CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Nodejs » Node.js : Security Vulnerabilities Published In 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-15897 200 +Info 2017-12-11 2017-12-29
4.3
None Remote Medium Not required Partial None None
Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.
2 CVE-2017-15896 Bypass 2017-12-11 2019-10-03
6.4
None Remote Low Not required Partial Partial None
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.
3 CVE-2017-14919 20 DoS 2017-10-30 2017-11-21
5.0
None Remote Low Not required None None Partial
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.
4 CVE-2017-14849 22 Dir. Trav. 2017-09-28 2019-10-03
5.0
None Remote Low Not required Partial None None
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
5 CVE-2017-11499 20 2017-07-25 2017-12-07
5.0
None Remote Low Not required None None Partial
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.
6 CVE-2015-8860 59 2017-01-23 2017-01-24
5.0
None Remote Low Not required None Partial None
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
7 CVE-2015-8859 200 +Info 2017-01-23 2017-03-02
5.0
None Remote Low Not required Partial None None
The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.
8 CVE-2015-8856 79 XSS 2017-01-23 2017-03-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name.
9 CVE-2015-8855 399 DoS 2017-01-23 2017-01-26
7.8
None Remote Low Not required None None Complete
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
10 CVE-2015-8854 399 DoS 2017-01-23 2020-05-31
7.8
None Remote Low Not required None None Complete
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."
11 CVE-2015-8315 399 DoS 2017-01-23 2017-03-02
7.8
None Remote Low Not required None None Complete
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
12 CVE-2015-7384 400 DoS 2017-10-10 2017-10-27
5.0
None Remote Low Not required None None Partial
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.
13 CVE-2015-2927 399 DoS 2017-09-20 2019-11-25
6.8
None Remote Low ??? None None Complete
node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption).
14 CVE-2014-9772 79 XSS Bypass 2017-01-23 2017-03-29
4.3
None Remote Medium Not required None Partial None
The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters.
15 CVE-2014-3744 22 Dir. Trav. 2017-10-23 2017-11-15
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
16 CVE-2013-7454 79 XSS Bypass 2017-01-23 2017-01-24
4.3
None Remote Medium Not required None Partial None
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings.
17 CVE-2013-7453 79 XSS Bypass 2017-01-23 2017-01-24
4.3
None Remote Medium Not required None Partial None
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.
18 CVE-2013-7452 79 XSS Bypass 2017-01-23 2017-01-24
4.3
None Remote Medium Not required None Partial None
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI.
19 CVE-2013-7451 79 XSS Bypass 2017-01-23 2017-01-24
4.3
None Remote Medium Not required None Partial None
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag.
Total number of vulnerabilities : 19   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.