Rewterz

Rewterz Threat Advisory – Multiple McAfee ePolicy Orchestrator Vulnerabilities

Severity

High

Analysis Summary

CVE-2021-23820 

Node.js json-pointer module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the pointer components. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.

CVE-2021-23807 

Node.js jsonpointer module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the pointer components. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.

CVE-2021-23784 

Node.js tempura module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the esc function. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2021-23624 

Node.js dotty module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the path parameter. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.

CVE-2021-23509 

Node.js json-ptr module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the pointer parameter. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
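The four prototype-pollution entries above describe the same root cause: a pointer or path setter walks the reference tokens it is given, and a token such as `__proto__` (or `constructor` followed by `prototype`) resolves to `Object.prototype`, so the final assignment lands on every plain object in the process. The following is an added example, not the code of json-pointer, jsonpointer, dotty or json-ptr: a minimal RFC 6901-style setter in the unsafe shape, beside a hardened version that refuses prototype-reaching tokens and only traverses own properties. Function names and the sample pointers are constructed for illustration.

```javascript
// Parse an RFC 6901 pointer ("/a/b/0") into its reference tokens,
// undoing the ~1 -> "/" and ~0 -> "~" escapes.
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error('pointer must start with "/"');
  return pointer
    .slice(1)
    .split('/')
    .map((tok) => tok.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// UNSAFE (hypothetical): walks whatever tokens the caller supplies. A token
// of "__proto__" resolves to Object.prototype, so the final assignment is
// visible on every plain object afterwards.
function setUnsafe(target, pointer, value) {
  const tokens = parsePointer(pointer);
  let cur = target;
  for (let i = 0; i < tokens.length - 1; i++) {
    const tok = tokens[i];
    if (cur[tok] === undefined || cur[tok] === null) cur[tok] = {};
    cur = cur[tok];
  }
  cur[tokens[tokens.length - 1]] = value;
  return target;
}

// Tokens that can redirect a path onto a shared prototype.
const FORBIDDEN_TOKENS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED (hypothetical): rejects the dangerous tokens up front and only
// descends into own, object-valued properties, so no pointer can reach
// Object.prototype through this setter.
function setSafe(target, pointer, value) {
  const tokens = parsePointer(pointer);
  if (tokens.length === 0) throw new Error('cannot replace the root');
  for (const tok of tokens) {
    if (FORBIDDEN_TOKENS.has(tok)) {
      throw new Error(`refusing prototype-reaching token "${tok}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < tokens.length - 1; i++) {
    const tok = tokens[i];
    const own = Object.prototype.hasOwnProperty.call(cur, tok);
    if (!own || typeof cur[tok] !== 'object' || cur[tok] === null) cur[tok] = {};
    cur = cur[tok];
  }
  cur[tokens[tokens.length - 1]] = value;
  return target;
}

// Run both setters on constructed input and report what happened to
// Object.prototype, cleaning up the pollution so the rest of the process
// is unaffected.
function demo() {
  const polluting = '/__proto__/isAdmin';        // constructed sample pointer
  setUnsafe({}, polluting, true);
  const unsafeLeaked = ({}).isAdmin === true;     // unrelated object now has isAdmin
  delete Object.prototype.isAdmin;                // undo the pollution

  let safeRejected = false;
  try { setSafe({}, polluting, true); } catch (e) { safeRejected = true; }
  const safeLeaked = ({}).isAdmin === true;

  let constructorRejected = false;
  try { setSafe({}, '/constructor/prototype/isAdmin', true); } catch (e) { constructorRejected = true; }

  const normal = setSafe({}, '/user/roles/0', 'reader');  // ordinary pointer still works
  return { unsafeLeaked, safeRejected, safeLeaked, constructorRejected, normal };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The own-property check matters as much as the deny-list: without it, a token that happens to name an inherited property would still descend into shared state. Libraries that must support arbitrary keys can instead build intermediate nodes with `Object.create(null)` so there is no prototype to reach.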

CVE-2021-23472 

Node.js bootstrap-table module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
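Both cross-site scripting entries (tempura's `esc` function and bootstrap-table) come down to user-supplied input reaching HTML without the characters that change markup structure being neutralised. The following is an added example, not tempura's or bootstrap-table's own code: a complete HTML escaper beside an incomplete one that handles only angle brackets, and a rendering of a table cell that shows why the incomplete version still lets input break out of an attribute value. Function names and the sample input are constructed.

```javascript
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Complete escaper for text nodes and quoted attribute values: every
// character that can open a tag, end an attribute or start an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Incomplete escaper (hypothetical): stops tags but leaves quotes intact,
// so it only protects text content, not attributes.
function escapeTagsOnly(value) {
  return String(value).replace(/[<>]/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a table cell whose title attribute and text both carry user data,
// using whichever escaper the caller supplies.
function renderCell(name, esc) {
  return `<td title="${esc(name)}">${esc(name)}</td>`;
}

// The template above contains exactly two attribute-delimiting quotes; any
// extra raw quote in the output means the input added markup structure.
function rawQuoteCount(fragment) {
  return (fragment.match(/"/g) || []).length;
}

// Compare both escapers on a constructed input that tries to close the
// title attribute and add one of its own.
function demo() {
  const hostile = 'Ann" data-injected="yes';   // constructed sample input
  const weak = renderCell(hostile, escapeTagsOnly);
  const strong = renderCell(hostile, escapeHtml);
  return {
    weak,
    strong,
    weakBreaksOut: weak.includes(' data-injected="'),
    strongBreaksOut: strong.includes(' data-injected="'),
    weakQuotes: rawQuoteCount(weak),
    strongQuotes: rawQuoteCount(strong),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Escaping is context-specific: this function is correct for element text and quoted attributes, but data placed inside a script block, an event handler, a URL or an unquoted attribute needs the encoding for that context, which is why templating engines expose escaping as a default rather than an opt-in.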

Impact

  • Code Execution
  • Cross-Site Scripting

Affected Vendors

Node.js

Affected Products

  • Node.js json-pointer 0.6.1
  • Node.js jsonpointer 4.1.0
  • Node.js tempura 0.3.2
  • Node.js dotty 0.1.1
  • Node.js json-ptr 2.2.0
  • Node.js bootstrap-table 1.18.3

Remediation

Upgrade to the latest version of jsonpointer, available from the NPM Web site.

https://www.npmjs.com/package/json-pointer