CVE-2016-10532

UNKNOWN
Published 2018-05-31T20:00:00Z
No CVSS data available

Description

console-io is a module that allows users to implement a web console in their application. A malicious user could bypass authentication and execute any command that the user running the console-io application (version 2.2.13 and earlier) is able to run. This means that if console-io was running as root, the attacker would have full access to the system. This vulnerability exists because the console-io application does not configure socket.io to require authentication, which allows a malicious user to connect via a websocket, send commands, and receive the response.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

GitHub Reviewed. Severity: CRITICAL

Authentication Bypass in console-io

GHSA-q52j-4q2q-hcj6

Advisory Details

Affected versions of the `console-io` package do not configure the underlying websocket library to require authentication, resulting in an authentication bypass vulnerability. As `console-io` allows terminal access on the server via a web page, an authentication bypass is essentially remote code execution.

Recommendation

Update to version 2.3.0 or later.

Affected Packages

npm: console-io
Affected version range: ≥0, <2.3.0

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Advisory provided by GitHub Security Advisory Database. Published: February 18, 2019, Modified: September 16, 2021

Published: 2018-05-31T20:00:00Z
Last Modified: 2024-09-16T22:03:05.480Z