[last-commit-log] Command Injection |
Command Injection - Generic |
bilk0h |
High |
2020-11-29 |
[systeminformation] Command Injection via insecure command formatting |
Command Injection - Generic |
effectrenan |
Critical |
2020-11-16 |
[node-downloader-helper] Path traversal via Content-Disposition header |
Path Traversal |
ryotak |
Medium |
2020-11-11 |
[expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure |
Information Disclosure |
mik317 |
Medium |
2020-10-29 |
[ts-dot-prop] Prototype Pollution |
None supplied |
prathis |
Medium |
2020-10-29 |
[zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files |
Path Traversal |
ryotak |
Low |
2020-10-29 |
[nested-property] Prototype Pollution |
Modification of Assumed-Immutable Data (MAID) |
johnssimon007 |
Medium |
2020-10-27 |
[gfc] Command Injection via insecure command formatting |
Command Injection - Generic |
d3lla |
Critical |
2020-10-27 |
[http-live-simulator] Application-level DoS |
Denial of Service |
ryotak |
Medium |
2020-10-27 |
[create-git] RCE via insecure command formatting |
Code Injection |
mik317 |
Critical |
2020-10-26 |
[json8-merge-patch] Prototype Pollution |
Modification of Assumed-Immutable Data (MAID) |
gkmr |
High |
2020-10-18 |
[freespace] Command Injection due to Lack of Sanitization |
Command Injection - Generic |
ansuj |
Medium |
2020-10-14 |
[tianma-static] Security issue with XSS. |
Cross-site Scripting (XSS) - Stored |
wooeong22 |
No rating |
2020-10-12 |
[m-server] XSS reflected because path does not escapeHtml |
Cross-site Scripting (XSS) - Reflected |
0xd0ff |
No rating |
2020-09-28 |
[hnzserver] Path Traversal allowing to read any files on the server |
Path Traversal |
lightangel1412 |
High |
2020-09-24 |
[http_server] Path Traversal allowing to read any files on the server |
Path Traversal |
lightangel1412 |
High |
2020-09-24 |
[snekserve] Stored XSS via filenames HTML formatted |
Cross-site Scripting (XSS) - Stored |
mik317 |
Medium |
2020-09-24 |
[git-lib] RCE via insecure command formatting |
Code Injection |
mik317 |
Medium |
2020-09-24 |
[gity] RCE via insecure command formatting |
Code Injection |
mik317 |
Medium |
2020-09-24 |
property-expr - Prototype pollution |
Modification of Assumed-Immutable Data (MAID) |
ahihi |
High |
2020-09-24 |
[commit-msg] RCE via insecure command formatting |
Code Injection |
mik317 |
Medium |
2020-09-24 |
[@knutkirkhorn/free-space] - Command Injection through Lack of Sanitization |
Command Injection - Generic |
ansuj |
Medium |
2020-09-18 |
[authmagic-timerange-stateless-core] Improper Authentication |
Improper Authentication - Generic |
ermilov |
High |
2020-09-16 |
[authmagic-timerange-stateless-core] Improper Authentication |
Improper Authentication - Generic |
ermilov |
High |
2020-09-16 |
[keyd] Prototype pollution |
Modification of Assumed-Immutable Data (MAID) |
d3lla |
High |
2020-09-14 |
[flsaba] Stored XSS in the file and directory name when directories listing |
Cross-site Scripting (XSS) - Stored |
d3lla |
Low |
2020-09-14 |
[objtools] Prototype pollution |
Modification of Assumed-Immutable Data (MAID) |
d3lla |
High |
2020-09-14 |
[extend-merge] Prototype pollution |
Modification of Assumed-Immutable Data (MAID) |
d3lla |
High |
2020-09-06 |
[static-server-gx] Path Traversal allowing to read any files on the server |
Path Traversal |
lightangel1412 |
High |
2020-09-03 |
[sirloin] Web Server Directory Traversal via Crafted GET Request |
Path Traversal |
bp0lr |
High |
2020-08-30 |
[hangersteak] Web Server Directory Traversal via Crafted GET Request |
Path Traversal |
bp0lr |
High |
2020-08-30 |
[bl] Uninitialized memory exposure via negative .consume() |
Buffer Over-read |
chalker |
High |
2020-08-27 |
[notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser |
Code Injection |
phra |
High |
2020-08-27 |
[json-bigint] DoS via `__proto__` assignment |
Denial of Service |
chalker |
High |
2020-08-26 |
[min-http-server] List any file in the folder by using path traversal. |
Path Traversal |
toannc123 |
High |
2020-08-26 |
[windows-edge] RCE via insecure command formatting |
Code Injection |
mik317 |
Critical |
2020-08-25 |
Prototype pollution attack (lodash) |
Denial of Service |
macasun |
Medium |
2020-08-25 |
[meemo-app] Denial of Service via LDAP Injection |
LDAP Injection |
d3lla |
Critical |
2020-08-22 |
[cloudron-surfer] Denial of Service via LDAP Injection |
LDAP Injection |
d3lla |
Critical |
2020-08-22 |
Prototype Pollution lodash 4.17.15 |
Denial of Service |
awarau |
High |
2020-08-21 |
Arbitrary code execution via untrusted schemas in ajv |
Code Injection |
chalker |
Low |
2020-08-14 |
[wappalyzer] ReDoS allows an attacker to completely break Wappalyzer |
Denial of Service |
vrechson |
High |
2020-08-07 |
[is-my-json-valid] ReDoS via 'style' format |
Denial of Service |
chalker |
High |
2020-07-31 |
Arbitrary code execution via untrusted schemas in is-my-json-valid |
Code Injection |
chalker |
Medium |
2020-07-31 |
Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS |
Denial of Service |
chalker |
Medium |
2020-07-29 |
SQL Injection or Denial of Service due to a Prototype Pollution |
SQL Injection |
phra |
Critical |
2020-07-24 |
[diskstats] Command Injection via insecure command concatenation |
Command Injection - Generic |
d3lla |
Critical |
2020-07-23 |
[express-cart] Wide CSRF in application |
Cross-Site Request Forgery (CSRF) |
saddeann |
Medium |
2020-07-21 |
[Uppy] Internal Server side request forgery (bypass of #786956) |
Server-Side Request Forgery (SSRF) |
mahmoud0x00 |
Critical |
2020-06-28 |
bunyan - RCE via insecure command formatting |
Code Injection |
ahihi |
High |
2020-06-27 |
[wappalyzer] ReDoS allows an attacker to completely break Wappalyzer |
Denial of Service |
vrechson |
High |
2020-06-18 |
[devcert] Command Injection via insecure command formatting |
Command Injection - Generic |
d3lla |
Critical |
2020-06-15 |
OS Command Injection on Jison [all-parser-ports] |
OS Command Injection |
0x48piraj |
Medium |
2020-05-28 |
Pixel flood attack cause the javascript heap out of memory |
Denial of Service |
mayaseven |
Medium |
2020-05-21 |
[logkitty] RCE via insecure command formatting |
Code Injection |
mik317 |
High |
2020-05-09 |
Prototype pollution attack (lodash) |
Allocation of Resources Without Limits or Throttling |
posix |
High |
2020-04-28 |
[Total.js] Path traversal vulnerability allows to read files outside public directory |
Path Traversal |
visat |
Medium |
2020-04-25 |
[utils-extend] Prototype pollution |
Modification of Assumed-Immutable Data (MAID) |
sontungatm |
Critical |
2020-04-02 |
[htmr] DOM-based XSS |
Cross-site Scripting (XSS) - DOM |
visat |
Medium |
2020-03-15 |
Server-Side Request Forgery (SSRF) in Ghost CMS |
Server-Side Request Forgery (SSRF) |
whoareme |
Medium |
2020-03-09 |
Server Side Request Forgery in Uppy npm module |
Server-Side Request Forgery (SSRF) |
eslam-shieldfy |
High |
2020-03-02 |
[http_server] Stored XSS in the filename when directories listing |
Cross-site Scripting (XSS) - Stored |
lightangel1412 |
Low |
2019-09-13 |
[untitled-model] sql injection |
SQL Injection |
verichains |
High |
2019-06-18 |
Prototype Pollution Vulnerability in cached-path-relative Package |
Denial of Service |
cris_semmle |
High |
2018-11-02 |
[tianma-static] Stored xss on filename |
Cross-site Scripting (XSS) - Stored |
abdilahrf_ |
Critical |
2018-11-02 |
[takeapeek] Path traversal allow to expose directory and files |
Path Traversal |
abdilahrf_ |
High |
2018-11-02 |
[knightjs] Path Traversal allows to read content of arbitrary files |
Path Traversal |
abdilahrf_ |
High |
2018-11-02 |
Prototype pollution attack (lodash / constructor.prototype) |
Denial of Service |
asgerf |
Low |
2018-10-30 |
Code Injection Vulnerability in morgan Package |
Code Injection |
cris_semmle |
Medium |
2018-10-28 |
Samlify is vulnerable to signature wrapping |
Cryptographic Issues - Generic |
webtonull |
High |
2018-10-23 |
[serve] Stored XSS in the filename when directories listing |
Cross-site Scripting (XSS) - Stored |
tungpun |
Medium |
2018-10-19 |
[serve] XSS via HTML tag injection in directory listing page |
Cross-site Scripting (XSS) - Stored |
skyn3t |
Medium |
2018-10-19 |
[apex-publish-static-files] Command Injection on connectString |
Command Injection - Generic |
abdilahrf_ |
Critical |
2018-10-18 |
Command Injection Vulnerability in libnmap Package |
Command Injection - Generic |
cris_semmle |
Medium |
2018-10-14 |
Prototype pollution attack (merge.recursive) |
Denial of Service |
asgerf |
Low |
2018-09-28 |
Prototype pollution attack (defaults-deep / constructor.prototype) |
Denial of Service |
asgerf |
Low |
2018-09-28 |
http-live-simulator npm module is prone to path traversal attacks |
Path Traversal |
lirantal |
High |
2018-09-18 |
[express-cart] Customer and admin email enumeration through MongoDB injection |
SQL Injection |
becojo |
High |
2018-09-11 |
[ascii-art] Command injection |
Command Injection - Generic |
pontus_johnson |
High |
2018-09-08 |
Command Injection in ps Package |
Command Injection - Generic |
cris_semmle |
Medium |
2018-09-07 |
[samsung-remote] Command injection |
Command Injection - Generic |
pontus_johnson |
Critical |
2018-09-02 |
[exceljs] Possible XSS via cell value when worksheet is displayed in browser |
Cross-site Scripting (XSS) - Generic |
bl4de |
Medium |
2018-09-01 |
[simplehttpserver] List any file in the folder by using path traversal. |
Path Traversal |
n0n4me |
High |
2018-08-30 |
Prototype pollution attack (extend) |
Denial of Service |
asgerf |
Critical |
2018-08-22 |
[egg-scripts] Command injection |
Command Injection - Generic |
pontus_johnson |
High |
2018-08-19 |
[flintcms] Account takeover due to blind MongoDB injection in password reset |
Privilege Escalation |
becojo |
Critical |
2018-08-15 |
Arbitrary File Write through archive extraction |
Path Traversal |
danny_grander |
High |
2018-08-12 |
Arbitrary File Write Through Archive Extraction |
None supplied |
danny_grander |
High |
2018-08-12 |
Command Injection Vulnerability in win-fork/win-spawn Packages |
Command Injection - Generic |
cris_semmle |
High |
2018-08-10 |
url-parse package return wrong hostname |
Open Redirect |
0x9090 |
High |
2018-07-30 |
stored xss in scrape-metadata when reading metadata from an html page |
Cross-site Scripting (XSS) - Stored |
5ilverhawk |
High |
2018-07-27 |
[markdown-pdf] Local file reading |
Path Traversal |
n1__ |
Medium |
2018-07-20 |
[ponse] Path traversal in ponse module allows to read any file on server |
Path Traversal |
szkrstf |
High |
2018-07-20 |
Stored XSS in Node-Red |
Cross-site Scripting (XSS) - Stored |
misterch0c |
High |
2018-07-18 |
[entitlements] Command injection on the 'path' parameter |
Command Injection - Generic |
caioluders |
High |
2018-07-18 |
[statics-server] XSS via injected iframe in file name when statics-server displays directory index in the browser |
Cross-site Scripting (XSS) - Generic |
bl4de |
Critical |
2018-07-14 |
Privilege escalation allows any user to add an administrator |
Privilege Escalation |
patrickrbc |
Critical |
2018-07-12 |
[m-server] HTML Injection in filenames displayed as directory listing in the browser allows to embed iframe with malicious JavaScript code |
Cross-site Scripting (XSS) - Stored |
bl4de |
Medium |
2018-07-12 |
[m-server] Path Traversal allows to display content of arbitrary file(s) from the server |
Path Traversal |
bl4de |
Medium |
2018-07-12 |
XSS in express-useragent through HTTP User-Agent |
Cross-site Scripting (XSS) - Generic |
ibrahimd |
No rating |
2018-07-06 |
[bruteser] Path Traversal allows to read content of arbitrary file |
Path Traversal |
bl4de |
Medium |
2018-07-04 |
[buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser |
Cross-site Scripting (XSS) - Stored |
bl4de |
Medium |
2018-07-04 |
[serve] Server Directory Traversal |
Path Traversal |
tungpun |
Critical |
2018-07-02 |
Privilege escalation with malicious .npmrc |
Privilege Escalation |
ginden |
High |
2018-06-30 |
`memjs` allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage |
Denial of Service |
chalker |
Critical |
2018-06-27 |
[buttle] Path traversal in mid-buttle module allows to read any file in the server. |
Path Traversal |
n0n4me |
Critical |
2018-06-27 |
Insecure implementation of deserialization in cryo |
Code Injection |
greendog |
High |
2018-06-19 |
npm packages that overlap with core node packages |
Phishing |
mlucool |
High |
2018-06-16 |
[git-dummy-commit] Command injection on the msg parameter |
OS Command Injection |
caioluders |
Critical |
2018-06-15 |
Insecure implementation of deserialization in funcster |
Code Injection |
greendog |
High |
2018-06-15 |
`njwt` allocates uninitialized Buffers when number is passed in base64urlEncode input |
Out-of-bounds Read |
chalker |
Low |
2018-06-14 |
Remote Command Execution vulnerability in pullit |
Command Injection - Generic |
lirantal |
Critical |
2018-06-14 |
[file-static-server] Path Traversal allows to read content of arbitrary file on the server |
Path Traversal |
bl4de |
Low |
2018-06-14 |
`utile` allocates uninitialized Buffers when number is passed in input |
Out-of-bounds Read |
chalker |
Low |
2018-06-14 |
`put` allocates uninitialized Buffers when non-round numbers are passed in input |
Out-of-bounds Read |
chalker |
Low |
2018-06-14 |
[mcstatic] Server Directory Traversal |
Path Traversal |
tungpun |
High |
2018-06-12 |
[html-pages] Stored XSS in the filename when directories listing |
Cross-site Scripting (XSS) - Generic |
tungpun |
High |
2018-06-12 |
[public] Stored XSS in the filename when directories listing |
Cross-site Scripting (XSS) - Generic |
tungpun |
Medium |
2018-06-12 |
Unrestricted file upload (RCE) |
Path Traversal |
patrickrbc |
Critical |
2018-06-02 |
[serve] Directory listing and File access even when they have been set to be ignored |
Information Exposure Through Directory Listing |
tungpun |
Critical |
2018-05-31 |
[localhost-now] bypassing url filter which leads to read content of arbitrary file |
Path Traversal |
dienpv |
High |
2018-05-30 |
[serve] Directory listing and File access even when they have been set to be ignored (using dot-slash) |
Information Exposure Through Directory Listing |
tungpun |
Critical |
2018-05-30 |
Command injection in 'pdf-image' |
Command Injection - Generic |
defmax |
Medium |
2018-05-29 |
[sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name |
Cross-site Scripting (XSS) - Stored |
bl4de |
Medium |
2018-05-29 |
[hekto] open redirect when target domain name is used as html filename on server |
Open Redirect |
brainpanic |
Low |
2018-05-20 |
[html-pages] Path Traversal in html-pages module allows to read any file from the server with curl |
Path Traversal |
bl4de |
Critical |
2018-05-19 |
[query-mysql] SQL Injection due to lack of user input sanitization allows to run arbitrary SQL queries when fetching data from database |
SQL Injection |
bl4de |
Critical |
2018-05-19 |
The react-marked-markdown module allows XSS injection in href values. |
Cross-site Scripting (XSS) - Generic |
ronperris |
Critical |
2018-05-13 |
`base64-url` below 2.0 allocates uninitialized Buffers when number is passed in input |
Out-of-bounds Read |
chalker |
High |
2018-05-12 |
`sql` does not properly escape parameters when building SQL queries, resulting in potential SQLi |
SQL Injection |
chalker |
Medium |
2018-05-12 |
`npmconf` (and `npm` js api) allocate and write to disk uninitialized memory content when a typed number is passed as input on Node.js 4.x |
Out-of-bounds Read |
chalker |
High |
2018-05-12 |
`byte` allocates uninitialized buffers and reads data from them past the initialized length |
Out-of-bounds Read |
chalker |
Medium |
2018-05-11 |
`base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below |
Out-of-bounds Read |
chalker |
High |
2018-05-11 |
`macaddress` concatenates unsanitized input into exec() command |
Command Injection - Generic |
chalker |
Critical |
2018-05-11 |
`command-exists` concatenates unsanitized input into exec()/execSync() commands |
Command Injection - Generic |
chalker |
Critical |
2018-05-11 |
[buttle] Remote Command Execution via unsanitized PHP filename when it's run with --php-bin flag |
OS Command Injection |
bl4de |
Critical |
2018-05-11 |
Bypass to defective fix of Path Traversal |
Path Traversal |
caioluders |
High |
2018-05-11 |
`fs-path` concatenates unsanitized input into exec()/execSync() commands |
Command Injection - Generic |
chalker |
Critical |
2018-05-11 |
`stringstream` allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below |
Out-of-bounds Read |
chalker |
Medium |
2018-05-11 |
`superstatic` is vulnerable to path traversal on Windows |
Path Traversal |
chalker |
High |
2018-04-29 |
`foreman` is vulnerable to ReDoS in path |
Denial of Service |
chalker |
High |
2018-04-28 |
`concat-with-sourcemaps` allocates uninitialized Buffers when number is passed as a separator |
Out-of-bounds Read |
chalker |
Medium |
2018-04-28 |
[angular-http-server] Server Directory Traversal |
Path Traversal |
tungpun |
High |
2018-04-26 |
[cloudcmd] Stored XSS in the filename when directories listing |
Cross-site Scripting (XSS) - Generic |
tungpun |
High |
2018-04-25 |
[mcstatic] Path Traversal allows to read content of arbitrary files |
Path Traversal |
bl4de |
High |
2018-04-24 |
[pdfinfojs] Command Injection on filename parameter |
Command Injection - Generic |
caioluders |
High |
2018-04-19 |
Prototype pollution attack (merge-objects) |
None supplied |
holyvier |
Medium |
2018-04-15 |
Prototype pollution attack (merge-options) |
None supplied |
holyvier |
Low |
2018-04-15 |
Prototype pollution attack (merge-recursive) |
None supplied |
holyvier |
Low |
2018-04-15 |
Prototype pollution attack (deep-extend) |
None supplied |
holyvier |
Low |
2018-04-15 |
Prototype pollution attack (deap) |
None supplied |
holyvier |
Low |
2018-04-15 |
[glance] Stored XSS via file name allows to run arbitrary JavaScript when directory listing is displayed in browser |
Cross-site Scripting (XSS) - Stored |
bl4de |
Low |
2018-04-15 |
[public] Stored XSS in filenames in directory served by public |
Cross-site Scripting (XSS) - Stored |
bl4de |
Low |
2018-04-15 |
[bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template |
Cross-site Scripting (XSS) - Reflected |
bl4de |
High |
2018-04-09 |
`atob` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below |
Out-of-bounds Read |
chalker |
Medium |
2018-04-08 |
`http-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak |
Denial of Service |
chalker |
High |
2018-04-05 |
`sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys |
Denial of Service |
chalker |
High |
2018-04-04 |
[crud-file-server] Path Traversal allows to read arbitrary file from the server |
Path Traversal |
bl4de |
Medium |
2018-04-04 |
`https-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak |
Denial of Service |
chalker |
High |
2018-04-02 |
`protobufjs` is vulnerable to ReDoS when parsing crafted invalid *.proto files |
Denial of Service |
chalker |
Medium |
2018-03-31 |
`whereis` concatenates unsanitized input into exec() command |
Command Injection - Generic |
chalker |
Critical |
2018-03-28 |
[metascraper] Stored XSS in Open Graph meta properties read by metascraper |
Cross-site Scripting (XSS) - Stored |
bl4de |
Critical |
2018-03-28 |
[serve] Directory listing and File access even when they have been set to be ignored. |
Information Exposure Through Directory Listing |
0xchr00t |
Critical |
2018-03-13 |
[general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server |
Path Traversal |
bl4de |
High |
2018-03-10 |
[node-srv] Path Traversal allows to read arbitrary files from remote server |
Path Traversal |
bl4de |
High |
2018-03-07 |
[stattic] Improper path validation leads to Path Traversal and allows to read arbitrary files with any extension(s) |
Path Traversal |
bl4de |
High |
2018-03-06 |
[glance] Path Traversal in glance static file server allows to read content of arbitrary file |
Path Traversal |
bl4de |
High |
2018-03-04 |
[simple-server] HTML with iframe element can be used as filename, which might lead to load and execute malicious JavaScript |
Cross-site Scripting (XSS) - Stored |
bl4de |
High |
2018-03-02 |
[angular-http-server] Path Traversal in angular-http-server.js allows to read arbitrary file from the remote server |
Path Traversal |
bl4de |
High |
2018-03-01 |
[uppy] Stored XSS due to crafted SVG file |
Cross-site Scripting (XSS) - Stored |
alyssa_herrera |
Medium |
2018-03-01 |
[hekto] Path Traversal vulnerability allows to read content of arbitrary files |
Path Traversal |
bl4de |
High |
2018-02-26 |
[simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML |
Cross-site Scripting (XSS) - Stored |
bl4de |
Critical |
2018-02-26 |
[anywhere] An iframe element with url to malicious HTML file (with eg. JavaScript malware) can be used as filename and served via anywhere |
Cross-site Scripting (XSS) - Stored |
bl4de |
Critical |
2018-02-26 |
[626] Path Traversal allows to read arbitrary file from remote server |
Path Traversal |
bl4de |
High |
2018-02-26 |
[localhost-now] Path Traversal allows to read content of arbitrary file |
Path Traversal |
bl4de |
High |
2018-02-26 |
Path Traversal on Resolve-Path |
Path Traversal |
orange |
High |
2018-02-22 |
[crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server |
Cross-site Scripting (XSS) - Stored |
bl4de |
Critical |
2018-02-17 |
[public] Path Traversal allows to read content of arbitrary files |
Path Traversal |
bl4de |
High |
2018-02-17 |
Prototype pollution attack (defaults-deep) |
Denial of Service |
holyvier |
Low |
2018-02-15 |
Prototype pollution attack (merge-deep) |
Denial of Service |
holyvier |
Low |
2018-02-15 |
Prototype pollution attack (assign-deep) |
Denial of Service |
holyvier |
Low |
2018-02-15 |
Prototype pollution attack (mixin-deep) |
Denial of Service |
holyvier |
Low |
2018-02-15 |
Prototype pollution attack (Hoek) |
Denial of Service |
holyvier |
Low |
2018-02-13 |
Prototype pollution attack (lodash) |
Denial of Service |
holyvier |
Low |
2018-02-13 |
[html-janitor] Passing user-controlled data to clean() leads to XSS |
Cross-site Scripting (XSS) - DOM |
bayotop |
Critical |
2018-02-09 |
[html-janitor] Bypassing sanitization using DOM clobbering |
Business Logic Errors |
bayotop |
High |
2018-02-05 |
Fastify denial-of-service vulnerability with large JSON payloads |
Denial of Service |
nwoltman |
Critical |
2018-01-25 |
[serve] Directory index of arbitrary folder available due to lack of sanitization of %2e and %2f characters in url |
Path Traversal |
bl4de |
Critical |
2018-01-23 |
[augustine] Static Web Server Directory Traversal via Crafted GET Request |
Path Traversal |
ysx |
Medium |
2018-01-23 |
[lactate] Static Web Server Directory Traversal via Crafted GET Request |
Path Traversal |
ysx |
Medium |
2018-01-23 |
[redis-commander] Reflected SWF XSS via vulnerable "clipboard.swf" component |
Cross-site Scripting (XSS) - Reflected |
ysx |
Low |
2018-01-23 |
[serve-here] Static Web Server Directory Traversal via Crafted GET Request |
Path Traversal |
ysx |
Medium |
2018-01-10 |
[featurebook] Specification Server Directory Traversal via Crafted Browser Request |
Path Traversal |
ysx |
Medium |
2018-01-10 |