| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 22601 | CVE-2017-16084 | 22 | | Dir. Trav. | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
list-n-stream is a server for static files to list and stream local videos. list-n-stream v0.0.10 or lower is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. |
| 22602 | CVE-2017-16083 | 22 | | Dir. Trav. | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
node-simple-router is a minimalistic router for Node. node-simple-router is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. |
| 22603 | CVE-2017-16082 | 94 | | Exec Code | 2018-06-06 | 2019-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would be vulnerable: 1) Executing unsafe, user-supplied SQL which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious. |
| 22604 | CVE-2017-16081 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22605 | CVE-2017-16080 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22606 | CVE-2017-16079 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22607 | CVE-2017-16078 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22608 | CVE-2017-16077 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
mongose was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22609 | CVE-2017-16076 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22610 | CVE-2017-16075 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
http-proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22611 | CVE-2017-16074 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
crossenv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22612 | CVE-2017-16073 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
noderequest was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22613 | CVE-2017-16072 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
nodemailer.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22614 | CVE-2017-16071 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
nodemailer-js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22615 | CVE-2017-16070 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
nodecaffe was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22616 | CVE-2017-16069 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
nodeffmpeg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22617 | CVE-2017-16068 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
ffmepg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22618 | CVE-2017-16067 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
node-opencv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22619 | CVE-2017-16066 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
opencv.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22620 | CVE-2017-16065 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
openssl.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22621 | CVE-2017-16064 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
node-openssl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22622 | CVE-2017-16063 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
node-opensl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22623 | CVE-2017-16062 | 200 | | +Info | 2018-05-29 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22624 | CVE-2017-16061 | 200 | | +Info | 2018-05-29 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22625 | CVE-2017-16060 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
babelcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22626 | CVE-2017-16059 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
mssql-node was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22627 | CVE-2017-16058 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
gruntcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22628 | CVE-2017-16057 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
nodemssql was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22629 | CVE-2017-16056 | 200 | | +Info | 2018-06-06 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
mssql.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22630 | CVE-2017-16055 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`sqlserver` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22631 | CVE-2017-16054 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`nodefabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22632 | CVE-2017-16053 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22633 | CVE-2017-16052 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`node-fabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22634 | CVE-2017-16051 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`sqliter` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22635 | CVE-2017-16050 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`sqlite.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22636 | CVE-2017-16049 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`nodesqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22637 | CVE-2017-16048 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`node-sqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22638 | CVE-2017-16047 | 200 | | +Info | 2018-05-29 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22639 | CVE-2017-16046 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`mariadb` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22640 | CVE-2017-16045 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22641 | CVE-2017-16044 | 200 | | +Info | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| 22642 | CVE-2017-16043 | 74 | | | 2018-06-04 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3. |
| 22643 | CVE-2017-16042 | 78 | | Exec Code | 2018-06-04 | 2019-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Growl adds growl notification support to Node.js. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution. |
| 22644 | CVE-2017-16041 | 319 | | | 2018-06-04 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks. |
| 22645 | CVE-2017-16040 | 319 | | Exec Code | 2018-06-04 | 2019-10-09 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete |
gfe-sass is a library for promises (CommonJS/Promises/A,B,D). gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned in between the user and the remote server. |
| 22646 | CVE-2017-16039 | 22 | | Dir. Trav. | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`hftp` is a static HTTP or FTP server. `hftp` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. |
| 22647 | CVE-2017-16038 | 22 | | Dir. Trav. | 2018-06-04 | 2018-07-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. This is compounded by `f2e-server` requiring elevated privileges to run. |
| 22648 | CVE-2017-16037 | 22 | | Dir. Trav. | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allowing attackers to access any file in the system by placing '../' in the URL. |
| 22649 | CVE-2017-16036 | 22 | | Dir. Trav. | 2018-06-04 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
`badjs-sourcemap-server` receives files sent by `badjs-sourcemap`. `badjs-sourcemap-server` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. |
| 22650 | CVE-2017-16035 | 319 | | | 2018-06-04 | 2019-10-09 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete |
The hubl-server module is a wrapper for the HubL Development Server. During installation, hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS; however, the api.hubapi.com endpoint redirects to an HTTP URL. Because of this behavior, an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation. |