Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    940 vulnerabilities by HackerOne

    CVE-2017-0938 (GCVE-0-2017-0938)

    Vulnerability from cvelistv5 – Published: 2019-02-12 22:00 – Updated: 2024-09-16 18:49
    VLAI
    Summary
    Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    Impacted products
    Vendor Product Version
    HackerOne airMAX, EdgeMAX Affected: airMAX < 8.3.2, airMAX < 6.0.7, EdgeRouter < v1.9.7
    Create a notification for this product.
    Date Public
    2019-02-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T13:25:17.343Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/221625"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "airMAX, EdgeMAX",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "airMAX \u003c 8.3.2, airMAX \u003c 6.0.7, EdgeRouter \u003c v1.9.7"
                }
              ]
            }
          ],
          "datePublic": "2019-02-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service attack in airMAX \u003c 8.3.2 , airMAX \u003c 6.0.7 and EdgeMAX \u003c 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-12T21:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/221625"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "DATE_PUBLIC": "2019-02-06T00:00:00",
              "ID": "CVE-2017-0938",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "airMAX, EdgeMAX",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "airMAX \u003c 8.3.2, airMAX \u003c 6.0.7, EdgeRouter \u003c v1.9.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Denial of Service attack in airMAX \u003c 8.3.2 , airMAX \u003c 6.0.7 and EdgeMAX \u003c 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522",
                  "refsource": "MISC",
                  "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
                },
                {
                  "name": "https://hackerone.com/reports/221625",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/221625"
                },
                {
                  "name": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215",
                  "refsource": "MISC",
                  "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2017-0938",
        "datePublished": "2019-02-12T22:00:00.000Z",
        "dateReserved": "2016-11-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:49:35.479Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16483 (GCVE-0-2018-16483)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
    Severity
    No CVSS data available.
    CWE
    • Privilege Escalation (CAPEC-233)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/343626 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne express-cart Affected: >=1.1.6
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.838Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/343626"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "express-cart",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e=1.1.6"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A deficiency in the access control in module express-cart \u003c=1.1.5 allows unprivileged users to add new users to the application as administrators."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege Escalation (CAPEC-233)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/343626"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16483",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "express-cart",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e=1.1.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A deficiency in the access control in module express-cart \u003c=1.1.5 allows unprivileged users to add new users to the application as administrators."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege Escalation (CAPEC-233)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/343626",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/343626"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16483",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.838Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16480 (GCVE-0-2018-16480)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A XSS vulnerability was found in module public <0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Generic (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    HackerOne public Affected: <0.1.4
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.712Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/329950"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.npmjs.com/package/public"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "public",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c0.1.4"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A XSS vulnerability was found in module public \u003c0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS) - Generic (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/329950"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.npmjs.com/package/public"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16480",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "public",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c0.1.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A XSS vulnerability was found in module public \u003c0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/329950",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/329950"
                },
                {
                  "name": "https://www.npmjs.com/package/public",
                  "refsource": "MISC",
                  "url": "https://www.npmjs.com/package/public"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16480",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16492 (GCVE-0-2018-16492)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/381185 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne extend Affected: < 2.0.2, ~<3.0.2
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.840Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/381185"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "extend",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.2, ~\u003c3.0.2"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in module extend \u003c2.0.2, ~\u003c3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/381185"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16492",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "extend",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 2.0.2, ~\u003c3.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in module extend \u003c2.0.2, ~\u003c3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/381185",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/381185"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16492",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.840Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16482 (GCVE-0-2018-16482)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A server directory traversal vulnerability was found on node module mcstatic <=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path.
    Severity
    No CVSS data available.
    CWE
    • CWE-22 - Path Traversal (CWE-22)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/330285 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne mcstatic Affected: <=0.0.20
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.435Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/330285"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mcstatic",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c=0.0.20"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A server directory traversal vulnerability was found on node module mcstatic \u003c=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal (CWE-22)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/330285"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16482",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "mcstatic",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c=0.0.20"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A server directory traversal vulnerability was found on node module mcstatic \u003c=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Path Traversal (CWE-22)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/330285",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/330285"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16482",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16484 (GCVE-0-2018-16484)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A XSS vulnerability was found in module m-server <1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Stored (CWE-79)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/319794 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne m-server Affected: <1.4.2
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.703Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/319794"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "m-server",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.2"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A XSS vulnerability was found in module m-server \u003c1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS) - Stored (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/319794"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16484",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "m-server",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c1.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A XSS vulnerability was found in module m-server \u003c1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/319794",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/319794"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16484",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.703Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16490 (GCVE-0-2018-16490)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/390860 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne mpath Affected: <0.5.1
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.842Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/390860"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mpath",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c0.5.1"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in module mpath \u003c0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/390860"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16490",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "mpath",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c0.5.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in module mpath \u003c0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/390860",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/390860"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16490",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16487 (GCVE-0-2018-16487)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    Impacted products
    Vendor Product Version
    HackerOne lodash Affected: <4.7.11
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.702Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/380873"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "lodash",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c4.7.11"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-09-19T16:06:08.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/380873"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16487",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "lodash",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c4.7.11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/380873",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/380873"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190919-0004/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16487",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.702Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16491 (GCVE-0-2018-16491)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/430831 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne node.extend Affected: <1.1.7, ~<2.0.1
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.711Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/430831"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node.extend",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.1.7, ~\u003c2.0.1"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in node.extend \u003c1.1.7, ~\u003c2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/430831"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16491",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "node.extend",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c1.1.7, ~\u003c2.0.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in node.extend \u003c1.1.7, ~\u003c2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/430831",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/430831"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16491",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.711Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16489 (GCVE-0-2018-16489)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in just-extend <4.0.0 that allows attack to inject properties onto Object.prototype through its functions.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/430291 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne just-extend Affected: <4.0.0
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.562Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/430291"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "just-extend",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c4.0.0"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in just-extend \u003c4.0.0 that allows attack to inject properties onto Object.prototype through its functions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/430291"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16489",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "just-extend",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c4.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in just-extend \u003c4.0.0 that allows attack to inject properties onto Object.prototype through its functions."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/430291",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/430291"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16489",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.562Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16485 (GCVE-0-2018-16485)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    Path Traversal vulnerability in module m-server <1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request.
    Severity
    No CVSS data available.
    CWE
    • CWE-22 - Path Traversal (CWE-22)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/319795 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne m-server Affected: <1.4.1
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.559Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/319795"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "m-server",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.1"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Path Traversal vulnerability in module m-server \u003c1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal (CWE-22)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/319795"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16485",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "m-server",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c1.4.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Path Traversal vulnerability in module m-server \u003c1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Path Traversal (CWE-22)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/319795",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/319795"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16485",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.559Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16486 (GCVE-0-2018-16486)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/380878 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne defaults-deep Affected: <=0.2.4
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.798Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/380878"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "defaults-deep",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c=0.2.4"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in defaults-deep \u003c=0.2.4 that would allow a malicious user to inject properties onto Object.prototype."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/380878"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16486",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "defaults-deep",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c=0.2.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in defaults-deep \u003c=0.2.4 that would allow a malicious user to inject properties onto Object.prototype."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/380878",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/380878"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16486",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16479 (GCVE-0-2018-16479)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    Path traversal vulnerability in http-live-simulator <1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL.
    Severity
    No CVSS data available.
    CWE
    • CWE-22 - Path Traversal (CWE-22)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/411405 x_refsource_MISC
    Impacted products
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.597Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/411405"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "http-live-simulator",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.0.7"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Path traversal vulnerability in http-live-simulator \u003c1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal (CWE-22)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/411405"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16479",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "http-live-simulator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c1.0.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Path traversal vulnerability in http-live-simulator \u003c1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Path Traversal (CWE-22)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/411405",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/411405"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16479",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.597Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16493 (GCVE-0-2018-16493)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL.
    Severity
    No CVSS data available.
    CWE
    • CWE-548 - Information Exposure Through Directory Listing (CWE-548)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/432600 x_refsource_MISC
    Impacted products
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.903Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/432600"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "static-resource-server",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.7.2"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-548",
                  "description": "Information Exposure Through Directory Listing (CWE-548)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/432600"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16493",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "static-resource-server",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "1.7.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information Exposure Through Directory Listing (CWE-548)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/432600",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/432600"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16493",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.903Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16481 (GCVE-0-2018-16481)

    Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A XSS vulnerability was found in html-page <=2.1.1 that allows malicious Javascript code to be executed in the user's browser due to the absence of sanitization of the paths before rendering.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Generic (CWE-79)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/330356 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne html-pages Affected: <=2.1.1
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.672Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/330356"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "html-pages",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c=2.1.1"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A XSS vulnerability was found in html-page \u003c=2.1.1 that allows malicious Javascript code to be executed in the user\u0027s browser due to the absence of sanitization of the paths before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS) - Generic (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/330356"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16481",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "html-pages",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c=2.1.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A XSS vulnerability was found in html-page \u003c=2.1.1 that allows malicious Javascript code to be executed in the user\u0027s browser due to the absence of sanitization of the paths before rendering."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/330356",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/330356"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16481",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-0938 (GCVE-0-2017-0938)

    Vulnerability from nvd – Published: 2019-02-12 22:00 – Updated: 2024-09-16 18:49
    VLAI
    Summary
    Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    Impacted products
    Vendor Product Version
    HackerOne airMAX, EdgeMAX Affected: airMAX < 8.3.2, airMAX < 6.0.7, EdgeRouter < v1.9.7
    Create a notification for this product.
    Date Public
    2019-02-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T13:25:17.343Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/221625"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "airMAX, EdgeMAX",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "airMAX \u003c 8.3.2, airMAX \u003c 6.0.7, EdgeRouter \u003c v1.9.7"
                }
              ]
            }
          ],
          "datePublic": "2019-02-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service attack in airMAX \u003c 8.3.2 , airMAX \u003c 6.0.7 and EdgeMAX \u003c 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-12T21:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/221625"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "DATE_PUBLIC": "2019-02-06T00:00:00",
              "ID": "CVE-2017-0938",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "airMAX, EdgeMAX",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "airMAX \u003c 8.3.2, airMAX \u003c 6.0.7, EdgeRouter \u003c v1.9.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Denial of Service attack in airMAX \u003c 8.3.2 , airMAX \u003c 6.0.7 and EdgeMAX \u003c 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522",
                  "refsource": "MISC",
                  "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
                },
                {
                  "name": "https://hackerone.com/reports/221625",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/221625"
                },
                {
                  "name": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215",
                  "refsource": "MISC",
                  "url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2017-0938",
        "datePublished": "2019-02-12T22:00:00.000Z",
        "dateReserved": "2016-11-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:49:35.479Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16483 (GCVE-0-2018-16483)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
    Severity
    No CVSS data available.
    CWE
    • Privilege Escalation (CAPEC-233)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/343626 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne express-cart Affected: >=1.1.6
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.838Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/343626"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "express-cart",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e=1.1.6"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A deficiency in the access control in module express-cart \u003c=1.1.5 allows unprivileged users to add new users to the application as administrators."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege Escalation (CAPEC-233)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/343626"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16483",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "express-cart",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e=1.1.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A deficiency in the access control in module express-cart \u003c=1.1.5 allows unprivileged users to add new users to the application as administrators."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege Escalation (CAPEC-233)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/343626",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/343626"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16483",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.838Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16480 (GCVE-0-2018-16480)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A XSS vulnerability was found in module public <0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Generic (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    HackerOne public Affected: <0.1.4
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.712Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/329950"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.npmjs.com/package/public"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "public",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c0.1.4"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A XSS vulnerability was found in module public \u003c0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS) - Generic (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/329950"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.npmjs.com/package/public"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16480",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "public",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c0.1.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A XSS vulnerability was found in module public \u003c0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/329950",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/329950"
                },
                {
                  "name": "https://www.npmjs.com/package/public",
                  "refsource": "MISC",
                  "url": "https://www.npmjs.com/package/public"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16480",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16492 (GCVE-0-2018-16492)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/381185 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne extend Affected: < 2.0.2, ~<3.0.2
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.840Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/381185"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "extend",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.2, ~\u003c3.0.2"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in module extend \u003c2.0.2, ~\u003c3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/381185"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16492",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "extend",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 2.0.2, ~\u003c3.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in module extend \u003c2.0.2, ~\u003c3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/381185",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/381185"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16492",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.840Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16482 (GCVE-0-2018-16482)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A server directory traversal vulnerability was found on node module mcstatic <=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path.
    Severity
    No CVSS data available.
    CWE
    • CWE-22 - Path Traversal (CWE-22)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/330285 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne mcstatic Affected: <=0.0.20
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.435Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/330285"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mcstatic",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c=0.0.20"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A server directory traversal vulnerability was found on node module mcstatic \u003c=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal (CWE-22)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/330285"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16482",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "mcstatic",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c=0.0.20"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A server directory traversal vulnerability was found on node module mcstatic \u003c=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Path Traversal (CWE-22)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/330285",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/330285"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16482",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16484 (GCVE-0-2018-16484)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A XSS vulnerability was found in module m-server <1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Stored (CWE-79)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/319794 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne m-server Affected: <1.4.2
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.703Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/319794"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "m-server",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.2"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A XSS vulnerability was found in module m-server \u003c1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS) - Stored (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/319794"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16484",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "m-server",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c1.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A XSS vulnerability was found in module m-server \u003c1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/319794",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/319794"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16484",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.703Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16490 (GCVE-0-2018-16490)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/390860 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne mpath Affected: <0.5.1
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.842Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/390860"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mpath",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c0.5.1"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in module mpath \u003c0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/390860"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16490",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "mpath",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c0.5.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in module mpath \u003c0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/390860",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/390860"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16490",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16487 (GCVE-0-2018-16487)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    Impacted products
    Vendor Product Version
    HackerOne lodash Affected: <4.7.11
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.702Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/380873"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "lodash",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c4.7.11"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-09-19T16:06:08.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/380873"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16487",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "lodash",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c4.7.11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/380873",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/380873"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190919-0004/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16487",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.702Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16491 (GCVE-0-2018-16491)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/430831 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne node.extend Affected: <1.1.7, ~<2.0.1
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.711Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/430831"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "node.extend",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.1.7, ~\u003c2.0.1"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in node.extend \u003c1.1.7, ~\u003c2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/430831"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16491",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "node.extend",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c1.1.7, ~\u003c2.0.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in node.extend \u003c1.1.7, ~\u003c2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/430831",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/430831"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16491",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.711Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16489 (GCVE-0-2018-16489)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in just-extend <4.0.0 that allows attack to inject properties onto Object.prototype through its functions.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/430291 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne just-extend Affected: <4.0.0
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.562Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/430291"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "just-extend",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c4.0.0"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in just-extend \u003c4.0.0 that allows attack to inject properties onto Object.prototype through its functions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/430291"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16489",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "just-extend",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c4.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in just-extend \u003c4.0.0 that allows attack to inject properties onto Object.prototype through its functions."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/430291",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/430291"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16489",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.562Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16485 (GCVE-0-2018-16485)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    Path Traversal vulnerability in module m-server <1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request.
    Severity
    No CVSS data available.
    CWE
    • CWE-22 - Path Traversal (CWE-22)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/319795 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne m-server Affected: <1.4.1
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.559Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/319795"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "m-server",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.1"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Path Traversal vulnerability in module m-server \u003c1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal (CWE-22)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/319795"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16485",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "m-server",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c1.4.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Path Traversal vulnerability in module m-server \u003c1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Path Traversal (CWE-22)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/319795",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/319795"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16485",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.559Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16486 (GCVE-0-2018-16486)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Denial of Service (CWE-400)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/380878 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne defaults-deep Affected: <=0.2.4
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.798Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/380878"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "defaults-deep",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c=0.2.4"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A prototype pollution vulnerability was found in defaults-deep \u003c=0.2.4 that would allow a malicious user to inject properties onto Object.prototype."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "Denial of Service (CWE-400)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/380878"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16486",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "defaults-deep",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c=0.2.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A prototype pollution vulnerability was found in defaults-deep \u003c=0.2.4 that would allow a malicious user to inject properties onto Object.prototype."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service (CWE-400)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/380878",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/380878"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16486",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16479 (GCVE-0-2018-16479)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    Path traversal vulnerability in http-live-simulator <1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL.
    Severity
    No CVSS data available.
    CWE
    • CWE-22 - Path Traversal (CWE-22)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/411405 x_refsource_MISC
    Impacted products
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.597Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/411405"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "http-live-simulator",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.0.7"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Path traversal vulnerability in http-live-simulator \u003c1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal (CWE-22)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/411405"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16479",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "http-live-simulator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c1.0.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Path traversal vulnerability in http-live-simulator \u003c1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Path Traversal (CWE-22)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/411405",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/411405"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16479",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.597Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16493 (GCVE-0-2018-16493)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL.
    Severity
    No CVSS data available.
    CWE
    • CWE-548 - Information Exposure Through Directory Listing (CWE-548)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/432600 x_refsource_MISC
    Impacted products
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.903Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/432600"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "static-resource-server",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.7.2"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-548",
                  "description": "Information Exposure Through Directory Listing (CWE-548)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/432600"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16493",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "static-resource-server",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "1.7.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information Exposure Through Directory Listing (CWE-548)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/432600",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/432600"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16493",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.903Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16481 (GCVE-0-2018-16481)

    Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
    VLAI
    Summary
    A XSS vulnerability was found in html-page <=2.1.1 that allows malicious Javascript code to be executed in the user's browser due to the absence of sanitization of the paths before rendering.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS) - Generic (CWE-79)
    Assigner
    References
    URL Tags
    https://hackerone.com/reports/330356 x_refsource_MISC
    Impacted products
    Vendor Product Version
    HackerOne html-pages Affected: <=2.1.1
    Create a notification for this product.
    Date Public
    2019-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:24:32.672Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/330356"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "html-pages",
              "vendor": "HackerOne",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c=2.1.1"
                }
              ]
            }
          ],
          "datePublic": "2019-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A XSS vulnerability was found in html-page \u003c=2.1.1 that allows malicious Javascript code to be executed in the user\u0027s browser due to the absence of sanitization of the paths before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site Scripting (XSS) - Generic (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-01T17:57:01.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/330356"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2018-16481",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "html-pages",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c=2.1.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "HackerOne"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A XSS vulnerability was found in html-page \u003c=2.1.1 that allows malicious Javascript code to be executed in the user\u0027s browser due to the absence of sanitization of the paths before rendering."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/330356",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/330356"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2018-16481",
        "datePublished": "2019-02-01T18:00:00.000Z",
        "dateReserved": "2018-09-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:24:32.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }