Export limit exceeded: 367102 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (367102 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-7788 3 Debian, Ini Project, Redhat 5 Debian Linux, Ini, Enterprise Linux and 2 more 2024-11-21 7.3 High
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2020-7787 1 React-adal Project 1 React-adal 2024-11-21 8.2 High
This affects all versions of package react-adal. It is possible for a specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic. The logical defect is caused by how the nonce, session and refresh values are stored in the browser local storage or session storage. Each key is automatically appended by ||. When the received nonce and session keys are generated, the list of values is stored in the browser storage, separated by ||, with || always appended to the end of the list. Since || will always be the last 2 characters of the stored values, an empty string ("") will always be in the list of the valid values. Therefore, if an empty session parameter is provided in the callback URL, and a specially-crafted JWT token contains an nonce value of "" (empty string), then adal.js will consider the JWT token as authentic.
CVE-2020-7786 1 Macfromip Project 1 Macfromip 2024-11-21 9.8 Critical
This affects all versions of package macfromip. The injection point is located in line 66 in macfromip.js.
CVE-2020-7785 1 Node-ps Project 1 Node-ps 2024-11-21 9.8 Critical
This affects all versions of package node-ps. The injection point is located in line 72 in lib/index.js.
CVE-2020-7784 1 Ts-process-promises Project 1 Ts-process-promises 2024-11-21 9.8 Critical
This affects all versions of package ts-process-promises. The injection point is located in line 45 in main entry of package in lib/process-promises.js. The vulnerability is demonstrated with the following PoC:
CVE-2020-7782 1 Spritesheet-js Project 1 Spritesheet-js 2024-11-21 9.8 Critical
This affects all versions of package spritesheet-js. It depends on a vulnerable package platform-command. The injection point is located in line 32 in lib/generator.js, which is triggered by main entry of the package.
CVE-2020-7781 1 Connection-tester Project 1 Connection-tester 2024-11-21 9.8 Critical
This affects the package connection-tester before 0.2.1. The injection point is located in line 15 in index.js. The following PoC demonstrates the vulnerability:
CVE-2020-7780 1 Softwaremill 1 Akka-http-session 2024-11-21 6.3 Medium
This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie.
CVE-2020-7779 1 Djvalidator Project 1 Djvalidator 2024-11-21 5.3 Medium
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, --@------------------------------------------------------------------------------------------------------------------------!.
CVE-2020-7778 1 Systeminformation 1 Systeminformation 2024-11-21 7.3 High
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
CVE-2020-7777 1 Jsen Project 1 Jsen 2024-11-21 7.2 High
This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In the module description and README file there is no mention about the risks of untrusted schema files, so I assume that this is applicable. In particular the required field of the schema is not properly sanitized. The resulting string that is build based on the schema definition is then passed to a Function.apply();, leading to an Arbitrary Code Execution.
CVE-2020-7776 1 Phpoffice 1 Phpspreadsheet 2024-11-21 7.1 High
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch.
CVE-2020-7775 1 Freediskspace Project 1 Freediskproject 2024-11-21 9.8 Critical
This affects all versions of package freediskspace. The vulnerability arises out of improper neutralization of arguments in line 71 of freediskspace.js.
CVE-2020-7774 4 Oracle, Redhat, Siemens and 1 more 7 Graalvm, Enterprise Linux, Openshift and 4 more 2024-11-21 7.3 High
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
CVE-2020-7773 1 Markdown-it-highlightjs Project 1 Markdown-it-highlightjs 2024-11-21 6.5 Medium
This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md() .use(markdownItHighlightjs, { inline: true }) .render('console.log(42){.">js}'); console.log(reuslt_xss);
CVE-2020-7772 1 Doc-path Project 1 Doc-path 2024-11-21 7.5 High
This affects the package doc-path before 2.1.2.
CVE-2020-7771 1 Asciitable.js Project 1 Asciitable.js 2024-11-21 7.5 High
The package asciitable.js before 1.0.3 are vulnerable to Prototype Pollution via the main function.
CVE-2020-7770 1 Json8 Project 1 Json8 2024-11-21 6.5 Medium
This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution.
CVE-2020-7769 1 Nodemailer 1 Nodemailer 2024-11-21 8.6 High
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
CVE-2020-7768 1 Grpc 1 Grpc 2024-11-21 7.5 High
The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.