bl4de

28 exploits Active since May 2018
CVE-2018-16459 GITHUB MEDIUM NO CODE
exceljs < 1.6 - Cross-Site Scripting via Cell Value
An unescaped payload in exceljs <v1.6 allows a possible XSS via cell value when worksheet is displayed in browser.
CVSS 6.1
CVE-2018-16484 GITHUB MEDIUM NO CODE
m-server < 1.4.2 - Stored Cross-Site Scripting via Folder Name
An XSS vulnerability was found in module m-server <1.4.2 that allows malicious JavaScript code or HTML to be executed, due to the lack of escaping for special characters in folder names.
CVSS 5.4
CVE-2018-16485 GITHUB MEDIUM NO CODE
m-server < 1.4.1 - Path Traversal via URL Slash Manipulation
Path Traversal vulnerability in module m-server <1.4.1 allows a malicious user to access unauthorized content of any file in the directory tree, e.g. /etc/passwd, by appending slashes to the URL request.
CVSS 6.5
CVE-2018-3712 GITHUB MEDIUM NO CODE
serve < 6.4.9 - Path Traversal via URL-Encoded Dot-Slash Sequences
serve node module before 6.4.9 suffers from a Path Traversal vulnerability due to not handling %2e (.) and %2f (/) and allowing them in paths, which allows a malicious user to view the contents of any directory with known path.
CVSS 6.5
CVE-2018-3713 GITHUB MEDIUM NO CODE
angular-http-server < 1.6.0 - Path Traversal via possibleFilename
angular-http-server node module suffers from a Path Traversal vulnerability due to lack of validation of possibleFilename, which allows a malicious user to read content of any file with known path.
CVSS 6.5
CVE-2018-3714 GITHUB MEDIUM NO CODE
node-srv < 2.1.1 - Path Traversal via URL Parameter
node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path.
CVSS 6.5
CVE-2018-3715 GITHUB MEDIUM NO CODE
glance < 3.0.4 - Path Traversal via Unvalidated Path Input
glance node module before 3.0.4 suffers from a Path Traversal vulnerability due to lack of validation of path passed to it, which allows a malicious user to read content of any file with known path.
CVSS 6.5
CVE-2018-3716 GITHUB MEDIUM NO CODE
simplehttpserver < 0.1.0 - Cross-Site Scripting via Unvalidated Filename
simplehttpserver node module suffers from a Cross-Site Scripting vulnerability due to a lack of validation of file names.
CVSS 5.4
CVE-2018-3717 GITHUB MEDIUM NO CODE
Sencha Connect < 2.14.0 - Cross-Site Scripting in Directory Middleware
connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.
CVSS 5.4
CVE-2018-3724 GITHUB HIGH NO CODE
general-file-server - Path Traversal via currpath Parameter
general-file-server node module suffers from a Path Traversal vulnerability due to lack of validation of currpath, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3725 GITHUB HIGH NO CODE
hekto < 0.2.3 - Path Traversal via File Parameter
hekto node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3726 GITHUB MEDIUM NO CODE
crud-file-server < 0.8.0 - Cross-Site Scripting via File Name
crud-file-server node module before 0.8.0 suffers from a Cross-Site Scripting vulnerability due to a lack of validation of file names.
CVSS 6.1
CVE-2018-3727 GITHUB HIGH NO CODE
626 - Path Traversal via File Parameter
626 node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3729 GITHUB HIGH NO CODE
localhost-now < 1.0.2 - Path Traversal via File Path Validation Bypass
localhost-now node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3730 GITHUB HIGH NO CODE
mcstatic - Path Traversal via filePath Parameter
mcstatic node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3731 GITHUB HIGH NO CODE
public.js < 0.1.3 - Path Traversal via filePath Parameter
public node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3733 GITHUB HIGH NO CODE
crud-file-server < 0.9.0 - Path Traversal via URL Validation Bypass
crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3734 GITHUB HIGH NO CODE
stattic < 0.3.0 - Path Traversal
stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3744 GITHUB CRITICAL NO CODE
html-pages - Path Traversal via cURL
The html-pages node module contains a path traversal vulnerability that allows an attacker to read any file from the server with cURL.
CVSS 9.8
CVE-2018-3747 GITHUB MEDIUM NO CODE
public.js < 0.1.3 - Cross-Site Scripting via HTML in Filename
The public node module versions <= 1.0.3 allows HTML to be embedded in file names, which (in certain conditions) might lead to execution of malicious JavaScript.
CVSS 6.1
CVE-2018-3748 GITHUB MEDIUM NO CODE
glance <= 3.0.5 - Stored Cross-Site Scripting via Crafted File Name
There is a Stored XSS vulnerability in the glance node module versions <= 3.0.5. A file name which contains malicious HTML (e.g., an embedded iframe element or a javascript: pseudo-protocol handler in an <a> element) allows JavaScript code to be executed against any user who opens a directory listing containing such a crafted file name.
CVSS 6.1
CVE-2018-3754 GITHUB HIGH NO CODE
query-mysql 0.0.0-0.0.2 - SQL Injection
Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from the database.
CVSS 8.8
CVE-2018-3755 GITHUB MEDIUM NO CODE
sexstatic <= 0.6.2 - Stored Cross-Site Scripting via Directory Name
HTML injection in directory name(s) in sexstatic <=0.6.2 leads to Stored XSS when a malicious file is embedded with an <iframe> element used in the directory name.
CVSS 6.1
CVE-2018-3771 GITHUB MEDIUM NO CODE
statics-server <= 0.0.9 - Cross-Site Scripting via Directory Index Filename
An XSS in statics-server <= 0.0.9 can be triggered via an injected iframe in the filename when statics-server displays the directory index in the browser.
CVSS 6.1
CVE-2018-3773 GITHUB MEDIUM NO CODE
metascraper <= 3.9.2 - Stored Cross-Site Scripting in Open Graph Meta Properties
There is a stored Cross-Site Scripting vulnerability in Open Graph meta properties read by the `metascrape` npm module <= 3.9.2.
CVSS 6.1