The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2017-16125 | rtcmulticonnection-client is a signaling implementation for RTCMultiConnection.js, a multi-session manager. rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16124 | node-server-forfront is a simple static file server. node-server-forfront is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16123 | welcomyzt is a simple file server. welcomyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16122 | cuciuci is a simple fileserver. cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16121 | datachannel-client is a signaling implementation for DataChannel.js. datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16120 | liyujing is a static file server. liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16119 | Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This blocks the event loop, causing a denial of service condition. | MEDIUM | Jun 6, 2018 |
CVE-2017-16118 | The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This blocks the event loop, causing a denial of service condition. | MEDIUM | Jun 12, 2018 |
CVE-2017-16117 | slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds. | MEDIUM | Jun 6, 2018 |
CVE-2017-16116 | The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods. | MEDIUM | Oct 9, 2019 |
CVE-2017-16115 | The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds. | MEDIUM | Jun 6, 2018 |
CVE-2017-16114 | The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds. | MEDIUM | Jun 6, 2018 |
CVE-2017-16113 | The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed. | MEDIUM | Jun 6, 2018 |
CVE-2017-16112 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-15010. Reason: This candidate is a reservation duplicate of CVE-2017-15010. Notes: All CVE users should reference CVE-2017-15010 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Nov 7, 2023 |
CVE-2017-16111 | The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header. | MEDIUM | Jun 6, 2018 |
CVE-2017-16110 | weather.swlyons is a simple web server for weather updates. weather.swlyons is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16109 | easyquick is a simple web server. easyquick is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. Access is constrained, however, to supported file types. Requesting a file such as /etc/passwd returns a not supported error. | MEDIUM | Jun 6, 2018 |
CVE-2017-16108 | gaoxiaotingtingting is an HTTP server. gaoxiaotingtingting is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16107 | pooledwebsocket is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16106 | tmock is a static file server. tmock is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16105 | serverwzl is a simple http server. serverwzl is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16104 | citypredict.whauwiller is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16103 | serveryztyzt is a simple http server. serveryztyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16102 | serverhuwenhui is a simple http server. serverhuwenhui is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16101 | serverwg is a simple http server. serverwg is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16100 | dns-sync is a sync/blocking dns resolver. If untrusted user input is allowed into the resolve() method then command injection is possible. | HIGH | Jun 6, 2018 |
CVE-2017-16099 | The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition. | MEDIUM | Jun 6, 2018 |
CVE-2017-16098 | charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slowdown of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is relatively low. | MEDIUM | Jun 6, 2018 |
CVE-2017-16097 | tiny-http is a simple http server. tiny-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16096 | serveryaozeyan is a simple HTTP server. serveryaozeyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16095 | serverliujiayi1 is a simple http server. serverliujiayi1 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16094 | iter-http is a server for static files. iter-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16093 | cyber-js is a simple http server. A cyberjs server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16092 | Sencisho is a simple http server for local development. Sencisho is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16091 | xtalk helps your browser talk to nodex, a simple web framework. xtalk is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16090 | fsk-server is a simple http server. fsk-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16089 | serverlyr is a simple http server. serverlyr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16088 | The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. | HIGH | Jun 6, 2018 |
CVE-2017-16086 | ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header. | MEDIUM | Jun 6, 2018 |
CVE-2017-16085 | tinyserver2 is a webserver for static files. tinyserver2 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16084 | list-n-stream is a server for static files to list and stream local videos. list-n-stream v0.0.10 or lower is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. | MEDIUM | Jun 6, 2018 |
CVE-2017-16083 | node-simple-router is a minimalistic router for Node. node-simple-router is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. | MEDIUM | Jun 6, 2018 |
CVE-2017-16082 | A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would be vulnerable: 1) executing unsafe, user-supplied SQL which contains a malicious column name; 2) connecting to an untrusted database and executing a query which returns results where any of the column names are malicious. | HIGH | Jun 6, 2018 |
CVE-2017-16081 | cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | MEDIUM | Jun 6, 2018 |
CVE-2017-16080 | nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | MEDIUM | Jun 6, 2018 |
CVE-2017-16079 | smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | MEDIUM | Jun 6, 2018 |
CVE-2017-16078 | shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | MEDIUM | Jun 6, 2018 |
CVE-2017-16077 | mongose was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | MEDIUM | Jun 6, 2018 |
CVE-2017-16076 | proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | MEDIUM | Jun 6, 2018 |
CVE-2017-16075 | http-proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | MEDIUM | Jun 6, 2018 |