Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID | Description | Priority | Modified date
CVE-2017-16125 rtcmulticonnection-client is a signaling implementation for RTCMultiConnection.js, a multi-session manager. rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16124 node-server-forfront is a simple static file server. node-server-forfront is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16123 welcomyzt is a simple file server. welcomyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16122 cuciuci is a simple fileserver. cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16121 datachannel-client is a signaling implementation for DataChannel.js. datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16120 liyujing is a static file server. liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16119 Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition. MEDIUM Jun 6, 2018
CVE-2017-16118 The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition. MEDIUM Jun 12, 2018
CVE-2017-16117 slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds. MEDIUM Jun 6, 2018
CVE-2017-16116 The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods. MEDIUM Oct 9, 2019
CVE-2017-16115 The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds. MEDIUM Jun 6, 2018
CVE-2017-16114 The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds. MEDIUM Jun 6, 2018
CVE-2017-16113 The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed. MEDIUM Jun 6, 2018
CVE-2017-16112 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs:CVE-2017-15010. Reason: This candidate is a reservation duplicate of CVE-2017-15010. Notes: All CVE users should reference CVE-2017-15010 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage -- Nov 7, 2023
CVE-2017-16111 The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header. MEDIUM Jun 6, 2018
CVE-2017-16110 weather.swlyons is a simple web server for weather updates. weather.swlyons is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16109 easyquick is a simple web server. easyquick is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. Access is constrained, however, to supported file types. Requesting a file such as /etc/passwd returns a not supported error. MEDIUM Jun 6, 2018
CVE-2017-16108 gaoxiaotingtingting is an HTTP server. gaoxiaotingtingting is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16107 pooledwebsocket is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16106 tmock is a static file server. tmock is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16105 serverwzl is a simple http server. serverwzl is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16104 citypredict.whauwiller is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16103 serveryztyzt is a simple http server. serveryztyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16102 serverhuwenhui is a simple http server. serverhuwenhui is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16101 serverwg is a simple http server. serverwg is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16100 dns-sync is a sync/blocking dns resolver. If untrusted user input is allowed into the resolve() method then command injection is possible. HIGH Jun 6, 2018
CVE-2017-16099 The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition. MEDIUM Jun 6, 2018
CVE-2017-16098 charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb, so the impact of the ReDoS is relatively low. MEDIUM Jun 6, 2018
CVE-2017-16097 tiny-http is a simple http server. tiny-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16096 serveryaozeyan is a simple HTTP server. serveryaozeyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16095 serverliujiayi1 is a simple http server. serverliujiayi1 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16094 iter-http is a server for static files. iter-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16093 cyber-js is a simple http server. A cyberjs server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16092 Sencisho is a simple http server for local development. Sencisho is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16091 xtalk helps your browser talk to nodex, a simple web framework. xtalk is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16090 fsk-server is a simple http server. fsk-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16089 serverlyr is a simple http server. serverlyr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16088 The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. HIGH Jun 6, 2018
CVE-2017-16086 ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header. MEDIUM Jun 6, 2018
CVE-2017-16085 tinyserver2 is a webserver for static files. tinyserver2 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16084 list-n-stream is a server for static files to list and stream local videos. list-n-stream v0.0.10 or lower is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 6, 2018
CVE-2017-16083 node-simple-router is a minimalistic router for Node. node-simple-router is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL. MEDIUM Jun 6, 2018
CVE-2017-16082 A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious. HIGH Jun 6, 2018
CVE-2017-16081 cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 6, 2018
CVE-2017-16080 nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 6, 2018
CVE-2017-16079 smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 6, 2018
CVE-2017-16078 shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 6, 2018
CVE-2017-16077 mongose was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 6, 2018
CVE-2017-16076 proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 6, 2018
CVE-2017-16075 http-proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 6, 2018
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.