Page Contents
The following pages are tagged with
| Title | Excerpt |
|---|---|
| Security advisory 01-31-2018 | Security risk: Medium (CVSS: 4.3) Vulnerability: Prevent unauthorized alteration of records on same table Description In a Many-to-Many relationship, it was possible for an authenticated user to edit the foreign keys of records to transfer ownership. Example: A Physician has many appointments with many patients. Physician 1 can create... |
| Security advisory 03-10-2017 | Security risk: Medium-high Vulnerability: loopback-component-storage to directory traversal attack Description A security leak exposing loopback-component-storage to directory traversal attack. The component was exposed to a vulnerability where an attacker could use a command to retrieve the content of the server.js file of a LoopBack application and... |
| Security advisory 08-08-2018 | Security risk: High (CVSS: 7.7) Vulnerability: AccessToken API (if exposed) allows anyone to create a Token Description LoopBack provides a built-in User management / authentication and authorization solution. As part of this solution, a User must have an AccessToken to authenticate themselves against APIs requiring authentication /... |
| Security advisory 08-15-2018 | Security risk: High (CVSS: 7.1) Vulnerability: loopback-connector-mongodb allows NoSQL Injections Description MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property... |
| Security advisory 09-21-2017 | Security risk: Medium Vulnerability: Remote Memory Exposure Description Remote memory exposure in nano@6.3.0. Nano was using package follow that has 2 packages with reported node security vulnerability. Packages are: request@2.55.0 hawk@2.3.1 Our module loopback-connector-couchdb2 use the affected versions. Also, loopback-connector-cloudant use couchdb2... |
| Security advisory 10-24-2017 | Security risk: Medium Vulnerability: Multi-user password reset exploit Description When multiple User models were deployed it was possible for a resetToken for UserA to be used to reset the password for UserB or vice-versa. See issue for more details. Reported by GitHub user |