940 vulnerabilities by HackerOne
CVE-2017-0938 (GCVE-0-2017-0938)
Vulnerability from cvelistv5 – Published: 2019-02-12 22:00 – Updated: 2024-09-16 18:49
VLAI
Summary
A Denial of Service vulnerability in airMAX < 8.3.2, airMAX < 6.0.7 and EdgeMAX < 1.9.7 allows attackers to use the Discovery Protocol in amplification attacks.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://community.ubnt.com/t5/airMAX-Updates-Blog… | x_refsource_MISC |
| https://hackerone.com/reports/221625 | x_refsource_MISC |
| https://community.ubnt.com/t5/airMAX-Updates-Blog… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | airMAX, EdgeMAX |
Affected:
airMAX < 8.3.2, airMAX < 6.0.7, EdgeRouter < v1.9.7
|
Date Public
2019-02-06 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:17.343Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/221625"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "airMAX, EdgeMAX",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "airMAX \u003c 8.3.2, airMAX \u003c 6.0.7, EdgeRouter \u003c v1.9.7"
}
]
}
],
"datePublic": "2019-02-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Denial of Service attack in airMAX \u003c 8.3.2 , airMAX \u003c 6.0.7 and EdgeMAX \u003c 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-12T21:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/221625"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2019-02-06T00:00:00",
"ID": "CVE-2017-0938",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "airMAX, EdgeMAX",
"version": {
"version_data": [
{
"version_value": "airMAX \u003c 8.3.2, airMAX \u003c 6.0.7, EdgeRouter \u003c v1.9.7"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Denial of Service attack in airMAX \u003c 8.3.2 , airMAX \u003c 6.0.7 and EdgeMAX \u003c 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522",
"refsource": "MISC",
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
},
{
"name": "https://hackerone.com/reports/221625",
"refsource": "MISC",
"url": "https://hackerone.com/reports/221625"
},
{
"name": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215",
"refsource": "MISC",
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0938",
"datePublished": "2019-02-12T22:00:00.000Z",
"dateReserved": "2016-11-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:49:35.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16483 (GCVE-0-2018-16483)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
Severity
No CVSS data available.
CWE
- Privilege Escalation (CAPEC-233)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/343626 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | express-cart |
Affected:
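>=1.1.6 (as entered in the record's version field; this conflicts with the summary, which names express-cart <=1.1.5 as the vulnerable range — confirm against the referenced report before using this field for version matching)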
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.838Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/343626"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "express-cart",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003e=1.1.6"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A deficiency in the access control in module express-cart \u003c=1.1.5 allows unprivileged users to add new users to the application as administrators."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Privilege Escalation (CAPEC-233)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/343626"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16483",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "express-cart",
"version": {
"version_data": [
{
"version_value": "\u003e=1.1.6"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A deficiency in the access control in module express-cart \u003c=1.1.5 allows unprivileged users to add new users to the application as administrators."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Privilege Escalation (CAPEC-233)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/343626",
"refsource": "MISC",
"url": "https://hackerone.com/reports/343626"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16483",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16480 (GCVE-0-2018-16480)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
An XSS vulnerability was found in module public <0.1.4 that allows malicious JavaScript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Generic (CWE-79)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/329950 | x_refsource_MISC |
| https://www.npmjs.com/package/public | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.712Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/329950"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.npmjs.com/package/public"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "public",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c0.1.4"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A XSS vulnerability was found in module public \u003c0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Generic (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/329950"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.npmjs.com/package/public"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16480",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "public",
"version": {
"version_data": [
{
"version_value": "\u003c0.1.4"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A XSS vulnerability was found in module public \u003c0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/329950",
"refsource": "MISC",
"url": "https://hackerone.com/reports/329950"
},
{
"name": "https://www.npmjs.com/package/public",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/public"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16480",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16492 (GCVE-0-2018-16492)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.
Severity
No CVSS data available.
CWE
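- CWE-400 - Denial of Service (CWE-400) — as assigned in the record; the summary describes prototype pollution, for which CWE-1321 is the more specific class.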
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/381185 | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.840Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/381185"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "extend",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.2, ~\u003c3.0.2"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in module extend \u003c2.0.2, ~\u003c3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/381185"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16492",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "extend",
"version": {
"version_data": [
{
"version_value": "\u003c 2.0.2, ~\u003c3.0.2"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in module extend \u003c2.0.2, ~\u003c3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/381185",
"refsource": "MISC",
"url": "https://hackerone.com/reports/381185"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16492",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16482 (GCVE-0-2018-16482)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
A server directory traversal vulnerability was found in node module mcstatic <=0.0.20 that would allow an attacker to access sensitive information in the file system by appending slashes in the URL path.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/330285 | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/330285"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mcstatic",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=0.0.20"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A server directory traversal vulnerability was found on node module mcstatic \u003c=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/330285"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16482",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "mcstatic",
"version": {
"version_data": [
{
"version_value": "\u003c=0.0.20"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A server directory traversal vulnerability was found on node module mcstatic \u003c=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/330285",
"refsource": "MISC",
"url": "https://hackerone.com/reports/330285"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16482",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16484 (GCVE-0-2018-16484)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
An XSS vulnerability was found in module m-server <1.4.2 that allows malicious JavaScript code or HTML to be executed, due to the lack of escaping for special characters in folder names.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Stored (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/319794 | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/319794"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "m-server",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.2"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A XSS vulnerability was found in module m-server \u003c1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Stored (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/319794"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16484",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "m-server",
"version": {
"version_data": [
{
"version_value": "\u003c1.4.2"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A XSS vulnerability was found in module m-server \u003c1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/319794",
"refsource": "MISC",
"url": "https://hackerone.com/reports/319794"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16484",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16490 (GCVE-0-2018-16490)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
Severity
No CVSS data available.
CWE
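- CWE-400 - Denial of Service (CWE-400) — as assigned in the record; the summary describes prototype pollution, for which CWE-1321 is the more specific class.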
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/390860 | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/390860"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mpath",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c0.5.1"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in module mpath \u003c0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/390860"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16490",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "mpath",
"version": {
"version_data": [
{
"version_value": "\u003c0.5.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in module mpath \u003c0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/390860",
"refsource": "MISC",
"url": "https://hackerone.com/reports/390860"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16490",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16487 (GCVE-0-2018-16487)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
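A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. (The affected-version field in the JSON record below reads <4.7.11, which does not match the <4.17.11 stated in this description; do not rely on that field alone for version matching.)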
Severity
No CVSS data available.
CWE
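- CWE-400 - Denial of Service (CWE-400) — as assigned in the record; the summary describes prototype pollution, for which CWE-1321 is the more specific class.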
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/380873 | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2019091… | x_refsource_CONFIRM |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/380873"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lodash",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c4.7.11"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-19T16:06:08.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/380873"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16487",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lodash",
"version": {
"version_data": [
{
"version_value": "\u003c4.7.11"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/380873",
"refsource": "MISC",
"url": "https://hackerone.com/reports/380873"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190919-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16487",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16491 (GCVE-0-2018-16491)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
Severity
No CVSS data available.
CWE
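- CWE-400 - Denial of Service (CWE-400) — as assigned in the record; the summary describes prototype pollution, for which CWE-1321 is the more specific class.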
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/430831 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | node.extend |
Affected:
<1.1.7, ~<2.0.1
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/430831"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node.extend",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c1.1.7, ~\u003c2.0.1"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in node.extend \u003c1.1.7, ~\u003c2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/430831"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16491",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "node.extend",
"version": {
"version_data": [
{
"version_value": "\u003c1.1.7, ~\u003c2.0.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in node.extend \u003c1.1.7, ~\u003c2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/430831",
"refsource": "MISC",
"url": "https://hackerone.com/reports/430831"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16491",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16489 (GCVE-0-2018-16489)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
A prototype pollution vulnerability was found in just-extend <4.0.0 that allows an attacker to inject properties onto Object.prototype through its functions.
Severity
No CVSS data available.
CWE
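- CWE-400 - Denial of Service (CWE-400) — as assigned in the record; the summary describes prototype pollution, for which CWE-1321 is the more specific class.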
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/430291 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | just-extend |
Affected:
<4.0.0
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/430291"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "just-extend",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c4.0.0"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in just-extend \u003c4.0.0 that allows attack to inject properties onto Object.prototype through its functions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/430291"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16489",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "just-extend",
"version": {
"version_data": [
{
"version_value": "\u003c4.0.0"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in just-extend \u003c4.0.0 that allows attack to inject properties onto Object.prototype through its functions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/430291",
"refsource": "MISC",
"url": "https://hackerone.com/reports/430291"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16489",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16485 (GCVE-0-2018-16485)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
Summary
Path Traversal vulnerability in module m-server <1.4.1 allows a malicious user to gain unauthorized access to the content of any file in the directory tree, e.g. /etc/passwd, by appending slashes to the URL request.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/319795 | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/319795"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "m-server",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.1"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Path Traversal vulnerability in module m-server \u003c1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/319795"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16485",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "m-server",
"version": {
"version_data": [
{
"version_value": "\u003c1.4.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path Traversal vulnerability in module m-server \u003c1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/319795",
"refsource": "MISC",
"url": "https://hackerone.com/reports/319795"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16485",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16486 (GCVE-0-2018-16486)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
Summary
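A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype. The record classifies this as CWE-400 (Denial of Service); prototype pollution has its own entry, CWE-1321, so a CWE-based search for that weakness class will not match this record.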
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/380878 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | defaults-deep |
Affected:
<=0.2.4
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/380878"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "defaults-deep",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=0.2.4"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in defaults-deep \u003c=0.2.4 that would allow a malicious user to inject properties onto Object.prototype."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/380878"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16486",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "defaults-deep",
"version": {
"version_data": [
{
"version_value": "\u003c=0.2.4"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in defaults-deep \u003c=0.2.4 that would allow a malicious user to inject properties onto Object.prototype."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/380878",
"refsource": "MISC",
"url": "https://hackerone.com/reports/380878"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16486",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16479 (GCVE-0-2018-16479)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
Summary
Path traversal vulnerability in http-live-simulator <1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/411405 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | http-live-simulator |
Affected:
<1.0.7
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.597Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/411405"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "http-live-simulator",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c1.0.7"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability in http-live-simulator \u003c1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/411405"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16479",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "http-live-simulator",
"version": {
"version_data": [
{
"version_value": "\u003c1.0.7"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path traversal vulnerability in http-live-simulator \u003c1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/411405",
"refsource": "MISC",
"url": "https://hackerone.com/reports/411405"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16479",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16493 (GCVE-0-2018-16493)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
Summary
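A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL. The record files this under CWE-548 (Information Exposure Through Directory Listing) although the flaw described is a path traversal (CWE-22), so CWE-based filtering for path traversal will miss it.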
Severity
No CVSS data available.
CWE
- CWE-548 - Information Exposure Through Directory Listing (CWE-548)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/432600 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | static-resource-server |
Affected:
1.7.2
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.903Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/432600"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "static-resource-server",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "1.7.2"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "Information Exposure Through Directory Listing (CWE-548)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/432600"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16493",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "static-resource-server",
"version": {
"version_data": [
{
"version_value": "1.7.2"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Exposure Through Directory Listing (CWE-548)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/432600",
"refsource": "MISC",
"url": "https://hackerone.com/reports/432600"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16493",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16481 (GCVE-0-2018-16481)
Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
Summary
An XSS vulnerability was found in html-pages <=2.1.1 that allows malicious JavaScript code to be executed in the user's browser due to the absence of sanitization of the paths before rendering.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Generic (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/330356 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | html-pages |
Affected:
<=2.1.1
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/330356"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "html-pages",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=2.1.1"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A XSS vulnerability was found in html-page \u003c=2.1.1 that allows malicious Javascript code to be executed in the user\u0027s browser due to the absence of sanitization of the paths before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Generic (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/330356"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16481",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "html-pages",
"version": {
"version_data": [
{
"version_value": "\u003c=2.1.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A XSS vulnerability was found in html-page \u003c=2.1.1 that allows malicious Javascript code to be executed in the user\u0027s browser due to the absence of sanitization of the paths before rendering."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/330356",
"refsource": "MISC",
"url": "https://hackerone.com/reports/330356"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16481",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0938 (GCVE-0-2017-0938)
Vulnerability from nvd – Published: 2019-02-12 22:00 – Updated: 2024-09-16 18:49
Summary
A Denial of Service vulnerability in airMAX < 8.3.2, airMAX < 6.0.7 and EdgeMAX < 1.9.7 allows attackers to use the Discovery Protocol in amplification attacks.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://community.ubnt.com/t5/airMAX-Updates-Blog… | x_refsource_MISC |
| https://hackerone.com/reports/221625 | x_refsource_MISC |
| https://community.ubnt.com/t5/airMAX-Updates-Blog… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | airMAX, EdgeMAX |
Affected:
airMAX < 8.3.2, airMAX < 6.0.7, EdgeRouter < v1.9.7
|
Date Public
2019-02-06 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:17.343Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/221625"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "airMAX, EdgeMAX",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "airMAX \u003c 8.3.2, airMAX \u003c 6.0.7, EdgeRouter \u003c v1.9.7"
}
]
}
],
"datePublic": "2019-02-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Denial of Service attack in airMAX \u003c 8.3.2 , airMAX \u003c 6.0.7 and EdgeMAX \u003c 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-12T21:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/221625"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2019-02-06T00:00:00",
"ID": "CVE-2017-0938",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "airMAX, EdgeMAX",
"version": {
"version_data": [
{
"version_value": "airMAX \u003c 8.3.2, airMAX \u003c 6.0.7, EdgeRouter \u003c v1.9.7"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Denial of Service attack in airMAX \u003c 8.3.2 , airMAX \u003c 6.0.7 and EdgeMAX \u003c 1.9.7 allow attackers to use the Discovery Protocol in amplification attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522",
"refsource": "MISC",
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v6-0-7-Has-Been-Released/ba-p/2056522"
},
{
"name": "https://hackerone.com/reports/221625",
"refsource": "MISC",
"url": "https://hackerone.com/reports/221625"
},
{
"name": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215",
"refsource": "MISC",
"url": "https://community.ubnt.com/t5/airMAX-Updates-Blog/airOS-v8-3-2-Has-Been-Released/ba-p/2049215"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0938",
"datePublished": "2019-02-12T22:00:00.000Z",
"dateReserved": "2016-11-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:49:35.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16483 (GCVE-0-2018-16483)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
Summary
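A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators. Note that the record's affected-version field reads >=1.1.6, which contradicts this range; it appears to name the fixed versions instead, so confirm the vulnerable range against the referenced report before relying on the version field for matching.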
Severity
No CVSS data available.
CWE
- Privilege Escalation (CAPEC-233)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/343626 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | express-cart |
Affected:
>=1.1.6
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.838Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/343626"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "express-cart",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003e=1.1.6"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A deficiency in the access control in module express-cart \u003c=1.1.5 allows unprivileged users to add new users to the application as administrators."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Privilege Escalation (CAPEC-233)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/343626"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16483",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "express-cart",
"version": {
"version_data": [
{
"version_value": "\u003e=1.1.6"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A deficiency in the access control in module express-cart \u003c=1.1.5 allows unprivileged users to add new users to the application as administrators."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Privilege Escalation (CAPEC-233)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/343626",
"refsource": "MISC",
"url": "https://hackerone.com/reports/343626"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16483",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16480 (GCVE-0-2018-16480)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
Summary
An XSS vulnerability was found in module public <0.1.4 that allows malicious JavaScript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Generic (CWE-79)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/329950 | x_refsource_MISC |
| https://www.npmjs.com/package/public | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.712Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/329950"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.npmjs.com/package/public"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "public",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c0.1.4"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A XSS vulnerability was found in module public \u003c0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Generic (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/329950"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.npmjs.com/package/public"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16480",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "public",
"version": {
"version_data": [
{
"version_value": "\u003c0.1.4"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A XSS vulnerability was found in module public \u003c0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/329950",
"refsource": "MISC",
"url": "https://hackerone.com/reports/329950"
},
{
"name": "https://www.npmjs.com/package/public",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/public"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16480",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16492 (GCVE-0-2018-16492)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
Summary
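A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype. The record classifies this as CWE-400 (Denial of Service) rather than the prototype-pollution entry CWE-1321, so a CWE-based search for that weakness class will not match this record.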
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/381185 | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.840Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/381185"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "extend",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.2, ~\u003c3.0.2"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in module extend \u003c2.0.2, ~\u003c3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/381185"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16492",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "extend",
"version": {
"version_data": [
{
"version_value": "\u003c 2.0.2, ~\u003c3.0.2"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in module extend \u003c2.0.2, ~\u003c3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/381185",
"refsource": "MISC",
"url": "https://hackerone.com/reports/381185"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16492",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16482 (GCVE-0-2018-16482)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
Summary
A server directory traversal vulnerability was found in the Node module mcstatic <=0.0.20 that would allow an attacker to access sensitive information in the file system by appending slashes in the URL path.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/330285 | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/330285"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mcstatic",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=0.0.20"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A server directory traversal vulnerability was found on node module mcstatic \u003c=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/330285"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16482",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "mcstatic",
"version": {
"version_data": [
{
"version_value": "\u003c=0.0.20"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A server directory traversal vulnerability was found on node module mcstatic \u003c=0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/330285",
"refsource": "MISC",
"url": "https://hackerone.com/reports/330285"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16482",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16484 (GCVE-0-2018-16484)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
An XSS vulnerability was found in module m-server <1.4.2 that allows malicious JavaScript code or HTML to be executed, due to the lack of escaping for special characters in folder names.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Stored (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/319794 | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/319794"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "m-server",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.2"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A XSS vulnerability was found in module m-server \u003c1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Stored (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/319794"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16484",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "m-server",
"version": {
"version_data": [
{
"version_value": "\u003c1.4.2"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A XSS vulnerability was found in module m-server \u003c1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder names."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/319794",
"refsource": "MISC",
"url": "https://hackerone.com/reports/319794"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16484",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16490 (GCVE-0-2018-16490)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
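A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype. [Note: the record classifies this under CWE-400 (Denial of Service) although the description is of prototype pollution, for which CWE-1321 is the dedicated entry; filtering by CWE alone will not surface it as prototype pollution.]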
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/390860 | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/390860"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mpath",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c0.5.1"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in module mpath \u003c0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/390860"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16490",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "mpath",
"version": {
"version_data": [
{
"version_value": "\u003c0.5.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in module mpath \u003c0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/390860",
"refsource": "MISC",
"url": "https://hackerone.com/reports/390860"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16490",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16487 (GCVE-0-2018-16487)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
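A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. [Note: the affected-version field in the record below reads "<4.7.11", which disagrees with the "<4.17.11" in this description; confirm the bound against the referenced reports before relying on that field for automated version matching.]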
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/380873 | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2019091… | x_refsource_CONFIRM |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/380873"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lodash",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c4.7.11"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-19T16:06:08.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/380873"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16487",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lodash",
"version": {
"version_data": [
{
"version_value": "\u003c4.7.11"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/380873",
"refsource": "MISC",
"url": "https://hackerone.com/reports/380873"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190919-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16487",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16491 (GCVE-0-2018-16491)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/430831 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | node.extend |
Affected:
<1.1.7, ~<2.0.1
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/430831"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node.extend",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c1.1.7, ~\u003c2.0.1"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in node.extend \u003c1.1.7, ~\u003c2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/430831"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16491",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "node.extend",
"version": {
"version_data": [
{
"version_value": "\u003c1.1.7, ~\u003c2.0.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in node.extend \u003c1.1.7, ~\u003c2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/430831",
"refsource": "MISC",
"url": "https://hackerone.com/reports/430831"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16491",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16489 (GCVE-0-2018-16489)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
A prototype pollution vulnerability was found in just-extend <4.0.0 that allows an attacker to inject properties onto Object.prototype through its functions.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/430291 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | just-extend |
Affected:
<4.0.0
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/430291"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "just-extend",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c4.0.0"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in just-extend \u003c4.0.0 that allows attack to inject properties onto Object.prototype through its functions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/430291"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16489",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "just-extend",
"version": {
"version_data": [
{
"version_value": "\u003c4.0.0"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in just-extend \u003c4.0.0 that allows attack to inject properties onto Object.prototype through its functions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/430291",
"refsource": "MISC",
"url": "https://hackerone.com/reports/430291"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16489",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16485 (GCVE-0-2018-16485)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
Path Traversal vulnerability in module m-server <1.4.1 allows a malicious user to gain unauthorized access to the content of any file in the directory tree, e.g. /etc/passwd, by appending slashes to the URL request.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/319795 | x_refsource_MISC |
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/319795"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "m-server",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.1"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Path Traversal vulnerability in module m-server \u003c1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/319795"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16485",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "m-server",
"version": {
"version_data": [
{
"version_value": "\u003c1.4.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path Traversal vulnerability in module m-server \u003c1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/319795",
"refsource": "MISC",
"url": "https://hackerone.com/reports/319795"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16485",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16486 (GCVE-0-2018-16486)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/380878 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | defaults-deep |
Affected:
<=0.2.4
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/380878"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "defaults-deep",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=0.2.4"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A prototype pollution vulnerability was found in defaults-deep \u003c=0.2.4 that would allow a malicious user to inject properties onto Object.prototype."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/380878"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16486",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "defaults-deep",
"version": {
"version_data": [
{
"version_value": "\u003c=0.2.4"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A prototype pollution vulnerability was found in defaults-deep \u003c=0.2.4 that would allow a malicious user to inject properties onto Object.prototype."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/380878",
"refsource": "MISC",
"url": "https://hackerone.com/reports/380878"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16486",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16479 (GCVE-0-2018-16479)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
Path traversal vulnerability in http-live-simulator <1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/411405 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | http-live-simulator |
Affected:
<1.0.7
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.597Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/411405"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "http-live-simulator",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c1.0.7"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability in http-live-simulator \u003c1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/411405"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16479",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "http-live-simulator",
"version": {
"version_data": [
{
"version_value": "\u003c1.0.7"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path traversal vulnerability in http-live-simulator \u003c1.0.7 causes unauthorized access to arbitrary files on disk by appending extra slashes after the URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/411405",
"refsource": "MISC",
"url": "https://hackerone.com/reports/411405"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16479",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16493 (GCVE-0-2018-16493)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL.
Severity
No CVSS data available.
CWE
- CWE-548 - Information Exposure Through Directory Listing (CWE-548)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/432600 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | static-resource-server |
Affected:
1.7.2
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.903Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/432600"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "static-resource-server",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "1.7.2"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "Information Exposure Through Directory Listing (CWE-548)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/432600"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16493",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "static-resource-server",
"version": {
"version_data": [
{
"version_value": "1.7.2"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Exposure Through Directory Listing (CWE-548)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/432600",
"refsource": "MISC",
"url": "https://hackerone.com/reports/432600"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16493",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16481 (GCVE-0-2018-16481)
Vulnerability from nvd – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
An XSS vulnerability was found in html-pages <=2.1.1 that allows malicious JavaScript code to be executed in the user's browser due to the absence of sanitization of the paths before rendering.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Generic (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/330356 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | html-pages |
Affected:
<=2.1.1
|
Date Public
2019-02-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/330356"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "html-pages",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=2.1.1"
}
]
}
],
"datePublic": "2019-02-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A XSS vulnerability was found in html-page \u003c=2.1.1 that allows malicious Javascript code to be executed in the user\u0027s browser due to the absence of sanitization of the paths before rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Generic (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-01T17:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/330356"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16481",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "html-pages",
"version": {
"version_data": [
{
"version_value": "\u003c=2.1.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A XSS vulnerability was found in html-page \u003c=2.1.1 that allows malicious Javascript code to be executed in the user\u0027s browser due to the absence of sanitization of the paths before rendering."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/330356",
"refsource": "MISC",
"url": "https://hackerone.com/reports/330356"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-16481",
"datePublished": "2019-02-01T18:00:00.000Z",
"dateReserved": "2018-09-04T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}