: CWE-94

View on NVD

A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources.

CVSS: 8.5 · CWE: CWE-201

View on NVD

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure i…

CVSS: 7.5 · CWE: CWE-284

View on NVD

elixir-nodejs provides an Elixir API for calling Node.js functions. A vulnerability in versions prior to 3.1.4 results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next a…

CVSS: 7.1 · CWE: CWE-362

View on NVD

TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration. Version 4.0.3 fixes the issue.

CVSS: 7.5 · CWE: CWE-20

View on NVD

HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.

CVSS: 8.0 · CWE: CWE-79

View on NVD

An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. We recommend customers upgrade to the following versions: AWS JDBC Wrapper to v2.6.5, AWS Go Wrapper to 2025-10-17, AWS Node…

CVSS: 8.0 · CWE: CWE-470

View on NVD

Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6.

CVSS: 8.7 · CWE: CWE-476

View on NVD

Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. The problem has been patched in versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-a…

CVSS: 7.5 · CWE: CWE-755

View on NVD

content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provi…

CVSS: 8.8 · CWE: CWE-1321

View on NVD

HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operat…

CVSS: 8.3 · CWE: CWE-285

View on NVD

HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to change them through the UI. An una…

CVSS: 7.3 · CWE: CWE-1392

View on NVD

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks. If a user were to deploy haxcms-nodejs without modifying the default settings, ‘HAXCMS_DISA…

CVSS: 9.8 · CWE: CWE-1188

View on NVD

@builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed it dynamically load the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit. This vulnerability is fixed in 1.13.0.

CVSS: 9.2 · CWE: CWE-248

View on NVD

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability manage customizations can edit webhook that will execute javascript code. This can be abused to cause a denial of service attack by prototype pollution, making the node js server running the OpenCTI frontend become unavailable. Version 6.5.2 fix…

CVSS: 7.6 · CWE: CWE-94

View on NVD

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.216, Tabby terminal emulator contains overly permissive entitlements that are unnecessary for its core functionality and plugin system, creating potential security vulnerabilities. The application currently holds powerful permissions including camera, microphone access, and the ability to access personal folders (D…

CVSS: 8.6 · CWE: CWE-276

View on NVD

Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use t…

CVSS: 8.2 · CWE: CWE-79

View on NVD

Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with

 and 

 t…

  
CVSS: 8.2 · CWE: CWE-79
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2023-7245
    https://nvd.nist.gov/vuln/detail/CVE-2023-7245
    Tue, 20 Feb 2024 11:15:07 +0000
    
High CVE-2023-7245

  
The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable
  
CVSS: 7.8 · CWE: CWE-95
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2023-43646
    https://nvd.nist.gov/vuln/detail/CVE-2023-43646
    Wed, 27 Sep 2023 15:19:34 +0000
    
High CVE-2023-43646

  
get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtrackin…
  
CVSS: 8.6 · CWE: CWE-400
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2023-40340
    https://nvd.nist.gov/vuln/detail/CVE-2023-40340
    Wed, 16 Aug 2023 15:15:11 +0000
    
High CVE-2023-40340

  
Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.
  
CVSS: 7.5 · CWE: N/A
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2023-37899
    https://nvd.nist.gov/vuln/detail/CVE-2023-37899
    Wed, 19 Jul 2023 20:15:10 +0000
    
High CVE-2023-37899

  
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like `const message = ${{ toString: '' }}` which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })`.  A fix has been released in versions 5.0.8…
  
CVSS: 7.5 · CWE: CWE-754
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2023-34232
    https://nvd.nist.gov/vuln/detail/CVE-2023-34232
    Thu, 08 Jun 2023 21:15:17 +0000
    
High CVE-2023-34232

  
snowflake-connector-nodejs, a NodeJS driver for Snowflake, is vulnerable to command injection via single sign on (SSO) browser URL authentication in versions prior to 1.6.21. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicio…
  
CVSS: 7.3 · CWE: CWE-77
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2023-23918
    https://nvd.nist.gov/vuln/detail/CVE-2023-23918
    Thu, 23 Feb 2023 20:15:13 +0000
    
High CVE-2023-23918

  
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
  
CVSS: 7.5 · CWE: CWE-863
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2022-35265
    https://nvd.nist.gov/vuln/detail/CVE-2022-35265
    Tue, 25 Oct 2022 17:15:54 +0000
    
High CVE-2022-35265

  
A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network request can lead to denial of service. An attacker can send a sequence of requests to trigger this vulnerability.This denial of service is in the `/action/import_nodejs_app/` API.
  
CVSS: 7.5 · CWE: CWE-125
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2022-39266
    https://nvd.nist.gov/vuln/detail/CVE-2022-39266
    Thu, 29 Sep 2022 18:15:10 +0000
    
Critical CVE-2022-39266

  
isolated-vm is a library for nodejs which gives the user access to v8's Isolate interface. In versions 4.3.6 and prior, if the untrusted v8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the nodejs process. Version 4.3.7 changes the documentation to warn users that they should not accept `cachedData` payloads from a user.
  
CVSS: 9.6 · CWE: CWE-20
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2022-37434
    https://nvd.nist.gov/vuln/detail/CVE-2022-37434
    Fri, 05 Aug 2022 07:15:07 +0000
    
Critical CVE-2022-37434

  
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
  
CVSS: 9.8 · CWE: CWE-787
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2022-36127
    https://nvd.nist.gov/vuln/detail/CVE-2022-36127
    Mon, 18 Jul 2022 12:15:08 +0000
    
High CVE-2022-36127

  
A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can't establish the connection.
  
CVSS: 7.5 · CWE: N/A
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2022-24434
    https://nvd.nist.gov/vuln/detail/CVE-2022-24434
    Fri, 20 May 2022 20:15:09 +0000
    
High CVE-2022-24434

  
This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.
  
CVSS: 7.5 · CWE: N/A
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2021-41117
    https://nvd.nist.gov/vuln/detail/CVE-2021-41117
    Mon, 11 Oct 2021 17:15:07 +0000
    
High CVE-2021-41117

  
keypair is a a RSA PEM key generator written in javascript. keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys used in SSH. This would mean that the library is generating identical P, Q (and thus N) values which, in practical terms, i…
  
CVSS: 8.7 · CWE: CWE-335
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2021-3777
    https://nvd.nist.gov/vuln/detail/CVE-2021-3777
    Wed, 15 Sep 2021 08:15:06 +0000
    
High CVE-2021-3777

  
nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity
  
CVSS: 7.5 · CWE: CWE-1333
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2021-39199
    https://nvd.nist.gov/vuln/detail/CVE-2021-39199
    Tue, 07 Sep 2021 19:15:08 +0000
    
Critical CVE-2021-39199

  
remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. That is, user input was not sanitized. This means arbitrary HTML can be passed through leading to potential XSS attacks. The problem has been patched in 13.0.2…
  
CVSS: 10.0 · CWE: CWE-79
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2021-29486
    https://nvd.nist.gov/vuln/detail/CVE-2021-29486
    Fri, 30 Apr 2021 18:15:07 +0000
    
High CVE-2021-29486

  
cumulative-distribution-function is an open source npm library used which calculates statistical cumulative distribution function from data array of x values. In versions prior to 2.0.0 apps using this library on improper data may crash or go into an infinite-loop. In the case of a nodejs server-app using this library to act on invalid non-numeric data, the nodejs server may crash. This may affec…
  
CVSS: 7.5 · CWE: CWE-20
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2021-23280
    https://nvd.nist.gov/vuln/detail/CVE-2021-23280
    Tue, 13 Apr 2021 19:15:14 +0000
    
High CVE-2021-23280

  
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM’s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability.
  
CVSS: 8.0 · CWE: CWE-434
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2021-21421
    https://nvd.nist.gov/vuln/detail/CVE-2021-21421
    Thu, 01 Apr 2021 22:15:11 +0000
    
High CVE-2021-21421

  
node-etsy-client is a NodeJs Etsy ReST API Client. Applications that are using node-etsy-client and reporting client error to the end user will offer api key value too This is fixed in node-etsy-client v0.3.0 and later.
  
CVSS: 8.1 · CWE: CWE-200
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2021-21413
    https://nvd.nist.gov/vuln/detail/CVE-2021-21413
    Tue, 30 Mar 2021 23:15:14 +0000
    
High CVE-2021-21413

  
isolated-vm is a library for nodejs which gives you access to v8's Isolate interface. Versions of isolated-vm before v4.0.0 have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. Reference objects allow access to the underlying reference's full prototype chain. In an environment where the implementer has exposed…
  
CVSS: 8.0 · CWE: CWE-913
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2021-21297
    https://nvd.nist.gov/vuln/detail/CVE-2021-21297
    Fri, 26 Feb 2021 17:15:12 +0000
    
High CVE-2021-21297

  
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is…
  
CVSS: 7.7 · CWE: CWE-915
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2020-5977
    https://nvd.nist.gov/vuln/detail/CVE-2020-5977
    Fri, 23 Oct 2020 18:15:16 +0000
    
High CVE-2020-5977

  
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.
  
CVSS: 7.8 · CWE: CWE-426
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2020-15477
    https://nvd.nist.gov/vuln/detail/CVE-2020-15477
    Thu, 23 Jul 2020 20:15:11 +0000
    
Critical CVE-2020-15477

  
The WebControl in RaspberryTortoise through 2012-10-28 is vulnerable to remote code execution via shell metacharacters in a URI. The file nodejs/raspberryTortoise.js has no validation on the parameter incomingString before passing it to the child_process.exec function.
  
CVSS: 9.8 · CWE: CWE-78
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2019-4001
    https://nvd.nist.gov/vuln/detail/CVE-2019-4001
    Tue, 24 Mar 2020 22:15:12 +0000
    
High CVE-2019-4001

  
Improper input validation in Druva inSync Client 6.5.0 allows a local, authenticated attacker to execute arbitrary NodeJS code.
  
CVSS: 7.8 · CWE: CWE-20
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2019-15606
    https://nvd.nist.gov/vuln/detail/CVE-2019-15606
    Fri, 07 Feb 2020 15:15:11 +0000
    
Critical CVE-2019-15606

  
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
  
CVSS: 9.8 · CWE: CWE-20
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2019-6644
    https://nvd.nist.gov/vuln/detail/CVE-2019-6644
    Wed, 04 Sep 2019 17:15:11 +0000
    
Critical CVE-2019-6644

  
Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the port is accessible.
  
CVSS: 9.4 · CWE: N/A
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2017-16042
    https://nvd.nist.gov/vuln/detail/CVE-2017-16042
    Mon, 04 Jun 2018 19:29:02 +0000
    
Critical CVE-2017-16042

  
Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.
  
CVSS: 9.8 · CWE: CWE-94
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-10647
    https://nvd.nist.gov/vuln/detail/CVE-2016-10647
    Mon, 04 Jun 2018 16:29:00 +0000
    
High CVE-2016-10647

  
node-air-sdk is an AIR SDK for nodejs. node-air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
  
CVSS: 8.1 · CWE: CWE-311
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-10626
    https://nvd.nist.gov/vuln/detail/CVE-2016-10626
    Fri, 01 Jun 2018 18:29:02 +0000
    
High CVE-2016-10626

  
mystem3 is a NodeJS wrapper for the Yandex MyStem 3. mystem3 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
  
CVSS: 8.1 · CWE: CWE-311
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-10622
    https://nvd.nist.gov/vuln/detail/CVE-2016-10622
    Fri, 01 Jun 2018 18:29:01 +0000
    
High CVE-2016-10622

  
nodeschnaps is a NodeJS compatibility layer for Java (Rhino). nodeschnaps downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
  
CVSS: 8.1 · CWE: CWE-311
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-10618
    https://nvd.nist.gov/vuln/detail/CVE-2016-10618
    Fri, 01 Jun 2018 18:29:01 +0000
    
High CVE-2016-10618

  
node-browser is a wrapper webdriver by nodejs. node-browser downloads resources over HTTP, which leaves it vulnerable to MITM attacks.
  
CVSS: 8.1 · CWE: CWE-311
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-10554
    https://nvd.nist.gov/vuln/detail/CVE-2016-10554
    Thu, 31 May 2018 20:29:02 +0000
    
Critical CVE-2016-10554

  
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. Before version 1.7.0-alpha3, sequelize defaulted SQLite to use MySQL backslash escaping, even though SQLite uses Postgres escaping.
  
CVSS: 9.8 · CWE: CWE-89
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-10553
    https://nvd.nist.gov/vuln/detail/CVE-2016-10553
    Thu, 31 May 2018 20:29:01 +0000
    
Critical CVE-2016-10553

  
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. A fix was pushed out that fixed potential SQL injection in sequelize 2.1.3 and earlier.
  
CVSS: 9.8 · CWE: CWE-89
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-10550
    https://nvd.nist.gov/vuln/detail/CVE-2016-10550
    Thu, 31 May 2018 20:29:01 +0000
    
Critical CVE-2016-10550

  
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier.
  
CVSS: 9.8 · CWE: CWE-89
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-10593
    https://nvd.nist.gov/vuln/detail/CVE-2016-10593
    Tue, 29 May 2018 20:29:01 +0000
    
High CVE-2016-10593

  
ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
  
CVSS: 8.1 · CWE: CWE-311
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-10578
    https://nvd.nist.gov/vuln/detail/CVE-2016-10578
    Tue, 29 May 2018 20:29:01 +0000
    
High CVE-2016-10578

  
unicode loads unicode data downloaded from unicode.org into nodejs. Unicode before 9.0.0 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.
  
CVSS: 8.1 · CWE: CWE-311
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-10556
    https://nvd.nist.gov/vuln/detail/CVE-2016-10556
    Tue, 29 May 2018 20:29:00 +0000
    
High CVE-2016-10556

  
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `["tes…
  
CVSS: 7.5 · CWE: CWE-89
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2017-1000228
    https://nvd.nist.gov/vuln/detail/CVE-2017-1000228
    Fri, 17 Nov 2017 03:29:00 +0000
    
Critical CVE-2017-1000228

  
nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
  
CVSS: 9.8 · CWE: CWE-20
  
View on NVD
]]>
    
  
  
    
    https://nvd.nist.gov/vuln/detail/CVE-2017-1000189
    https://nvd.nist.gov/vuln/detail/CVE-2017-1000189
    Fri, 17 Nov 2017 03:29:00 +0000
    
High CVE-2017-1000189

  
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
  
CVSS: 7.5 · CWE: CWE-20
  
View on NVD
]]>