CVE-2017-16045
`jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. Date published : 2018-06-04 https://nodesecurity.io/advisories/496
`d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. Date published : 2018-06-04 https://nodesecurity.io/advisories/497
Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim’s browser. Affects shout >=0.44.0
Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution. Date published : 2018-06-04 https://github.com/tj/node-growl/issues/60 https://github.com/tj/node-growl/pull/61
ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks. Date published : 2018-06-04 https://nodesecurity.io/advisories/249
gfe-sass is a library for promises (CommonJS/Promises/A,B,D). gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested...
`hftp` is a static HTTP or FTP server. `hftp` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Date published : 2018-06-04 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/hftp...
`f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. This is compounded by `f2e-server` requiring elevated privileges to run....
`gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allowing attackers to access any file in the system by placing ‘../’ in the URL. Date published : 2018-06-04 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/gomeplus-h5-proxy https://nodesecurity.io/advisories/350
`badjs-sourcemap-server` receives files sent by `badjs-sourcemap`. `badjs-sourcemap-server` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Date published : 2018-06-04 https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/badjs-sourcemap-server https://nodesecurity.io/advisories/349
The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however...
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the...
Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server...
hostr is a simple web server that serves up the contents of the current directory. There is a directory traversal vulnerability in hostr 2.3.5 and earlier that allows an attacker to read files outside...