OSS Index
An open index of open source

Welcome to the NuGet Start Page

Posted by OSS-Index on May 15, 2016

Quick access to NuGet auditing tools, search, and recent NuGet activity on OSS Index.

Recent news...


NuGet package vulnerability: python-embed

[CVE-2016-4000] Deserialization of Untrusted Data
Wed Aug 02 20:02:46 EDT 2017

Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.




NuGet package vulnerability: jquery.jstree

Cross Site Scripting (XSS)
Wed Aug 02 18:53:48 EDT 2017

> When using inline HTML to populate the tree, if the nodes contain HTML entities, the node text will contain those entities even though they aren't rendered.
>
> – github.com




NuGet package vulnerability: node-uuid

Insufficiently Random Values
Sun Jul 30 10:41:56 EDT 2017

This package uses math.random, which is insufficient for security purposes.




NuGet package vulnerability: ckeditor-standard-all

`target=blank` vulnerability
Sun Jul 30 09:51:06 EDT 2017

> If a victim had access to a spoofed version of ckeditor.com via HTTP (e.g. due to DNS spoofing, using a hacked public network or malicious hotspot), then when using a link to the ckeditor.com website it was possible for the attacker to change the current URL of the opening page, even if the opening page was protected with SSL.
>
> – github.com
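The mechanism behind this entry is reverse tabnabbing: a page opened with target="_blank" keeps a window.opener reference and may assign window.opener.location, so a spoofed HTTP page reached from an HTTPS page can redirect the HTTPS tab. The block below is an added example, not CKEditor's code: it hardens anchor attributes with rel="noopener noreferrer" and models, without a browser, how the opener reference is granted and what the spoofed page does with it. The URLs used as the opener and the phishing target are assumptions for illustration.

```javascript
// Added example (not CKEditor's code): reverse tabnabbing via window.opener
// and the rel="noopener noreferrer" fix. Runs under Node.js; the browser
// behaviour is modelled with plain objects so the logic can be exercised.

// Add the tokens that sever the opener link, keeping whatever rel tokens
// were already present.
function hardenRel(rel) {
  const tokens = new Set((rel || "").split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer"); // older browsers treat noreferrer as noopener
  return Array.from(tokens).join(" ");
}

// Apply to an attribute map for an <a>; only links that open a new
// browsing context need it.
function hardenAnchor(attrs) {
  const out = Object.assign({}, attrs);
  if (out.target === "_blank") out.rel = hardenRel(out.rel);
  return out;
}

// Stand-in for a browsing context: a mutable location and an opener.
function makeWindow(href) {
  return { location: href, opener: null };
}

// Model of the browser: a target="_blank" link hands the new window a
// reference to its opener unless rel carries noopener or noreferrer.
function openFrom(parent, attrs) {
  const child = makeWindow(attrs.href);
  const rel = (attrs.rel || "").split(/\s+/);
  if (attrs.target === "_blank" && !rel.includes("noopener") && !rel.includes("noreferrer")) {
    child.opener = parent;
  }
  return child;
}

// What the spoofed page does once loaded: if it still sees an opener, it
// navigates the original tab, HTTPS or not, to a page it controls.
function attackerPayload(win, phishingUrl) {
  if (win.opener) {
    win.opener.location = phishingUrl;
    return true;
  }
  return false;
}

// Open a link from an assumed HTTPS page and report where that page ends up.
function demo(attrs) {
  const parent = makeWindow("https://app.example/editor");     // assumed URL
  const child = openFrom(parent, attrs);
  attackerPayload(child, "http://evil.example/login");          // assumed URL
  return parent.location;
}
```

demo({ href: "http://ckeditor.com/", target: "_blank" }) returns the phishing URL; wrapping the same attributes in hardenAnchor leaves the opener where it was. In a real page the equivalent is rel="noopener noreferrer" on every external target="_blank" link, or window.open(url, "_blank", "noopener") when opening from script.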




NuGet package vulnerability: jQuery

Exceeding Stack Call Limit DoS
Sat Jul 29 22:35:15 EDT 2017

> In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0. Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.
>
> – nodesecurity.io




NuGet package vulnerability: Plotly

Cross Site Scripting (XSS)
Sat Jul 29 22:28:22 EDT 2017

> If an attacker can trick an unsuspecting user into viewing a specially crafted plot on a site that uses plotly.js, then the attacker could potentially retrieve authentication tokens and perform actions on behalf of the user.
>
> – nodesecurity.io
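Both this Plotly entry and the jquery.jstree entry above are the same bug pattern: a string that was already decoded by the browser (node text read from inline HTML, a plot label supplied by an attacker) is concatenated back into markup as if it were safe. The block below is an added example, not jstree's or plotly.js's code. It shows the decode-then-re-insert round trip that turns a harmless "&lt;img ...&gt;" in the source into a live tag, next to the fix, which is to escape on output no matter where the string came from. The `jstree-anchor` class name is used only to make the rendered wrapper recognisable in the check.

```javascript
// Added example (not jstree's or plotly.js's code): stored text that was
// decoded once becoming markup on re-render, and escape-on-output as the fix.
// Runs under Node.js; no DOM is needed to show the string transformations.

const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Decode HTML entities the way the browser does when it parses inline HTML
// into a DOM: "&lt;" in the page source becomes "<" in the node's text.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
  });
}

// Escape for insertion into an HTML text node or quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: text pulled out of the DOM (already decoded) is concatenated
// straight into markup, so the entity the author wrote as plain text comes
// back as a live element. Kept deliberately to show the failure.
function renderNodeVulnerable(textFromDom) {
  return '<a class="jstree-anchor">' + textFromDom + "</a>";
}

// Fixed: escape on output, regardless of the string's origin.
function renderNodeSafe(textFromDom) {
  return '<a class="jstree-anchor">' + escapeHtml(textFromDom) + "</a>";
}

// Conservative check: does the rendered markup contain any tag other than
// the wrapper we emitted ourselves?
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<a class="jstree-anchor">/, "")
    .replace(/<\/a>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

// End to end: what the page author wrote, what the DOM hands back, and what
// each renderer produces from it.
function roundTrip(inlineHtmlText) {
  const textFromDom = decodeEntities(inlineHtmlText);
  return {
    textFromDom,
    vulnerable: renderNodeVulnerable(textFromDom),
    safe: renderNodeSafe(textFromDom),
  };
}
```

The safe renderer is idempotent in the sense that matters: escaping decoded text yields exactly the entities the author wrote, so a label that was "&lt;b&gt;" in the source stays "&lt;b&gt;" on screen instead of becoming bold, and an onerror handler never reaches the parser. The same rule applies to plot titles, axis labels and hover text in a charting library: treat them as text unless the API explicitly takes HTML and the caller has sanitised it.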




NuGet package vulnerability: Magick.NET-Q16-AnyCPU

[CVE-2017-11450] Improper Input Validation
Thu Jul 20 11:53:25 EDT 2017

coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via JPEG data that is too short.




NuGet package vulnerability: Magick.NET-Q16-x64

[CVE-2017-11446] Resource Management Errors
Thu Jul 20 11:48:08 EDT 2017

The ReadPESImage function in coders/pes.c in ImageMagick 7.0.6-1 has an infinite loop vulnerability that can cause CPU exhaustion via a crafted PES file.




NuGet package vulnerability: Magick.NET-Q16-x64

[CVE-2017-11447] Resource Management Errors
Thu Jul 20 11:47:47 EDT 2017

The ReadSCREENSHOTImage function in coders/screenshot.c in ImageMagick before 7.0.6-1 has memory leaks, causing denial of service.




NuGet package vulnerability: Magick.NET-Q16-AnyCPU

[CVE-2017-11449] Improper Input Validation
Thu Jul 20 11:45:13 EDT 2017

coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable streams and thus cannot validate blob sizes, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an image received from stdin.
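The four Magick.NET entries above share two root causes: a decoder that reads a length or a record without first checking that many bytes actually exist (CVE-2017-11450, CVE-2017-11449), and a loop whose exit depends on data the attacker controls (CVE-2017-11446). The block below is an added example, not ImageMagick's or Magick.NET's code: a walk over the marker segments at the start of a JPEG file that checks every read against the buffer length, rejects data that is too short, and advances on every iteration so that no input can make it spin. The sample files are constructed inline; they are structurally valid headers, not real images.

```javascript
// Added example (not ImageMagick's or Magick.NET's code): a bounds-checked
// walk over JPEG marker segments. Every read is checked against buf.length
// before it happens and pos grows on every iteration, so crafted or
// truncated input produces an error rather than a crash or a hang.
// Runs under Node.js.

// Returns [{marker, length}] for the segments up to the start of scan (SOS)
// or end of image (EOI); throws on malformed or truncated input.
function walkJpegSegments(buf) {
  if (!Buffer.isBuffer(buf)) throw new TypeError("expected a Buffer");
  if (buf.length < 2 || buf[0] !== 0xff || buf[1] !== 0xd8) {
    throw new Error("not a JPEG: missing SOI marker");
  }
  const segments = [];
  let pos = 2;
  while (true) {
    // A marker is 0xFF followed by a non-0xFF, non-zero byte; extra 0xFF
    // fill bytes may precede it and are skipped under the same bounds check.
    if (pos + 2 > buf.length) throw new Error(`truncated: expected marker at offset ${pos}`);
    if (buf[pos] !== 0xff) throw new Error(`corrupt: expected 0xFF at offset ${pos}`);
    let marker = buf[pos + 1];
    pos += 2;
    while (marker === 0xff) {
      if (pos >= buf.length) throw new Error("truncated: marker padding runs off end");
      marker = buf[pos++];
    }
    if (marker === 0x00) throw new Error(`corrupt: stuffed byte where a marker was expected at offset ${pos - 1}`);
    if (marker === 0xd9 || marker === 0xda) {          // EOI, or SOS: entropy-coded data follows
      segments.push({ marker, length: 0 });
      return segments;
    }
    if ((marker >= 0xd0 && marker <= 0xd7) || marker === 0x01) { // RSTn / TEM carry no length
      segments.push({ marker, length: 0 });
      continue;
    }
    // Every other marker carries a big-endian 16-bit length that includes
    // the two length bytes themselves, so anything below 2 is corrupt and
    // anything past the end of the buffer is a truncated file.
    if (pos + 2 > buf.length) throw new Error(`truncated: no length for marker 0x${marker.toString(16)} at offset ${pos}`);
    const length = buf.readUInt16BE(pos);
    if (length < 2) throw new Error(`corrupt: segment length ${length} < 2 at offset ${pos}`);
    if (pos + length > buf.length) {
      throw new Error(`truncated: segment 0x${marker.toString(16)} claims ${length} bytes, only ${buf.length - pos} remain`);
    }
    segments.push({ marker, length });
    pos += length;                                     // length >= 2 guarantees progress
  }
}

// Constructed sample inputs (not real images): a minimal header with an
// APP0/JFIF segment, a 4-byte DQT stub and an SOS marker.
function makeSampleJpeg() {
  const app0 = Buffer.from([0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00,
                            0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00]);
  const dqt = Buffer.from([0xff, 0xdb, 0x00, 0x04, 0x00, 0x00]);
  const sos = Buffer.from([0xff, 0xda]);
  return Buffer.concat([Buffer.from([0xff, 0xd8]), app0, dqt, sos]);
}
// "JPEG data that is too short": APP0 says 16 bytes but the file ends early.
function makeTruncatedJpeg() {
  return makeSampleJpeg().subarray(0, 10);
}
// A length field that overstates the segment; a decoder that trusts it reads
// far past the end of the buffer.
function makeOversizedLengthJpeg() {
  const b = Buffer.from(makeSampleJpeg());
  b.writeUInt16BE(0xffff, 4);
  return b;
}

// Wrap the walker so callers get a result object instead of an exception.
function classify(buf) {
  try {
    return { ok: true, segments: walkJpegSegments(buf) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

classify(makeSampleJpeg()) reports the APP0, DQT and SOS segments; the truncated and oversized variants both come back with a "truncated" error and no read beyond the buffer. A run of 0xFF fill bytes with no marker after them is also rejected rather than spun on, which is the property the PES and MPC reports above were missing.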