bl4de

28 exploits Active since May 2018
CVE-2018-16459 GITHUB MEDIUM NO CODE
Exceljs < 1.6 - XSS
An unescaped payload in exceljs <v1.6 allows a possible XSS via cell value when worksheet is displayed in browser.
CVSS 6.1
CVE-2018-16484 GITHUB MEDIUM NO CODE
M-server < 1.4.2 - XSS
An XSS vulnerability was found in module m-server <1.4.2 that allows malicious JavaScript code or HTML to be executed, due to the lack of escaping for special characters in folder names.
CVSS 5.4
CVE-2018-16485 GITHUB MEDIUM NO CODE
M-server < 1.4.1 - Path Traversal
Path Traversal vulnerability in module m-server <1.4.1 allows a malicious user to access unauthorized content of any file in the directory tree, e.g. /etc/passwd, by appending slashes to the URL request.
CVSS 6.5
CVE-2018-3712 GITHUB MEDIUM NO CODE
Zeit Serve < 6.4.9 - Path Traversal
serve node module before 6.4.9 suffers from a Path Traversal vulnerability due to not handling %2e (.) and %2f (/) and allowing them in paths, which allows a malicious user to view the contents of any directory with known path.
CVSS 6.5
CVE-2018-3713 GITHUB MEDIUM NO CODE
Angular-http-server < 1.6.0 - Path Traversal
angular-http-server node module suffers from a Path Traversal vulnerability due to lack of validation of possibleFilename, which allows a malicious user to read content of any file with known path.
CVSS 6.5
CVE-2018-3714 GITHUB MEDIUM NO CODE
Node-srv < 2.1.1 - Path Traversal
node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path.
CVSS 6.5
CVE-2018-3715 GITHUB MEDIUM NO CODE
Glance < 3.0.4 - Path Traversal
glance node module before 3.0.4 suffers from a Path Traversal vulnerability due to lack of validation of path passed to it, which allows a malicious user to read content of any file with known path.
CVSS 6.5
CVE-2018-3716 GITHUB MEDIUM NO CODE
Simplehttpserver < 0.1.0 - XSS
simplehttpserver node module suffers from a Cross-Site Scripting vulnerability due to a lack of validation of file names.
CVSS 5.4
CVE-2018-3717 GITHUB MEDIUM NO CODE
Sencha Connect < 2.14.0 - XSS
connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.
CVSS 5.4
CVE-2018-3724 GITHUB HIGH NO CODE
General-file-server - Path Traversal
general-file-server node module suffers from a Path Traversal vulnerability due to lack of validation of currpath, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3725 GITHUB HIGH NO CODE
Hekto < 0.2.3 - Path Traversal
hekto node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3726 GITHUB MEDIUM NO CODE
Crud-file-server < 0.8.0 - XSS
crud-file-server node module before 0.8.0 suffers from a Cross-Site Scripting vulnerability due to a lack of validation of file names.
CVSS 6.1
CVE-2018-3727 GITHUB HIGH NO CODE
626 - Path Traversal
626 node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3729 GITHUB HIGH NO CODE
Localhost-now < 1.0.2 - Path Traversal
localhost-now node module suffers from a Path Traversal vulnerability due to lack of validation of file, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3730 GITHUB HIGH NO CODE
Mcstatic - Path Traversal
mcstatic node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3731 GITHUB HIGH NO CODE
Public.js < 0.1.3 - Path Traversal
public node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3733 GITHUB HIGH NO CODE
Crud-file-server < 0.9.0 - Path Traversal
crud-file-server node module before 0.9.0 suffers from a Path Traversal vulnerability due to incorrect validation of url, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3734 GITHUB HIGH NO CODE
Stattic < 0.3.0 - Path Traversal
stattic node module suffers from a Path Traversal vulnerability due to lack of validation of path, which allows a malicious user to read content of any file with known path.
CVSS 7.5
CVE-2018-3744 GITHUB CRITICAL NO CODE
Html-pages - Path Traversal
The html-pages node module contains a path traversal vulnerability that allows an attacker to read any file from the server with cURL.
CVSS 9.8
CVE-2018-3747 GITHUB MEDIUM NO CODE
Public.js < 0.1.3 - XSS
The public node module versions <= 1.0.3 allow HTML to be embedded in file names, which (in certain conditions) might lead to execution of malicious JavaScript.
CVSS 6.1
CVE-2018-3748 GITHUB MEDIUM NO CODE
Glance < 3.0.8 - XSS
There is a Stored XSS vulnerability in the glance node module versions <= 3.0.5. A file name that contains malicious HTML (e.g. an embedded iframe element or a javascript: pseudo-protocol handler in an <a> element) allows JavaScript code to be executed against any user who opens a directory listing containing such a crafted file name.
CVSS 6.1
CVE-2018-3754 GITHUB HIGH NO CODE
Query-mysql - SQL Injection
Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from database.
CVSS 8.8
CVE-2018-3755 GITHUB MEDIUM NO CODE
Sexstatic - XSS
XSS in sexstatic <=0.6.2: HTML injection in directory name(s) leads to Stored XSS when a malicious file is embedded with an <iframe> element used in the directory name.
CVSS 6.1
CVE-2018-3771 GITHUB MEDIUM NO CODE
Statics-server < 0.0.9 - XSS
An XSS in statics-server <= 0.0.9 can be used via an injected iframe in the filename when statics-server displays the directory index in the browser.
CVSS 6.1
CVE-2018-3773 GITHUB MEDIUM NO CODE
Metascraper < 3.9.2 - XSS
There is a stored Cross-Site Scripting vulnerability in Open Graph meta properties read by the `metascraper` npm module <= 3.9.2.
CVSS 6.1