Vulnerabilidades em HackerOne

470 resultados
CVE-2017-0901RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any fEPSS 29.4%CVE-2018-3758Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine.EPSS 27.5%CVE-2018-3760There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. SpeciaEPSS 26.7%CVE-2017-0938Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Discovery Protocol in amplificatiEPSS 21.0%CVE-2017-0903RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem speEPSS 15.9%CVE-2017-0899RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. PrintinEPSS 10.8%CVE-2017-16082A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column EPSS 10.5%CVE-2017-0898Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus valEPSS 9.7%CVE-2017-16086ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack whEPSS 9.2%CVE-2018-3714node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read conEPSS 8.6%CVE-2015-9235In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetEPSS 8.3%CVE-2016-10542ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". BEPSS 7.5%CVE-2018-3779active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoEPSS 6.1%CVE-2017-16100dns-sync is a sync/blocking dns resolver. If untrusted user input is allowed into the resolve() method then command injection is possible.EPSS 5.1%CVE-2018-3746The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on thEPSS 4.9%CVE-2016-10555Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent tEPSS 4.9%CVE-2017-0902RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client EPSS 4.8%CVE-2017-16042Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing foEPSS 4.4%CVE-2018-3774Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass AutEPSS 3.8%CVE-2017-16226The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to acceEPSS 3.6%