CVE-2016-10558
aerospike is an Aerospike add-on module for Node.js. aerospike versions below 2.4.2 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution...
sequelize is an object-relational mapper, a middleman that converts things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. In Postgres, SQLite, and Microsoft SQL Server there is...
waterline-sequel is a module that helps generate SQL statements for Waterline apps. Any user input that goes into Waterline’s `like`, `contains`, `startsWith`, or `endsWith` will end up in waterline-sequel with the potential for malicious...
When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication. Date published : 2018-05-29 https://github.com/dwyl/hapi-auth-jwt2/issues/111 https://github.com/dwyl/hapi-auth-jwt2/pull/112
IBM Security Guardium Big Data Intelligence (SonarG) 3.1 generates an error message that includes sensitive information about its environment, users, or associated data. IBM X-Force ID: 136471. Date published : 2018-05-29 http://www.securityfocus.com/bid/104493 http://www.ibm.com/support/docview.wss?uid=swg22016515
gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Date published : 2018-05-29 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/gaoxuyan https://nodesecurity.io/advisories/378
node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. Date published : 2018-05-29 https://nodesecurity.io/advisories/501
tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. Date published : 2018-05-29 https://nodesecurity.io/advisories/500
mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. Date published : 2018-05-29 https://nodesecurity.io/advisories/494
i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting...
windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause...
VMware Horizon Client for Linux (4.x before 4.8.0 and prior) contains a local privilege escalation vulnerability due to insecure usage of SUID binary. Successful exploitation of this issue may allow unprivileged users to escalate...
Symantec Advanced Secure Gateway (ASG) 6.6 and 6.7, and ProxySG 6.5, 6.6, and 6.7 are susceptible to a SAML authentication bypass vulnerability. The products can be configured with a SAML authentication realm to authenticate...
atob 2.0.3 and earlier allocates uninitialized Buffers when a number is passed as input on Node.js 4.x and below. Date published : 2018-05-29 https://hackerone.com/reports/321686