February 2020

CVE-2019-10803

push-dir through 0.4.1 allows execution of arbritary commands. Arguments provided as part of the variable “opt.branch” is not validated before being provided to the “git” command within “index.js#L139”. This could be abused by an attacker to inject arbitrary commands.
Source: NIST
CVE-2019-10803

CVE-2020-9449

An insecure random number generation vulnerability in BlaB! AX, BlaB! AX Pro, BlaB! WS (client), and BlaB! WS Pro (client) version 19.11 allows an attacker (with a guest or user session cookie) to escalate privileges by retrieving the cookie salt value and creating a valid session cookie for an arbitrary user or admin.
Source: NIST
CVE-2020-9449

CVE-2018-21035

In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
Source: NIST
CVE-2018-21035

CVE-2019-10802

giting version prior to 0.0.8 allows execution of arbritary commands. The first argument “repo” of function “pull()” is executed by the package without any validation.
Source: NIST
CVE-2019-10802

CVE-2019-10801

enpeem through 2.2.0 allows execution of arbitrary commands. The “options.dir” argument is provided to the “exec” function without any sanitization.
Source: NIST
CVE-2019-10801

CVE-2020-8132

Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input.
Source: NIST
CVE-2020-8132

CVE-2020-8127

Insufficient validation in cross-origin communication (postMessage) in reveal.js version 3.9.1 and earlier allow attackers to perform cross-site scripting attacks.
Source: NIST
CVE-2020-8127

CVE-2019-19943

The HTTP service in quickweb.exe in Pablo Quick ‘n Easy Web Server 3.3.8 allows Remote Unauthenticated Heap Memory Corruption via a large host or domain parameter. It may be possible to achieve remote code execution because of a double free.
Source: NIST
CVE-2019-19943