| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the common.download_jsp servlet, which listens on TCP port 8081 by default. When parsing the filename parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of Administrator. Was ZDI-CAN-5103. |
| This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of NetGain Systems Enterprise Manager 7.2.699 build 1001. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the org.apache.jsp.u.jsp.restore.download_005fdo_jsp servlet, which listens on TCP port 8081 by default. When parsing the filename parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of Administrator. Was ZDI-CAN-5100. |
| A vulnerability in Mitel ST 14.2, release GA28 and earlier, could allow an attacker to use the API function to enumerate through user-ids which could be used to identify valid user ids and associated user names. |
| LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue |
| aegir is a module to help automate JavaScript project management. Version 12.0.0 through and including 12.0.7 bundled and published to npm the user (that performed a aegir-release) GitHub token. |
| The cofee-script module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. |
| The coffescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. |
| The jquey module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. |
| The coffe-script module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. |
| The cofeescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. |
| The module botbait is a tool to be used to track bot and automated tools usage with-in the npm ecosystem. botbait is known to record and track user information. The module tracks the following information. Source IP process.versions process.platform How the module was invoked (test, require, pre-install) |
| cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| mongose was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| http-proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| crossenv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| noderequest was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
