The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2020-28450 | This affects all versions of package decal. The vulnerability is in the extend function. | -- | Feb 4, 2021 | n/a |
| CVE-2020-28449 | This affects all versions of package decal. The vulnerability is in the set function. | -- | Feb 4, 2021 | n/a |
| CVE-2020-28438 | This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js | -- | Jul 25, 2022 | n/a |
| CVE-2022-24434 | This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes. | MEDIUM | May 20, 2022 | n/a |
| CVE-2021-23732 | This affects all versions of package docker-cli-js. If the command parameter of the Docker.command method can at least be partially controlled by a user, they will be in a position to execute any arbitrary OS commands on the host system. | HIGH | Nov 22, 2021 | n/a |
| CVE-2020-7757 | This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server. | -- | Nov 3, 2020 | n/a |
| CVE-2021-23427 | This affects all versions of package elFinder.NetCore. The ExtractAsync function within the FileSystem is vulnerable to arbitrary extraction due to insufficient validation. | HIGH | Sep 1, 2021 | n/a |
| CVE-2021-23428 | This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Due to missing sanitation of the user input and a missing check of the generated path its possible to escape the Files directory via path traversal | HIGH | Sep 1, 2021 | n/a |
| CVE-2020-7687 | This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js. | MEDIUM | Jul 27, 2020 | n/a |
| CVE-2020-28435 | This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js. | -- | Jul 25, 2022 | n/a |
| CVE-2021-23376 | This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | HIGH | Apr 18, 2021 | n/a |
| CVE-2021-23385 | This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\\\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using \'autocorrect_location_header=False. **Note:** Flask-Security is not maintained anymore. | -- | Aug 2, 2022 | n/a |
| CVE-2021-23401 | This affects all versions of package Flask-User. When using the make_safe_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as /////evil.com/path or \\\\\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using \'autocorrect_location_header=False. | MEDIUM | Jul 8, 2021 | n/a |
| CVE-2020-7775 | This affects all versions of package freediskspace. The vulnerability arises out of improper neutralization of arguments in line 71 of freediskspace.js. | -- | Feb 2, 2021 | n/a |
| CVE-2020-28434 | This affects all versions of package gitblame. The injection point is located in line 15 in lib/gitblame.js. | -- | Aug 2, 2022 | n/a |
| CVE-2020-28483 | This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client\'s IP can be spoofed by setting the X-Forwarded-For header. | -- | Jan 20, 2021 | n/a |
| CVE-2021-23772 | This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder. | MEDIUM | Dec 24, 2021 | n/a |
| CVE-2020-28466 | This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention. Those who are running such services are encouraged to build regularly from git. | MEDIUM | Mar 7, 2021 | n/a |
| CVE-2020-7711 | This affects all versions of package github.com/russellhaering/goxmldsig. There is a crash on nil-pointer dereference caused by sending malformed XML signatures. | MEDIUM | Aug 23, 2020 | n/a |
| CVE-2020-7666 | This affects all versions of package github.com/u-root/u-root/pkg/cpio. It is vulnerable to leading, non-leading relative path traversal attacks and symlink based (relative and absolute) path traversal attacks in cpio file extraction. | MEDIUM | Sep 4, 2020 | n/a |
| CVE-2020-7669 | This affects all versions of package github.com/u-root/u-root/pkg/tarutil. It is vulnerable to both leading and non-leading relative path traversal attacks in tar file extraction. | MEDIUM | Sep 1, 2020 | n/a |
| CVE-2020-7665 | This affects all versions of package github.com/u-root/u-root/pkg/uzip. It is vulnerable to both leading and non-leading relative path traversal attacks in zip file extraction. | MEDIUM | Sep 4, 2020 | n/a |
| CVE-2020-28436 | This affects all versions of package google-cloudstorage-commands. | -- | Jul 25, 2022 | n/a |
| CVE-2020-7641 | This affects all versions of package grunt-util-property. The function call could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | -- | Jul 17, 2022 | n/a |
| CVE-2020-28437 | This affects all versions of package heroku-env. The injection point is located in lib/get.js which is required by index.js. | -- | Aug 2, 2022 | n/a |
| CVE-2021-23654 | This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via CSV files. | HIGH | Nov 26, 2021 | n/a |
| CVE-2020-28477 | This affects all versions of package immer. | MEDIUM | Jan 22, 2021 | n/a |
| CVE-2021-23328 | This affects all versions of package iniparserjs. This vulnerability relates when ini_parser.js is concentrating arrays. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program. | -- | Jan 29, 2021 | n/a |
| CVE-2020-28462 | This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | -- | Jul 25, 2022 | n/a |
| CVE-2020-7777 | This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In the module description and README file there is no mention about the risks of untrusted schema files, so I assume that this is applicable. In particular the required field of the schema is not properly sanitized. The resulting string that is build based on the schema definition is then passed to a Function.apply();, leading to an Arbitrary Code Execution. | -- | Nov 23, 2020 | n/a |
| CVE-2021-23820 | This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays. | HIGH | Nov 5, 2021 | n/a |
| CVE-2020-7766 | This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution. | HIGH | Nov 10, 2020 | n/a |
| CVE-2021-23356 | This affects all versions of package kill-process-by-name. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file. | HIGH | Mar 18, 2021 | n/a |
| CVE-2021-23381 | This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | HIGH | Apr 18, 2021 | n/a |
| CVE-2022-21144 | This affects all versions of package libxmljs. When invoking the libxmljs.parseXml function with a non-buffer argument the V8 code will attempt invoking the .toString method of the argument. If the argument\'s toString value is not a Function object V8 will crash. | MEDIUM | May 3, 2022 | n/a |
| CVE-2020-7747 | This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller. | LOW | Oct 22, 2020 | n/a |
| CVE-2020-7786 | This affects all versions of package macfromip. The injection point is located in line 66 in macfromip.js. | HIGH | Feb 11, 2021 | n/a |
| CVE-2020-28459 | This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28455 | This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped. | -- | Jul 25, 2022 | n/a |
| CVE-2020-7682 | This affects all versions of package marked-tree. There is no path sanitization in the path provided at fs.readFile in index.js. | MEDIUM | Jul 27, 2020 | n/a |
| CVE-2020-7681 | This affects all versions of package marscode. There is no path sanitization in the path provided at fs.readFile in index.js. | MEDIUM | Jul 27, 2020 | n/a |
| CVE-2020-7697 | This affects all versions of package mock2easy. a malicious user could inject commands through the _data variable: Affected Area require(\'../server/getJsonByCurl\')(mock2easy, function (error, stdout) { if (error) { return res.json(500, error); } res.json(JSON.parse(stdout)); }, \'\', _data.interfaceUrl, query, _data.cookie,_data.interfaceType); | HIGH | Jul 30, 2020 | n/a |
| CVE-2020-28423 | This affects all versions of package monorepo-build. | -- | Aug 5, 2022 | n/a |
| CVE-2021-23432 | This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge() | HIGH | Aug 24, 2021 | n/a |
| CVE-2022-21213 | This affects all versions of package mout. The deepFillIn function can be used to \'fill missing properties recursively\', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544). | MEDIUM | Jun 18, 2022 | n/a |
| CVE-2020-7792 | This affects all versions of package mout. The deepFillIn function can be used to \'fill missing properties recursively\', while the deepMixIn \'mixes objects into the target object, recursively mixing existing child objects as well\'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution. | -- | Dec 11, 2020 | n/a |
| CVE-2021-23395 | This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload. | MEDIUM | Jun 15, 2021 | n/a |
| CVE-2020-7678 | This affects all versions of package node-import. The params argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located in line 79 in the index file index.js. | -- | Jul 25, 2022 | n/a |
| CVE-2020-28433 | This affects all versions of package node-latex-pdf. | -- | Aug 2, 2022 | n/a |
| CVE-2020-7740 | This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a url that will be passed to an external server allowing an SSRF attack. | -- | Oct 6, 2020 | n/a |
