Export limit exceeded: 364021 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364021 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-7617 | 1 Ini-parser Project | 1 Ini-parser | 2024-11-21 | 4.4 Medium |
| ini-parser through 0.0.2 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload. | ||||
| CVE-2020-7616 | 1 Express-mock-middleware Project | 1 Express-mock-middleware | 2024-11-21 | 5.3 Medium |
| express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk. | ||||
| CVE-2020-7615 | 1 Fsa Project | 1 Fsa | 2024-11-21 | 7.8 High |
| fsa through 0.5.1 is vulnerable to Command Injection. The first argument of 'execGitCommand()', located within 'lib/rep.js#63' can be controlled by users without any sanitization to inject arbitrary commands. | ||||
| CVE-2020-7614 | 1 Npm-programmatic Project | 1 Npm-programmatic | 2024-11-21 | 9.8 Critical |
| npm-programmatic through 0.0.12 is vulnerable to Command Injection.The packages and option properties are concatenated together without any validation and are used by the 'exec' function directly. | ||||
| CVE-2020-7613 | 1 Clamscan Project | 1 Clamscan | 2024-11-21 | 8.1 High |
| clamscan through 1.2.0 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the `_is_clamav_binary` function located within `Index.js`. It should be noted that this vulnerability requires a pre-requisite that a folder should be created with the same command that will be chained to execute. This lowers the risk of this issue. | ||||
| CVE-2020-7611 | 1 Objectcomputing | 1 Micronaut | 2024-11-21 | 9.8 Critical |
| All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client. | ||||
| CVE-2020-7610 | 1 Mongodb | 1 Bson | 2024-11-21 | 9.8 Critical |
| All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type. | ||||
| CVE-2020-7609 | 1 Node-rules Project | 1 Node-rules | 2024-11-21 | 9.8 Critical |
| node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function "fromJSON()" can be controlled by users without any sanitization. | ||||
| CVE-2020-7608 | 2 Redhat, Yargs | 5 Enterprise Linux, Openshift Container Storage, Quay and 2 more | 2024-11-21 | 5.3 Medium |
| yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload. | ||||
| CVE-2020-7607 | 1 Gulp-styledocco Project | 1 Gulp-styledocco | 2024-11-21 | 9.8 Critical |
| gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument 'options' of the exports function in 'index.js' can be controlled by users without any sanitization. | ||||
| CVE-2020-7606 | 1 Docker-compose-remote-api Project | 1 Docker-compose-remote-api | 2024-11-21 | 9.8 Critical |
| docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization. | ||||
| CVE-2020-7605 | 1 Gulp-tape Project | 1 Gulp-tape | 2024-11-21 | 9.8 Critical |
| gulp-tape through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of 'gulp-tape' options. | ||||
| CVE-2020-7604 | 1 Pulverizr Project | 1 Pulverizr | 2024-11-21 | 9.8 Critical |
| pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command. | ||||
| CVE-2020-7603 | 1 Closure-compiler-stream Project | 1 Closure-compiler-stream | 2024-11-21 | 9.8 Critical |
| closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization. | ||||
| CVE-2020-7602 | 1 Node-prompt-here Project | 1 Node-prompt-here | 2024-11-21 | 9.8 Critical |
| node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand()" is called by "getDevices()" function in file "linux/manager.js", which is required by the "index. process.env.NM_CLI" in the file "linux/manager.js". This function is used to construct the argument of function "execSync()", which can be controlled by users without any sanitization. | ||||
| CVE-2020-7601 | 1 Gulp-scss-lint Project | 1 Gulp-scss-lint | 2024-11-21 | 9.8 Critical |
| gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands to the "exec" function located in "src/command.js" via the provided options. | ||||
| CVE-2020-7600 | 1 Querymen Project | 1 Querymen | 2024-11-21 | 5.3 Medium |
| querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks. | ||||
| CVE-2020-7599 | 1 Gradle | 1 Plugin Publishing | 2024-11-21 | 6.5 Medium |
| All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own. | ||||
| CVE-2020-7598 | 3 Opensuse, Redhat, Substack | 9 Leap, Enterprise Linux, Openshift and 6 more | 2024-11-21 | 5.6 Medium |
| minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | ||||
| CVE-2020-7597 | 1 Codecov | 1 Codecov | 2024-11-21 | 8.8 High |
| codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596. | ||||