| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
4951 |
CVE-2017-16070 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
nodecaffe was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4952 |
CVE-2017-16069 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
nodeffmpeg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4953 |
CVE-2017-16068 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ffmepg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4954 |
CVE-2017-16067 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
node-opencv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4955 |
CVE-2017-16066 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
opencv.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4956 |
CVE-2017-16065 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
openssl.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4957 |
CVE-2017-16064 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
node-openssl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4958 |
CVE-2017-16063 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
node-opensl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4959 |
CVE-2017-16062 |
200 |
|
+Info |
2018-05-29 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4960 |
CVE-2017-16061 |
200 |
|
+Info |
2018-05-29 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4961 |
CVE-2017-16060 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
babelcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4962 |
CVE-2017-16059 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
mssql-node was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4963 |
CVE-2017-16058 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
gruntcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4964 |
CVE-2017-16057 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
nodemssql was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4965 |
CVE-2017-16056 |
200 |
|
+Info |
2018-06-06 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
mssql.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4966 |
CVE-2017-16055 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`sqlserver` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4967 |
CVE-2017-16054 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`nodefabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4968 |
CVE-2017-16053 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4969 |
CVE-2017-16052 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`node-fabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4970 |
CVE-2017-16051 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`sqliter` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4971 |
CVE-2017-16050 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`sqlite.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4972 |
CVE-2017-16049 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`nodesqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4973 |
CVE-2017-16048 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`node-sqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4974 |
CVE-2017-16047 |
200 |
|
+Info |
2018-05-29 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4975 |
CVE-2017-16046 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`mariadb` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4976 |
CVE-2017-16045 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4977 |
CVE-2017-16044 |
200 |
|
+Info |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
|
4978 |
CVE-2017-16039 |
22 |
|
Dir. Trav. |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`hftp` is a static http or ftp server `hftp` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
|
4979 |
CVE-2017-16038 |
22 |
|
Dir. Trav. |
2018-06-04 |
2018-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. This is compounded by `f2e-server` requiring elevated privileges to run. |
|
4980 |
CVE-2017-16037 |
22 |
|
Dir. Trav. |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allowing attackers to access any file in the system by placing '../' in the URL. |
|
4981 |
CVE-2017-16036 |
22 |
|
Dir. Trav. |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
`badjs-sourcemap-server` receives files sent by `badjs-sourcemap`. `badjs-sourcemap-server` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
|
4982 |
CVE-2017-16031 |
330 |
|
+Info |
2018-06-04 |
2018-07-31 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information. |
|
4983 |
CVE-2017-16030 |
|
|
|
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier. |
|
4984 |
CVE-2017-16029 |
22 |
|
Dir. Trav. |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
hostr is a simple web server that serves up the contents of the current directory. There is a directory traversal vulnerability in hostr 2.3.5 and earlier that allows an attacker to read files outside the current directory by sending `../` in the url path for GET requests. |
|
4985 |
CVE-2017-16028 |
338 |
|
|
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()). |
|
4986 |
CVE-2017-16023 |
20 |
|
DoS |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Decamelize is used to convert a dash/dot/underscore/space separated string to camelCase. Decamelize 1.1.0 through 1.1.1 uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack. |
|
4987 |
CVE-2017-16014 |
388 |
|
DoS |
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Http-proxy is a proxying library. Because of the way errors are handled in versions before 0.7.0, an attacker that forces an error can crash the server, causing a denial of service. |
|
4988 |
CVE-2017-16013 |
20 |
|
|
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached. |
|
4989 |
CVE-2017-16005 |
347 |
|
|
2018-06-04 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature. |
|
4990 |
CVE-2017-15999 |
319 |
|
|
2017-10-29 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In the "NQ Contacts Backup & Restore" application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required. |
|
4991 |
CVE-2017-15998 |
327 |
|
+Info |
2017-10-29 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In the "NQ Contacts Backup & Restore" application 1.1 for Android, DES encryption with a static key is used to secure transmitted contact data. This makes it easier for remote attackers to obtain cleartext information by sniffing the network. |
|
4992 |
CVE-2017-15956 |
20 |
|
|
2017-10-29 |
2017-11-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ConverTo Video Downloader & Converter 1.4.1 allows Arbitrary File Download via the token parameter to download.php. |
|
4993 |
CVE-2017-15943 |
918 |
|
+Info |
2017-12-11 |
2017-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The configuration file import for applications, spyware and vulnerability objects functionality in the web interface in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, and 7.1.x before 7.1.14 allows remote attackers to conduct server-side request forgery (SSRF) attacks and consequently obtain sensitive information via vectors related to parsing of external entities. |
|
4994 |
CVE-2017-15942 |
|
|
DoS |
2017-12-11 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.13, and 8.0.x before 8.0.6 allows remote attackers to cause a denial of service via vectors related to the management interface. |
|
4995 |
CVE-2017-15938 |
119 |
|
DoS Overflow |
2017-10-27 |
2018-01-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash). |
|
4996 |
CVE-2017-15928 |
20 |
|
|
2017-10-27 |
2017-11-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated "Ox should handle the error more gracefully" but has not confirmed a security implication. |
|
4997 |
CVE-2017-15923 |
|
|
DoS |
2017-11-15 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Konversation 1.4.x, 1.5.x, 1.6.x, and 1.7.x before 1.7.3 allow remote attackers to cause a denial of service (crash) via vectors related to parsing of IRC color formatting codes. |
|
4998 |
CVE-2017-15921 |
476 |
|
|
2017-10-30 |
2017-11-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186.150, the zam32.sys driver contains a NULL pointer dereference vulnerability that gets triggered when sending an operation to ioctl 0x80002010. This is due to the input buffer being NULL or the input buffer size being 0 as they are not validated. |
|
4999 |
CVE-2017-15920 |
476 |
|
|
2017-10-30 |
2017-11-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186.150, the zam32.sys driver contains a NULL pointer dereference vulnerability that gets triggered when sending an operation to ioctl 0x80002054. This is due to the input buffer being NULL or the input buffer size being 0 as they are not validated. |
|
5000 |
CVE-2017-15908 |
835 |
|
|
2017-10-26 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service. |
