push-dir through 0.4.1 allows execution of arbitrary commands. Arguments provided as part of the variable “opt.branch” are not validated before being passed to the “git” command within “index.js#L139”. This could be abused by an attacker to inject arbitrary commands.
Source: NIST
CVE-2019-10803
February 2020
CVE-2020-9449
An insecure random number generation vulnerability in BlaB! AX, BlaB! AX Pro, BlaB! WS (client), and BlaB! WS Pro (client) version 19.11 allows an attacker (with a guest or user session cookie) to escalate privileges by retrieving the cookie salt value and creating a valid session cookie for an arbitrary user or admin.
Source: NIST
CVE-2018-21035
In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
Source: NIST
CVE-2019-10802
giting version prior to 0.0.8 allows execution of arbitrary commands. The first argument “repo” of function “pull()” is executed by the package without any validation.
Source: NIST
CVE-2019-10801
enpeem through 2.2.0 allows execution of arbitrary commands. The “options.dir” argument is provided to the “exec” function without any sanitization.
Source: NIST
CVE-2019-15609
The kill-port-process package in versions < 2.2.0 is vulnerable to Command Injection.
Source: NIST
CVE-2020-8132
Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input.
Source: NIST
CVE-2020-8127
Insufficient validation in cross-origin communication (postMessage) in reveal.js version 3.9.1 and earlier allows attackers to perform cross-site scripting attacks.
Source: NIST
CVE-2019-19943
The HTTP service in quickweb.exe in Pablo Quick ‘n Easy Web Server 3.3.8 allows Remote Unauthenticated Heap Memory Corruption via a large host or domain parameter. It may be possible to achieve remote code execution because of a double free.
Source: NIST
CVE-2020-9466
The Export Users to CSV plugin through 1.4.2 for WordPress allows CSV Injection.
Source: NIST