CVE-2017-16013
hapi is a web and services application framework. When hapi >= 15.0.0
ag-grid is an advanced data grid that is library agnostic. ag-grid is vulnerable to Cross-site Scripting (XSS) via Angular Expressions, if AngularJS is used in combination with ag-grid. Date published : 2018-06-04 https://github.com/ceolter/ag-grid/issues/1287 https://nodesecurity.io/advisories/327
i18next is a language translation framework. Because of how the interpolation is implemented, making replacements from the dictionary one at a time, untrusted user input can use the name of one of the dictionary...
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows...
Remarkable is a markdown parser. In versions 1.6.2 and lower, remarkable allows the use of `data:` URIs in links and can therefore execute JavaScript. Date published : 2018-06-04 https://github.com/jonschlinkert/remarkable/issues/227 https://nodesecurity.io/advisories/319
Http-signature is a "Reference implementation of Joyent’s HTTP Signature Scheme". In versions
An exploitable file write vulnerability exists in the memory module functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a file write resulting in a...
html-janitor node module suffers from a Cross-Site Scripting (XSS) vulnerability via clean() accepting user-controlled values. Date published : 2018-06-04 https://github.com/guardian/html-janitor/issues/34 https://hackerone.com/reports/308155
augustine node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path. Date published : 2018-06-04...
html-janitor node module suffers from an External Control of Critical State Data vulnerability via user-control of the ‘_sanitized’ variable causing sanitization to be bypassed. Date published : 2018-06-04 https://github.com/guardian/html-janitor/issues/35 https://hackerone.com/reports/308158
An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software Foxit PDF Reader version 9.0.1.1049. A specially crafted PDF document can trigger a previously freed object in memory to be reused resulting...
IBM BigFix Platform 9.2 and 9.5 transmits sensitive or security-critical data in clear text in a communication channel that can be sniffed by unauthorized actors. IBM X-Force ID: 143745. Date published : 2018-06-04 http://www.ibm.com/support/docview.wss?uid=swg22015754...
The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread subject. Date published : 2018-06-04 https://www.exploit-db.com/exploits/44833/ https://community.mybb.com/mods.php?action=changelog&pid=842
An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. This issue is caused by improper session handling...