CVE-2016-10686
In short
fis-sass-all fetches its prebuilt binary over unencrypted HTTP instead of HTTPS, so an attacker on the network path can intercept the download and replace the file with a malicious one, which then runs on the machine that installs or uses the package.
Technical detail
The package downloads binary resources over plain HTTP, which provides neither confidentiality nor integrity for the transfer. Anyone positioned between the client and the server (a hostile Wi-Fi network, a rogue proxy, a compromised router or upstream network) can return a substituted binary, and because the package does not pin a checksum for the file it fetches, nothing detects the swap. The attacker-controlled binary is then loaded by the application using fis-sass-all, giving arbitrary code execution with the privileges of that process. Fixing it requires both fetching over HTTPS and verifying the downloaded file against a digest shipped with the package; HTTPS alone still trusts whatever the origin serves.
Summary generated and translated by AI from the official description.
fis-sass-all is another libsass wrapper for node. fis-sass-all downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Affected products
HackerOne · fis-sass-all node module
References
https://nodesecurity.io/advisories/287