Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-10103

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-03 Jul, 2019 | 00:00
Updated At-04 Aug, 2024 | 22:10
Rejected At-
Credits

JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:03 Jul, 2019 | 00:00
Updated At:04 Aug, 2024 | 22:10
Rejected At:
▼CVE Numbering Authority (CNA)

JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
N/A
https://security.netapp.com/advisory/ntap-20230818-0012/
N/A
Hyperlink: https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
Resource: N/A
Hyperlink: https://security.netapp.com/advisory/ntap-20230818-0012/
Resource: N/A
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
x_transferred
https://security.netapp.com/advisory/ntap-20230818-0012/
x_transferred
Hyperlink: https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
Resource:
x_transferred
Hyperlink: https://security.netapp.com/advisory/ntap-20230818-0012/
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:03 Jul, 2019 | 20:15
Updated At:18 Aug, 2023 | 14:15

JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.08.1HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.06.8MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.0
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 6.8
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CPE Matches
JetBrains s.r.o.
jetbrains
>>kotlin>>Versions before 1.3.30(exclusive)
cpe:2.3:a:jetbrains:kotlin:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-311Primarynvd@nist.gov
CWE ID: CWE-311
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/cve@mitre.org
Vendor Advisory
https://security.netapp.com/advisory/ntap-20230818-0012/cve@mitre.org
N/A
Hyperlink: https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: https://security.netapp.com/advisory/ntap-20230818-0012/
Source: cve@mitre.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

149Records found
CVE-2022-24335
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.00% / 0.14%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 14:35
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-teamcityn/a
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2018-14878
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.00% / 0.15%
||
7 Day CHG~0.00%
Published-13 Aug, 2018 | 17:00
Updated-05 Aug, 2024 | 09:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific file, because of Deserialization of Untrusted Data.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-resharper_ultimatedotpeekn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-9872
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.00% / 0.04%
||
7 Day CHG~0.00%
Published-03 Jul, 2019 | 18:40
Updated-04 Aug, 2024 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize IDE settings using a public repository, these credentials were published to this repository. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-intellij_idean/a
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2019-15039
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.23% / 45.49%
||
7 Day CHG~0.00%
Published-01 Oct, 2019 | 13:20
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in JetBrains TeamCity 2018.2.4. It had a possible remote code execution issue. This was fixed in TeamCity 2019.1.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-teamcityn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-15040
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.00% / 0.05%
||
7 Day CHG~0.00%
Published-02 Oct, 2019 | 18:32
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-youtrackn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-12851
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.00% / 0.05%
||
7 Day CHG~0.00%
Published-03 Jul, 2019 | 18:18
Updated-04 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-youtrackn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-10102
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.00% / 0.10%
||
7 Day CHG~0.00%
Published-03 Jul, 2019 | 00:00
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. This issue was fixed in Kotlin plugin version 1.3.30.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-kotlinktorn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-10101
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.01% / 1.71%
||
7 Day CHG~0.00%
Published-03 Jul, 2019 | 00:00
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-kotlinn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-25765
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.00% / 0.05%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 15:26
Updated-03 Aug, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-youtrackn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-31912
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.01% / 0.30%
||
7 Day CHG~0.00%
Published-11 May, 2021 | 12:05
Updated-03 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-teamcityn/a
CWE ID-CWE-640
Weak Password Recovery Mechanism for Forgotten Password
CVE-2022-24342
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.08% / 22.89%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 14:35
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-teamcityn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-6445
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.28% / 51.02%
||
7 Day CHG~0.00%
Published-05 Mar, 2017 | 20:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipulate the update packages to gain root access remotely.

Action-Not Available
Vendor-openelecn/a
Product-openelecn/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2017-5251
Matching Score-4
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-4
Assigner-Rapid7, Inc.
CVSS Score-8.1||HIGH
EPSS-0.16% / 36.51%
||
7 Day CHG~0.00%
Published-22 Feb, 2018 | 16:00
Updated-05 Aug, 2024 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In version 1012 and prior of Insteon's Insteon Hub, the radio transmissions used for communication between the hub and connected devices are not encrypted.

Action-Not Available
Vendor-Insteon Technologies, Inc
Product-insteon_hub_firmwareinsteon_hubInsteon Hub Firmware
CWE ID-CWE-294
Authentication Bypass by Capture-replay
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2020-27651
Matching Score-4
Assigner-Synology Inc.
ShareView Details
Matching Score-4
Assigner-Synology Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.33% / 55.48%
||
7 Day CHG~0.00%
Published-29 Oct, 2020 | 08:55
Updated-16 Sep, 2024 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)
CWE ID-CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2016-10670
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-16 Sep, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

windows-seleniumjar-mirror downloads the Selenium Jar file windows-seleniumjar-mirror downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-windows-seleniumjar-mirror_projectHackerOne
Product-windows-seleniumjar-mirrorwindows-seleniumjar-mirror node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10609
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-16 Sep, 2024 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

chromedriver126 is chromedriver version 1.26 for linux OS. chromedriver126 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-chromedriver126_projectHackerOneLinux Kernel Organization, Inc
Product-chromedriver126linux_kernelchromedriver126 node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10678
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-16 Sep, 2024 | 22:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

serc.js is a Selenium RC process wrapper serc.js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-serc.js_projectHackerOne
Product-serc.jsserc.js node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10631
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-17 Sep, 2024 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jvminstall is a module for downloading and unpacking jvm to local system. jvminstall downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-jvminstall_projectHackerOne
Product-jvminstalljvminstall node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10662
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-17 Sep, 2024 | 02:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

tomita is a node wrapper for Yandex Tomita Parser tomita downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-tomita_projectHackerOne
Product-tomitatomita node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10627
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-29 May, 2018 | 20:00
Updated-16 Sep, 2024 | 17:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

scala-bin is a binary wrapper for Scala. scala-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-scala-bin_projectHackerOne
Product-scala-binscala-bin node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10645
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-17 Sep, 2024 | 02:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

grunt-images is a grunt plugin for processing images. grunt-images downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-grunt-images_projectHackerOne
Product-grunt-imagesgrunt-images node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10575
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-17 Sep, 2024 | 02:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kindlegen is a simple Node.js wrapper of the official kindlegen program. Kindlegen versions before 1.1.0 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-hakatashiHackerOne
Product-kindlegenkindlegen node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2017-16040
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 19:00
Updated-16 Sep, 2024 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

gfe-sass is a library for promises (CommonJS/Promises/A,B,D) gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-gfe-sass_projectHackerOne
Product-gfe-sassgfe-sass node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2017-16003
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.70% / 72.10%
||
7 Day CHG~0.00%
Published-29 May, 2018 | 20:00
Updated-17 Sep, 2024 | 03:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-windows-build-tools_projectHackerOne
Product-windows-build-toolswindows-build-tools node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2017-16035
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.18% / 38.73%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 19:00
Updated-17 Sep, 2024 | 01:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation.

Action-Not Available
Vendor-hubspotHackerOne
Product-hubl-serverhubl-server node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-11404
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.31% / 53.93%
||
7 Day CHG~0.00%
Published-21 Apr, 2019 | 16:06
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.

Action-Not Available
Vendor-arrow-ktn/a
Product-arrown/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2019-11405
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.19% / 40.34%
||
7 Day CHG~0.00%
Published-21 Apr, 2019 | 16:07
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenAPI Tools OpenAPI Generator before 4.0.0-20190419.052012-560 uses http:// URLs in various build.gradle, build.gradle.mustache, and build.sbt files, which may have caused insecurely resolved dependencies.

Action-Not Available
Vendor-openapi-generatorn/a
Product-openapi_generatorn/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2016-10654
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.16% / 36.81%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-16 Sep, 2024 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

sfml downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

Action-Not Available
Vendor-sfml_projectHackerOne
Product-sfmlsfml node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10659
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-29 May, 2018 | 20:00
Updated-16 Sep, 2024 | 17:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

poco - The POCO libraries, downloads source file resources used for compilation over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-macchinaHackerOne
Product-pocopoco node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10671
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-16 Sep, 2024 | 23:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

mystem-wrapper is a Yandex mystem app wrapper module. mystem-wrapper downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-mystem-wrapper_projectHackerOne
Product-mystem-wrappermystem-wrapper node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10625
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.52% / 66.86%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-17 Sep, 2024 | 03:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

headless-browser-lite is a minimal npm installer for phantomjs and slimerjs with no external dependencies. headless-browser-lite downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-headless-browser-lite_projectHackerOne
Product-headless-browser-liteheadless-browser-lite node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10638
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-16 Sep, 2024 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

js-given is a JavaScript frontend to jgiven. js-given downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-js-given_projectHackerOne
Product-js-givenjs-given node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10637
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-17 Sep, 2024 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

haxe-dev is a cross-platform toolkit. haxe-dev downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-haxeHackerOne
Product-haxe-devhaxe-dev node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10636
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-16 Sep, 2024 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

grunt-ccompiler is a Closure Compiler Grunt Plugin. grunt-ccompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-grunt-ccompiler_projectHackerOne
Product-grunt-ccompilergrunt-ccompiler node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10657
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-17 Sep, 2024 | 03:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

co-cli-installer downloads the co-cli module as part of the install process, but does so over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-co-cli-installer_projectHackerOne
Product-co-cli-installerco-cli-installer node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10656
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-17 Sep, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

qbs is a build tool that helps simplify the build process for developing projects across multiple platforms. qbs downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-qbs_projectHackerOne
Product-qbsqbs node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10612
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.52% / 66.86%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-17 Sep, 2024 | 02:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

dalek-browser-ie-canary is Internet Explorer bindings for DalekJS. dalek-browser-ie-canary downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-dalekjsHackerOne
Product-dalekjsdalek-browser-ie-canary node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10610
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.16% / 36.81%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-17 Sep, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

unicode-json is a unicode lookup table. unicode-json before 2.0.0 downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.

Action-Not Available
Vendor-unicodeHackerOne
Product-unicode-jsonunicode-json node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10695
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 19:00
Updated-16 Sep, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The npm-test-sqlite3-trunk module provides asynchronous, non-blocking SQLite3 bindings. npm-test-sqlite3-trunk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-mapboxHackerOne
Product-npm-test-sqlite3-trunknpm-test-sqlite3-trunk node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10635
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-29 May, 2018 | 20:00
Updated-16 Sep, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

broccoli-closure is a Closure compiler plugin for Broccoli. broccoli-closure before 1.3.1 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-broccoli-closure_projectHackerOne
Product-broccoli-closurebroccoli-closure node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10624
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.52% / 66.86%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-16 Sep, 2024 | 23:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

selenium-chromedriver is a simple utility for downloading the Selenium Webdriver for Google Chrome selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-selenium-chromedriver_projectHackerOne
Product-selenium-chromedriverselenium-chromedriver node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10640
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-17 Sep, 2024 | 03:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

node-thulac is a node binding for thulac. node-thulac downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-geoheyHackerOne
Product-node-thulacnode-thulac node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10622
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-17 Sep, 2024 | 03:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

nodeschnaps is a NodeJS compatibility layer for Java (Rhino). nodeschnaps downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-nodeschnaps_projectHackerOne
Product-nodeschnapsnodeschnaps node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10634
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-16 Sep, 2024 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

scala-standalone-bin is a Binary wrapper for ScalaJS. scala-standalone-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-scalajs-standalone-bin_projectHackerOne
Product-scalajs-standalone-binscalajs-standalone-bin node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10633
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.52% / 66.86%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

dwebp-bin is a dwebp node.js wrapper that convert WebP into PNG. dwebp-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-dwebp-bin_projectHackerOne
Product-dwebp-bindwebp-bin node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10685
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-16 Sep, 2024 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pk-app-wonderbox is an integration with wonderbox pk-app-wonderbox downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-pk-app-wonderbox_projectHackerOne
Product-pk-app-wonderboxpk-app-wonderbox node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10681
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.66% / 71.20%
||
7 Day CHG~0.00%
Published-29 May, 2018 | 20:00
Updated-17 Sep, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

roslib-socketio - The standard ROS Javascript Library fork for add support to socket.io roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-robotwebtoolsHackerOne
Product-roslibjsroslib-socketio node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2016-10675
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.73% / 72.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 16:00
Updated-17 Sep, 2024 | 02:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

libsbmlsim is a module that installs linux binaries for libsbmlsim libsbmlsim downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-libsbmlsim_projectHackerOne
Product-libsbmlsimlibsbmlsim node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
CVE-2018-5261
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.05% / 14.43%
||
7 Day CHG~0.00%
Published-02 Feb, 2018 | 21:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Flexense DiskBoss 8.8.16 and earlier. Due to the usage of plaintext information from the handshake as input for the encryption key used for the encryption of the rest of the session, the server and client disclose sensitive information, such as the authentication credentials, to any man-in-the-middle (MiTM) listener.

Action-Not Available
Vendor-flexensen/a
Product-diskbossn/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2016-10587
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.52% / 66.86%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 18:00
Updated-16 Sep, 2024 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wasdk is a toolkit for creating WebAssembly modules. wasdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Action-Not Available
Vendor-wasdk_projectHackerOne
Product-wasdkwasdk node module
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-310
Not Available
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found