Search Results (80321 CVEs found)
| CVE | Vendor | Product | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-23403 | Ts-nodash Project | Ts-nodash | 2024-11-21 | 7.3 High |
| All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to a lack of input validation. | ||||
| CVE-2021-23402 | Record-like-deep-assign Project | Record-like-deep-assign | 2024-11-21 | 7.3 High |
| All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. | ||||
| CVE-2021-23399 | Wincred Project | Wincred | 2024-11-21 | 7.3 High |
| This affects all versions of package wincred. If attacker-controlled user input is given to the getCredential function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | ||||
| CVE-2021-23395 | Nedb Project | Nedb | 2024-11-21 | 7.3 High |
| This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload. | ||||
| CVE-2021-23394 | Std42 | Elfinder | 2024-11-21 | 8.1 High |
| The package studio-42/elfinder before 2.1.58 is vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP. | ||||
| CVE-2021-23391 | Calipso Project | Calipso | 2024-11-21 | 7.3 High |
| This affects all versions of package calipso. It is possible for a malicious module to overwrite arbitrary files on the file system through the module install functionality. | ||||
| CVE-2021-23386 | Dns-packet Project | Dns-packet | 2024-11-21 | 7.7 High |
| This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names. | ||||
| CVE-2021-23381 | Killing Project | Killing | 2024-11-21 | 7.3 High |
| This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | ||||
| CVE-2021-23379 | Portkiller Project | Portkiller | 2024-11-21 | 7.3 High |
| This affects all versions of package portkiller. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | ||||
| CVE-2021-23375 | Psnode Project | Psnode | 2024-11-21 | 7.3 High |
| This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | ||||
| CVE-2021-23374 | Ps-visitor Project | Ps-visitor | 2024-11-21 | 7.3 High |
| This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | ||||
| CVE-2021-23373 | Set-deep-prop Project | Set-deep-prop | 2024-11-21 | 7.5 High |
| All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality. | ||||
| CVE-2021-23371 | Chrono-node Project | Chrono-node | 2024-11-21 | 7.5 High |
| This affects the package chrono-node before 2.2.4. It hangs on a date-like string with lots of embedded spaces. | ||||
| CVE-2021-23370 | Swiperjs | Swiper | 2024-11-21 | 7.5 High |
| This affects the package swiper before 6.5.1. | ||||
| CVE-2021-23360 | Killport Project | Killport | 2024-11-21 | 7.5 High |
| This affects the package killport before 1.0.2. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. The advisory's proof of concept runs the command touch success, creating a file called success. | ||||
| CVE-2021-23359 | Port-killer Project | Port-killer | 2024-11-21 | 7.5 High |
| This affects all versions of package port-killer. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. The advisory's proof of concept runs the command touch success, creating a file called success. | ||||
| CVE-2021-23352 | Madge Project | Madge | 2024-11-21 | 8.6 High |
| This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter, which is executed by the child_process.exec function when the .image(), .svg() or .dot() functions are called. | ||||
| CVE-2021-23342 | Docsifyjs | Docsify | 2024-11-21 | 8.6 High |
| This affects the package docsify before 4.12.0. It is possible to bypass the remediation done for CVE-2020-7680 and execute malicious JavaScript through the following methods: 1) when parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization does not take place in the sidebar; 2) the isURL external check can be bypassed by inserting additional "////" characters. | ||||
| CVE-2021-23341 | Prismjs | Prism | 2024-11-21 | 7.5 High |
| The package prismjs before 1.23.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components. | ||||
| CVE-2021-23340 | Pimcore | Pimcore | 2024-11-21 | 7.1 High |
| This affects the package pimcore/pimcore before 6.8.8. A Local File Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class (bundles/AdminBundle/Controller/Reports/CustomReportController.php). An authenticated user can reach this function with a GET request to the endpoint /admin/reports/custom-report/download-csv?exportFile=[filename]. Since the exportFile parameter is not sanitized, an attacker can exploit a local file inclusion vulnerability. | ||||
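The four Prototype Pollution rows above (ts-nodash, record-like-deep-assign, set-deep-prop, nedb) all describe the same defect: a recursive merge that walks into whatever the target resolves a key to, so a `__proto__` or `constructor.prototype` key reaches Object.prototype. The following is an added example and not code from any of those packages: a generic vulnerable merge next to a hardened one, driven by the two payload shapes the nedb entry names. The function names (mergeUnsafe, mergeSafe, pollutionProbe) and the payloads are constructed for illustration.

```javascript
// Added, generic illustration of the prototype-pollution pattern in the merge /
// deep-assign entries above. Not code from ts-nodash, record-like-deep-assign,
// set-deep-prop or nedb; all names here are assumed for illustration.

// Vulnerable shape: iterates every enumerable key of `source` (JSON.parse
// yields an *own* key literally named "__proto__") and recurses into whatever
// `target[key]` resolves to. For "__proto__" that is Object.prototype; for
// "constructor" it is Object, whose "prototype" is again Object.prototype.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!(key in target)) target[key] = {};   // "in" sees inherited keys too
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened shape: own keys only, the three prototype-reaching keys are refused,
// and recursion only descends into plain objects that `target` itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Feeds one JSON payload (as a request body would arrive) through `merge` and
// reports whether Object.prototype gained "polluted" and whether an unrelated,
// freshly created object now sees it. Cleans up so repeated probes start clean.
function pollutionProbe(merge, payloadJson) {
  const target = {};
  merge(target, JSON.parse(payloadJson));
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  const seenByFreshObject = ({}).polluted;
  const targetOwnsKey = Object.prototype.hasOwnProperty.call(target, 'polluted');
  delete Object.prototype.polluted;
  return { leaked, seenByFreshObject, targetOwnsKey };
}

// Constructed attacker payloads: the two shapes named in the nedb entry.
const PROTO_PAYLOAD = '{"__proto__": {"polluted": true}}';
const CTOR_PAYLOAD = '{"constructor": {"prototype": {"polluted": true}}}';

for (const [name, payload] of [['__proto__', PROTO_PAYLOAD], ['constructor.prototype', CTOR_PAYLOAD]]) {
  console.log(name, 'via mergeUnsafe:', pollutionProbe(mergeUnsafe, payload));
  console.log(name, 'via mergeSafe  :', pollutionProbe(mergeSafe, payload));
}
```

Note the `targetOwnsKey: false` result on the vulnerable path: the merged object itself never gets the attacker's key, which is why this class of bug slips past tests that only inspect the merge's return value. Refusing the three keys outright does mean a legitimate configuration key named `constructor` is dropped; if that matters, store such data in a `Map` or an `Object.create(null)` dictionary instead of a plain object.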
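The process- and port-killing rows above (wincred, killing, portkiller, psnode, ps-visitor, killport, port-killer) and the madge graphVizPath row share one defect: a caller-controlled value is spliced into a command string that child_process.exec hands to a shell. The following is an added example and not code from any of those packages: the vulnerable string-building shape beside a hardened variant that validates the value and passes it as a literal argv element through execFile. The lsof/kill command line and the function names are assumed for illustration; the spawn at the end runs node itself so the demonstration is harmless and portable.

```javascript
// Added, generic illustration of the exec-injection pattern in the kill /
// port-kill entries and the madge entry above. Not code from those packages;
// the lsof/kill command line and all function names are assumed.
const { execFileSync } = require('child_process');

// Vulnerable shape: the input becomes part of one shell command string. With
// exec(), "3000; touch success" ends the intended command and starts another.
function buildKillCommandUnsafe(port) {
  return `kill -9 $(lsof -t -i:${port})`;   // what exec() would receive
}

// Hardened shape, step 1: accept only the narrow grammar the value must have.
function parsePort(input) {
  const s = String(input).trim();
  if (!/^[0-9]{1,5}$/.test(s)) throw new Error(`invalid port: ${JSON.stringify(input)}`);
  const n = Number(s);
  if (n < 1 || n > 65535) throw new Error(`port out of range: ${n}`);
  return n;
}

// Hardened shape, step 2: hand the value to execFile as its own argv element.
// No shell is involved, so metacharacters are never interpreted.
function killArgsSafe(input) {
  const port = parsePort(input);
  return { file: 'lsof', args: ['-t', `-i:${port}`] };
}

// Shows exactly what execFile delivers to a child: spawn this same node binary
// with a one-line script that echoes back its argv. The "--" stops node from
// parsing anything after it as a node option.
function argvSeenByChild(input) {
  const out = execFileSync(
    process.execPath,
    ['-e', 'process.stdout.write(JSON.stringify(process.argv.slice(1)))', '--', input],
    { encoding: 'utf8' }
  );
  return JSON.parse(out);
}

const ATTACK = '3000; touch success';   // constructed attacker input

console.log('exec() would run  :', buildKillCommandUnsafe(ATTACK));
console.log('execFile delivers :', argvSeenByChild(ATTACK));
try {
  killArgsSafe(ATTACK);
} catch (e) {
  console.log('validator rejects :', e.message);
}
console.log('valid input       :', killArgsSafe(' 3000 '));
```

Both halves matter: execFile alone stops the shell from splitting the string, but a program such as lsof or dot still receives the whole value as one argument, so the allow-list in parsePort is what keeps an unexpected option or path out of the child. When a shell really is required, the same validation has to run before the string is built, because quoting rules differ between /bin/sh and cmd.exe and are easy to get wrong.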