Security Vulnerabilities - CVEs Published In June 2018
`fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
CVSS Score
7.5
EPSS Score
0.003
Published
2018-06-04
`nodefabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
CVSS Score
7.5
EPSS Score
0.003
Published
2018-06-04
`sqlserver` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
CVSS Score
7.5
EPSS Score
0.003
Published
2018-06-04
Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-06-04
sanitize-html is a library for scrubbing html input for malicious values Versions 1.2.2 and below have a cross site scripting vulnerability.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-06-04
Restify is a framework for building REST APIs. Restify >=2.0.0 <=4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-06-04
GitBook is a command line tool (and Node.js library) for building beautiful books using GitHub/Git and Markdown (or AsciiDoc). Stored Cross-Site-Scripting (XSS) is possible in GitBook before 3.2.2 by including code outside of backticks in any ebook. This code will be executed on the online reader.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-06-04
Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name.
CVSS Score
9.8
EPSS Score
0.008
Published
2018-06-04
uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier.
CVSS Score
6.5
EPSS Score
0.002
Published
2018-06-04
Morris.js creates an svg graph, with labels that appear when hovering over a point. The hovering label names are not escaped in versions 0.5.0 and earlier. If control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-06-04