| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks that the two values are equal and non-empty. |
| This affects the package image-tiler before 2.0.2. |
| This affects all versions of package decal. The vulnerability is in the extend function. |
| This affects all versions of package decal. The vulnerability is in the set function. |
| This affects the package multi-ini before 2.1.1. It is possible to pollute an object's prototype by specifying the proto object as part of an array. |
| This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath) |
| The package ntesseract before 0.2.9 are vulnerable to Command Injection via lib/tesseract.js. |
| This affects all versions of package npm-help. The injection point is located in line 13 in index.js file in export.latestVersion() function. |
| This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js. |
| All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn function. |
| This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context. |
| All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function. |
| This affects all versions of package corenlp-js-prefab. The injection point is located in line 10 in 'index.js.' It depends on a vulnerable package 'corenlp-js-interface.' Vulnerability can be exploited with the following PoC: |
| This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js |
| This affects all versions of package heroku-env. The injection point is located in lib/get.js which is required by index.js. |
| This affects all versions of package google-cloudstorage-commands. |
| This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js. |
| This affects all versions of package gitblame. The injection point is located in line 15 in lib/gitblame.js. |
| This affects all versions of package node-latex-pdf. |
| All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: var a =require("geojson2kml"); a("./","& touch JHU",function(){}) |
