Vulnerabilities on HackerOne
470 results

CVE-2016-10536 (EPSS 1.0%): engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communicatio…
CVE-2016-10538 (EPSS 1.0%): The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user…
CVE-2017-16006 (EPSS 1.0%): Remarkable is a markdown parser. In versions 1.6.2 and lower, remarkable allows the use of `data:` URIs in links and can therefore execute j…
CVE-2014-10065 (EPSS 1.0%): Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for…
CVE-2017-16018 (EPSS 1.0%): Restify is a framework for building REST APIs. Restify >=2.0.0 <=4.0.4 using URL encoded script tags in a non-existent URL, an attacker can…
CVE-2018-3738 (EPSS 1.0%): protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files.
CVE-2016-10534 (EPSS 1.0%): electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages. along with Electron. The `--str…
CVE-2017-16019 (EPSS 0.9%): GitBook is a command line tool (and Node.js library) for building beautiful books using GitHub/Git and Markdown (or AsciiDoc). Stored Cross-…
CVE-2018-3743 (EPSS 0.9%): Open redirect in hekto <=0.2.3 when target domain name is used as html filename on server.
CVE-2017-16007 (EPSS 0.9%): node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers…
CVE-2018-3755 (EPSS 0.9%): XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element u…
CVE-2018-3771 (EPSS 0.9%): An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browse…
CVE-2017-16022 (EPSS 0.9%): Morris.js creates an svg graph, with labels that appear when hovering over a point. The hovering label names are not escaped in versions 0.5…
CVE-2015-9240 (EPSS 0.9%): Due to a bug in the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched…
CVE-2017-16224 (EPSS 0.9%): st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely differ…
CVE-2017-16008 (EPSS 0.9%): i18next is a language translation framework. Because of how the interpolation is implemented, making replacements from the dictionary one at…
CVE-2017-16005 (EPSS 0.9%): Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header…
CVE-2017-16015 (EPSS 0.8%): Forms is a library for easily creating HTML forms. Versions before 1.3.0 did not have proper html escaping. This means that if the applicati…
CVE-2018-3735 (EPSS 0.8%): bracket-template suffers from reflected XSS possible when variable passed via GET parameter is used in template
CVE-2016-10524 (EPSS 0.8%): i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used…
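The two remarkable entries above (CVE-2017-16006 and CVE-2014-10065) both describe the same class of bug: a link-target check that tries to reject the `javascript:` scheme but lets `data:` URIs or variant spellings through. The following is an added example that illustrates that class in general; it is not remarkable's code and does not reproduce the specific inputs from those advisories. The function names, the allowlist, and the sample links are assumptions made for the illustration. The hardened check applies the normalisation browsers use before parsing a URL (strip leading/trailing whitespace and control characters, drop embedded tab/newline, lower-case the scheme) and then allowlists schemes instead of denying one.

```javascript
// Added example, not code from remarkable or from the advisories above.
// Illustrates why a scheme blacklist on link targets fails, and one
// allowlist-based alternative. All names and inputs here are assumptions.

// Naive check: only rejects a string that literally starts with "javascript:".
function naiveIsSafeLink(href) {
  return !href.startsWith("javascript:");
}

// Schemes the hardened check allows (assumption: what a markdown renderer
// for untrusted content would usually want).
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Hardened check: normalise the way a browser does before resolving a URL,
// then allow only known-safe schemes. Scheme-less (relative) links pass.
function hardenedIsSafeLink(href) {
  const normalized = href
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "") // leading/trailing C0 + space
    .replace(/[\t\n\r]/g, "")                            // embedded tab/newline
    .toLowerCase();
  // A scheme is [a-z][a-z0-9+.-]* followed by ':'.
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalized);
  if (m === null) return true; // relative URL: nothing to abuse
  return ALLOWED_SCHEMES.has(m[1]);
}

// Constructed sample links exercising the usual bypass shapes.
const SAMPLE_LINKS = [
  "https://example.com/page",
  "/relative/path",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
];

// Returns the sample links a given check accepts that the hardened check
// rejects, i.e. the bypasses of that check.
function bypassesOf(check) {
  return SAMPLE_LINKS.filter((h) => check(h) && !hardenedIsSafeLink(h));
}

// Stand-alone run: list what each check lets through.
for (const h of SAMPLE_LINKS) {
  console.log(JSON.stringify(h), "naive:", naiveIsSafeLink(h), "hardened:", hardenedIsSafeLink(h));
}
console.log("bypasses of naive check:", bypassesOf(naiveIsSafeLink));
```

The point is not the particular bypass strings but the shape of the check: a denylist has to anticipate every spelling the browser will accept, while an allowlist applied after browser-style normalisation only has to name the schemes the application actually needs.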