Show filters
11 Total Results
Displaying 1-10 of 11
Sort by:
Attacker Value
Unknown
CVE-2020-28969
Disclosure Date: October 22, 2021 (last updated February 23, 2025)
Aplioxio PDF ShapingUp 5.0.0.139 contains a buffer overflow which allows attackers to cause a denial of service (DoS) via a crafted PDF file.
0
Attacker Value
Unknown
CVE-2021-32053
Disclosure Date: May 10, 2021 (last updated February 22, 2025)
JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server resources if there are many simultaneous history requests.
0
Attacker Value
Unknown
CVE-2020-4038
Disclosure Date: June 08, 2020 (last updated February 21, 2025)
GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13.
0
Attacker Value
Unknown
CVE-2019-12741
Disclosure Date: June 05, 2019 (last updated November 27, 2024)
XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.)
0
Attacker Value
Unknown
CVE-2017-16013
Disclosure Date: June 04, 2018 (last updated November 26, 2024)
hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.
0
Attacker Value
Unknown
CVE-2015-9236
Disclosure Date: May 31, 2018 (last updated November 26, 2024)
Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.
0
Attacker Value
Unknown
CVE-2015-9241
Disclosure Date: May 29, 2018 (last updated November 26, 2024)
Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2 minutes).
0
Attacker Value
Unknown
CVE-2016-10525
Disclosure Date: May 29, 2018 (last updated November 26, 2024)
When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication.
0
Attacker Value
Unknown
CVE-2015-9243
Disclosure Date: May 29, 2018 (last updated November 26, 2024)
When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins `*`).
0
Attacker Value
Unknown
CVE-2014-7193
Disclosure Date: December 25, 2014 (last updated October 05, 2023)
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site that is visited by an application consumer.
0