@saltcorn/server@1.0.0-beta.15 vulnerabilities

Server app for Saltcorn, open-source no-code platform

latest version

1.0.0
latest non vulnerable version

1.0.0
first published

4 years ago
latest version published

a day ago
licenses detected
- MIT
  >=0
View @saltcorn/server package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the @saltcorn/server package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Directory Traversal @saltcorn/server is a Server app for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to Directory Traversal via the `sync/clean_sync_dir` endpoint due to improper sanitization of `dir_name` POST parameter. An attacker can delete arbitrary files on the server by sending a crafted request with manipulated directory paths. How to fix Directory Traversal? Upgrade `@saltcorn/server` to version 1.0.0-beta.16 or higher.	<1.0.0-beta.16
M Cross-site Scripting (XSS) @saltcorn/server is a Server app for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the event log handling mechanism. An attacker can manipulate the output of the event logs and execute arbitrary scripts in the context of the user's browser by injecting malicious payloads into the event data that is not properly sanitized before being displayed. How to fix Cross-site Scripting (XSS)? Upgrade `@saltcorn/server` to version 1.0.0-beta.16 or higher.	<1.0.0-beta.16

Directory Traversal

@saltcorn/server is a Server app for Saltcorn, open-source no-code platform

Affected versions of this package are vulnerable to Directory Traversal via the sync/clean_sync_dir endpoint due to improper sanitization of dir_name POST parameter. An attacker can delete arbitrary files on the server by sending a crafted request with manipulated directory paths.

How to fix Directory Traversal?

Upgrade @saltcorn/server to version 1.0.0-beta.16 or higher.

<1.0.0-beta.16

Cross-site Scripting (XSS)

@saltcorn/server is a Server app for Saltcorn, open-source no-code platform

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the event log handling mechanism. An attacker can manipulate the output of the event logs and execute arbitrary scripts in the context of the user's browser by injecting malicious payloads into the event data that is not properly sanitized before being displayed.

How to fix Cross-site Scripting (XSS)?

Upgrade @saltcorn/server to version 1.0.0-beta.16 or higher.

<1.0.0-beta.16

Go back to all versions of this package

@saltcorn/server@1.0.0-beta.15 vulnerabilities

Server app for Saltcorn, open-source no-code platform

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities