| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| This affects the package simpl-schema before 1.10.2. |
| This affects the package hellojs before 1.18.6. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1). |
| This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a url that will be passed to an external server allowing an SSRF attack. |
| This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a url that will be passed to a PhantomJS instance allowing for an SSRF attack. |
| All versions of package shiba are vulnerable to Arbitrary Code Execution due to the default usage of the function load() of the package js-yaml instead of its secure replacement , safeLoad(). |
| All versions of package safetydance are vulnerable to Prototype Pollution via the set function. |
| The package bmoor before 0.8.12 are vulnerable to Prototype Pollution via the set function. |
| The package ng-packagr before 10.1.1 are vulnerable to Command Injection via the styleIncludePaths option. |
| All versions of package cabot are vulnerable to Cross-site Scripting (XSS) via the Endpoint column. |
| The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA. |
| This affects all versions <0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on nil-pointer dereference caused by sending malformed XML signatures. |
| The package bestzip before 2.1.7 are vulnerable to Command Injection via the options param. |
| The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML. |
| All versions of package gedi are vulnerable to Prototype Pollution via the set function. |
| All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function. |
| All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function. |
| All versions of package tiny-conf are vulnerable to Prototype Pollution via the set function. |
| All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function. |
| All versions of package nodee-utils are vulnerable to Prototype Pollution via the deepSet function. |
| All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function. |
