Show filters
331 Total Results
Displaying 121-130 of 331
Sort by:
Attacker Value
Unknown
CVE-2021-4044
Disclosure Date: December 14, 2021 (last updated February 23, 2025)
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug …
0
Attacker Value
Unknown
CVE-2021-43788
Disclosure Date: November 29, 2021 (last updated February 23, 2025)
Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.
0
Attacker Value
Unknown
CVE-2021-43787
Disclosure Date: November 29, 2021 (last updated February 23, 2025)
Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.
0
Attacker Value
Unknown
CVE-2021-43786
Disclosure Date: November 29, 2021 (last updated February 23, 2025)
Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patch as of v1.18.5. Users are advised to upgrade as soon as possible.
0
Attacker Value
Unknown
CVE-2021-3672
Disclosure Date: November 23, 2021 (last updated February 23, 2025)
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
0
Attacker Value
Unknown
CVE-2021-22930
Disclosure Date: October 07, 2021 (last updated February 23, 2025)
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
0
Attacker Value
Unknown
CVE-2021-22931
Disclosure Date: August 16, 2021 (last updated February 23, 2025)
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
0
Attacker Value
Unknown
CVE-2021-22939
Disclosure Date: August 16, 2021 (last updated February 23, 2025)
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
0
Attacker Value
Unknown
CVE-2021-22940
Disclosure Date: August 16, 2021 (last updated February 23, 2025)
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
0
Attacker Value
Unknown
CVE-2021-22921
Disclosure Date: July 12, 2021 (last updated February 23, 2025)
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
0