Filtered by vendor Nodejs Subscriptions
Total 175 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2014-9772 1 Nodejs 1 Node.js 2024-11-21 N/A
The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters.
CVE-2014-9748 3 Libuv, Microsoft, Nodejs 4 Libuv, Windows Server 2003, Windows Xp and 1 more 2024-11-21 8.1 High
The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.
CVE-2014-7191 2 Nodejs, Redhat 2 Node.js, Rhel Software Collections 2024-11-21 N/A
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
CVE-2014-5256 2 Nodejs, Redhat 2 Nodejs, Rhel Software Collections 2024-11-21 N/A
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
CVE-2014-3744 1 Nodejs 1 Node.js 2024-11-21 N/A
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
CVE-2014-0224 9 Fedoraproject, Filezilla-project, Mariadb and 6 more 23 Fedora, Filezilla Server, Mariadb and 20 more 2024-11-21 7.4 High
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVE-2013-7454 1 Nodejs 1 Node.js 2024-11-21 N/A
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings.
CVE-2013-7453 1 Nodejs 1 Node.js 2024-11-21 N/A
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.
CVE-2013-7452 1 Nodejs 1 Node.js 2024-11-21 N/A
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI.
CVE-2013-7451 1 Nodejs 1 Node.js 2024-11-21 N/A
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag.
CVE-2013-6668 4 Debian, Google, Nodejs and 1 more 7 Debian Linux, Chrome, V8 and 4 more 2024-11-21 N/A
Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
CVE-2013-4450 2 Nodejs, Redhat 2 Nodejs, Rhel Software Collections 2024-11-21 N/A
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.
CVE-2013-2882 4 Debian, Google, Nodejs and 1 more 6 Debian Linux, Chrome, Node.js and 3 more 2024-11-21 N/A
Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion."
CVE-2012-2330 1 Nodejs 1 Nodejs 2024-11-21 N/A
The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string.
CVE-2023-46809 2 Nodejs, Redhat 3 Nodejs, Enterprise Linux, Rhel Eus 2024-09-09 7.4 High
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.